10.2.3.2. Address group setting

Operation Confirmed Version:
 Brocade 5600vRouter Version4.2R1S1

What is an address group?

A packet-filtering rule of the firewall function can match on a registered list of IP addresses and allow or reject the matching communications.
Such a registered list of IP addresses is referred to as an address group.

Note

Up to 32 address groups can be set. Groups beyond this number cannot be created.

Setting for grouping multiple IP addresses

Creating a group composed of multiple IP addresses

Presumed case for sample setting

  • To create a group composed of IP addresses “192.168.2.12” and “192.168.2.13”

  • To name the address group g1

Command to be entered with CLI

set resources group address-group g1 address '192.168.2.12'
set resources group address-group g1 address '192.168.2.13'
The configuration after completion of appropriate settings is as follows.
resources {
      group {
              address-group g1 {
                      address 192.168.2.12
                      address 192.168.2.13
              }
      }
}

Setting for adding one IP address to multiple groups

An IP address can belong to more than one address group.

Presumed case for sample setting

  • To create a group composed of IP addresses “192.168.2.12” and “192.168.2.13”

  • To name the address group above g1

  • To create a group composed of IP addresses “192.168.2.12” and “192.168.2.6”

  • To name the address group above g2

Command to be entered with CLI

set resources group address-group g1 address '192.168.2.12'
set resources group address-group g1 address '192.168.2.13'
set resources group address-group g2 address '192.168.2.12'
set resources group address-group g2 address '192.168.2.6'
The configuration after completion of appropriate settings is as follows.
resources {
       group {
               address-group g1 {
                       address 192.168.2.12
                       address 192.168.2.13
               }
               address-group g2 {
                       address 192.168.2.12
                       address 192.168.2.6
               }
       }
}

Setting for grouping a range (network) of IP addresses

A range of IP addresses, written as a network prefix, can be registered as a member of an address group.

Presumed case for sample setting

  • To create one address group containing the IP address ranges (networks) “192.168.2.4/30” and “192.168.2.12/30”

  • To name the address group above g3

Note

“192.168.2.4/30” covers the four IP addresses “192.168.2.4” to “192.168.2.7”.
“192.168.2.12/30” covers the four IP addresses “192.168.2.12” to “192.168.2.15”.

Command to be entered with CLI

set resources group address-group g3 address '192.168.2.4/30'
set resources group address-group g3 address '192.168.2.12/30'
The configuration after completion of appropriate settings is as follows.
resources {
      group {
              address-group g3 {
                      address 192.168.2.4/30
                      address 192.168.2.12/30
              }
      }
}
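The following is an added example for this page, not part of the original document or of the Brocade 5600vRouter software. It models the three address groups defined above with Python's ipaddress module so that what each definition resolves to can be checked offline: which addresses a /30 member covers, which groups one address belongs to, and the limit of 32 groups stated in the note. The class and function names are this example's own; the group contents and the limit are taken from the page.

```python
"""Offline model of the address groups defined on this page (added example)."""
import ipaddress

MAX_ADDRESS_GROUPS = 32   # maximum number of address groups stated on the page


class AddressGroups:
    """Group name -> list of networks; a single host is stored as a /32."""

    def __init__(self):
        self.groups = {}

    def add(self, name, member):
        """Counterpart of 'set resources group address-group NAME address MEMBER'."""
        if name not in self.groups and len(self.groups) >= MAX_ADDRESS_GROUPS:
            raise ValueError(f"cannot create {name}: limit of {MAX_ADDRESS_GROUPS} groups reached")
        # strict=True (the default) rejects a prefix with host bits set, e.g.
        # 192.168.2.5/30, so a mistyped range is caught here instead of
        # silently covering a different block. This check is the example's own.
        net = ipaddress.ip_network(member)
        self.groups.setdefault(name, []).append(net)

    def covered(self, name):
        """Every address matched by a group. Iterating a network yields the
        network and broadcast addresses too: 192.168.2.4/30 covers .4 to .7."""
        return [str(ip) for net in self.groups[name] for ip in net]

    def groups_for(self, address):
        """All groups an address belongs to; one address may be in several."""
        ip = ipaddress.ip_address(address)
        return sorted(n for n, nets in self.groups.items() if any(ip in net for net in nets))


def is_valid_member(member):
    """True if MEMBER is a host address or a properly aligned prefix."""
    try:
        ipaddress.ip_network(member)
        return True
    except ValueError:
        return False


def create_groups(count):
    """Try to create COUNT distinct groups; return how many were accepted."""
    ag = AddressGroups()
    created = 0
    for i in range(count):
        try:
            ag.add(f"n{i}", "10.0.0.1")   # constructed placeholder member
            created += 1
        except ValueError:
            break
    return created


def build_page_groups():
    """Recreate g1, g2 and g3 exactly as set in the three examples above."""
    ag = AddressGroups()
    for name, member in [("g1", "192.168.2.12"), ("g1", "192.168.2.13"),
                         ("g2", "192.168.2.12"), ("g2", "192.168.2.6"),
                         ("g3", "192.168.2.4/30"), ("g3", "192.168.2.12/30")]:
        ag.add(name, member)
    return ag


if __name__ == "__main__":
    ag = build_page_groups()
    print("g3 covers:", ag.covered("g3"))
    print("192.168.2.12 belongs to:", ag.groups_for("192.168.2.12"))
```

Note that a /30 member matches the network and broadcast addresses of the block as well as the two host addresses, so a group built from prefixes can match more senders than the hosts the operator had in mind.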

Setting for using a created group for packet filtering

Define an address group and register the IP addresses it should contain.
Then configure the firewall on an interface so that communications originating from IP addresses registered in the address group are accepted and communications originating from any other IP address are rejected.

Note

An address group is a list in which multiple IP addresses are registered. Grouping them lets one policy be applied to the whole list instead of to each address separately. Matching is done on the packet's source IP address alone, so the filter identifies a sender only as reliably as the source addresses that reach the interface.

Presumed case for sample setting

  • To forward only communications originated from IP addresses “192.168.2.6” and “192.168.2.13”

  • To register the addresses above as an address group

  • To apply the filter to traffic input to interface “dp0s5”

  • To reject all communications originated from IP addresses that do not belong to the address group

Configuration diagram
(Figure: NAT diagram)

Setting flow in a presumed case

1. Name the packet-filtering rule set test_rule
2. Register “192.168.2.6” and “192.168.2.13” as members of address group g1
3. Create rule 10, which accepts packets originated from address group g1
4. Set the default action so that packets originated from IP addresses other than those in address group g1 are rejected
5. Apply the rule set in the input direction on the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group address-group g1 address '192.168.2.13'
set resources group address-group g1 address '192.168.2.6'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 source address 'g1'

Note

To apply the same policy in the output direction instead, specify “out test_rule” on the dp0s6 interface. The rule still matches on the packet's source address, so the same address group can be reused.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
resources {
       group {
               address-group g1 {
                       address 192.168.2.13
                       address 192.168.2.6
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               source {
                                       address g1
                               }
                       }
               }
       }
}
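The following is an added example for this page, not part of the original document or of the vRouter software. It is a small parser for the brace-style configuration listing shown above (only the constructs that appear in it are handled) together with an evaluator that answers, for a given source address, what test_rule does with it, so the policy can be audited offline before it is committed. The configuration text embedded in the example is copied from the listing above; the function names are this example's own, and rule matching considers only the source address criterion, which is the only one the page's rule uses.

```python
"""Parse the firewall listing above and evaluate it per source address (added example)."""
import ipaddress

# Copied from the page's configuration listing (resources and security parts).
PAGE_CONFIG = """
resources {
    group {
        address-group g1 {
            address 192.168.2.13
            address 192.168.2.6
        }
    }
}
security {
    firewall {
        name test_rule {
            default-action drop
            rule 10 {
                action accept
                source {
                    address g1
                }
            }
        }
    }
}
"""


def parse_config(text):
    """Parse 'key value' leaves and 'header {' ... '}' blocks into nested dicts.

    A leaf repeated in the same block (several 'address' lines in one
    address-group) is collected into a list.
    """
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            header = line[:-1].strip()          # e.g. 'address-group g1', 'rule 10'
            stack.append(node)
            node = node.setdefault(header, {})
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}' in configuration")
            node = stack.pop()
        else:
            key, _, value = line.partition(" ")
            if key in node:
                previous = node[key]
                node[key] = (previous if isinstance(previous, list) else [previous]) + [value]
            else:
                node[key] = value
    if stack:
        raise ValueError("unclosed block in configuration")
    return root


def address_groups(cfg):
    """Map group name -> list of networks from 'resources group address-group'."""
    groups = {}
    for header, body in cfg.get("resources", {}).get("group", {}).items():
        if header.startswith("address-group "):
            members = body.get("address", [])
            if not isinstance(members, list):
                members = [members]
            groups[header.split(None, 1)[1]] = [ipaddress.ip_network(m) for m in members]
    return groups


def source_matches(spec, ip, groups):
    """'source address' may name an address group or give a literal host/prefix."""
    if spec in groups:
        return any(ip in net for net in groups[spec])
    return ip in ipaddress.ip_network(spec)


def evaluate(cfg, ruleset, source):
    """Return (action, matching rule number or None) for a packet from SOURCE.

    Rules are tried in ascending number order and the first match decides;
    if none matches, the rule set's default-action applies.
    """
    ip = ipaddress.ip_address(source)
    groups = address_groups(cfg)
    fw = cfg["security"]["firewall"]["name " + ruleset]
    rules = sorted((int(h.split()[1]), body) for h, body in fw.items() if h.startswith("rule "))
    for number, rule in rules:
        spec = rule.get("source", {}).get("address")
        if spec is None or source_matches(spec, ip, groups):   # no source criterion: any source
            return rule["action"], number
    return fw["default-action"], None


if __name__ == "__main__":
    cfg = parse_config(PAGE_CONFIG)
    for src in ("192.168.2.6", "192.168.2.13", "192.168.2.12"):
        print(src, evaluate(cfg, "test_rule", src))
```

Run against the listing above, the two group members are accepted by rule 10 and 192.168.2.12 falls through to the default action, which is the behaviour the operation check below demonstrates with ping.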

Operation check result

The verification log below shows that a ping from server “192.168.2.6” in the configuration diagram to “192.168.3.3” succeeded,
while a ping from “192.168.2.12”, which does not belong to address group g1, failed,
confirming that the packet filtering function worked.
#From 192.168.2.6 -> OK

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=3.07 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=1.19 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.78 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=1.43 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=1.78 ms
64 bytes from 192.168.3.3: icmp_seq=6 ttl=63 time=1.31 ms
64 bytes from 192.168.3.3: icmp_seq=7 ttl=63 time=1.56 ms
64 bytes from 192.168.3.3: icmp_seq=8 ttl=63 time=1.54 ms
64 bytes from 192.168.3.3: icmp_seq=9 ttl=63 time=1.48 ms
^C
--- 192.168.3.3 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8013ms
rtt min/avg/max/mdev = 1.194/1.684/3.071/0.524 ms

#From 192.168.2.12 -> NG

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7055ms

Setting for using a created group for NAT

Define an address group and register the IP addresses it should contain.
When the NAT function is used,
an address group can be specified as a match condition for network address translation.

Presumed case for sample setting

  • To apply source NAT to communications originated from IP addresses “192.168.2.6” and “192.168.2.12”

  • To register the addresses above as an address group

  • To apply the translation to traffic output from interface “dp0s6”

Configuration diagram
(Figure: NAT with an address group as the match condition)

Setting flow in a presumed case

1. Name the address group g1 and register IP addresses “192.168.2.6” and “192.168.2.12”
2. Configure source NAT for packets whose source belongs to address group g1 and which are output from interface “dp0s6”
3. For the operation check, also configure a destination NAT rule that translates packets for “192.168.2.50” arriving on interface “dp0s5” to “192.168.3.3”

Command to be entered with CLI

set resources group address-group g1 address '192.168.2.6'
set resources group address-group g1 address '192.168.2.12'
set service nat source rule 10 outbound-interface 'dp0s6'
set service nat source rule 10 source address 'g1'
set service nat source rule 10 translation address 'masquerade'
set service nat destination rule 10 destination address '192.168.2.50'
set service nat destination rule 10 inbound-interface 'dp0s5'
set service nat destination rule 10 translation address '192.168.3.3'
The configuration after completion of appropriate settings is as follows.
resources {
        group {
                address-group g1 {
                        address 192.168.2.6
                        address 192.168.2.12
                }
        }
}
service {
        nat {
                destination {
                        rule 10 {
                                destination {
                                        address 192.168.2.50
                                }
                                inbound-interface dp0s5
                                translation {
                                        address 192.168.3.3
                                }
                        }
                }
                source {
                        rule 10 {
                                outbound-interface dp0s6
                                source {
                                        address g1
                                }
                                translation {
                                        address masquerade
                                }
                        }
                }
        }
}

Operation check result

The verification log below shows that an HTTP GET from client “192.168.2.6” in the configuration diagram to “192.168.2.50” reached the target server “192.168.3.3”
through the following process: when interface “dp0s5” receives the packets, the destination IP address is translated to “192.168.3.3”;
then, when the packets are output from interface “dp0s6” toward “192.168.3.3”,
the source IP address is translated to “192.168.3.5”, the address of dp0s6, because it belongs to the address group.
The server's access log records the access as coming from “192.168.3.5”, which confirms that the address group was applied to the NAPT rule.
As a consequence, the server's own logs no longer identify the original client; that identity is available only on the router.

Note

For how NAT operates and how it is configured, see the description of the NAT function in the network function setting examples.

#From client

test@ubu01:~$ wget -O - http://192.168.2.50/ > /dev/null
--2016-07-29 13:46:17--  http://192.168.2.50/
192.168.2.50:80 Connecting ... Connected
200 OK
Length: 616 [text/html]
Save `STDOUT'

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 13:46:17 (161 MB/s) - written to stdout [616/616]

#web access

test@web1:~$ tail /usr/local/nginx/logs/access.log

192.168.2.6 - - [26/Jul/2016:11:29:10 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.2.6 - - [29/Jul/2016:10:50:25 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.3.5 - - [29/Jul/2016:10:53:59 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.3.5 - - [29/Jul/2016:11:40:57 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
192.168.3.5 - - [29/Jul/2016:13:46:16 +0900] "GET / HTTP/1.1" 200 616 "-" "Wget/1.15 (linux-gnu)" "-"
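The following is an added example for this page, not part of the original document or of the vRouter software. It walks a packet through the two NAT rules above in the order the operation check describes: destination NAT when the packet enters dp0s5, then source NAT when it leaves dp0s6, with “masquerade” resolved to the outbound interface's own address. The rules, the address group and the interface addresses are transcribed from the page; the functions are this example's own model. Routing, which decides the outbound interface, is not modelled, so the caller passes the outbound interface in.

```python
"""Trace the page's DNAT-then-SNAT path for a packet (added example)."""
import ipaddress

# Interface addresses from the page's interfaces block; 'masquerade' uses the
# outbound interface's own address.
INTERFACE_ADDRESS = {"dp0s4": "192.168.1.50", "dp0s5": "192.168.2.50", "dp0s6": "192.168.3.5"}
ADDRESS_GROUPS = {"g1": ["192.168.2.6", "192.168.2.12"]}
DNAT_RULES = [   # service nat destination
    {"rule": 10, "inbound-interface": "dp0s5", "destination": "192.168.2.50", "translation": "192.168.3.3"},
]
SNAT_RULES = [   # service nat source
    {"rule": 10, "outbound-interface": "dp0s6", "source": "g1", "translation": "masquerade"},
]


def matches(spec, address):
    """A rule's address criterion is an address-group name or a literal host/prefix."""
    ip = ipaddress.ip_address(address)
    members = ADDRESS_GROUPS.get(spec, [spec])
    return any(ip in ipaddress.ip_network(m) for m in members)


def apply_dnat(packet, inbound_if):
    """First matching destination-NAT rule (by rule number) rewrites the destination."""
    for rule in sorted(DNAT_RULES, key=lambda r: r["rule"]):
        if rule["inbound-interface"] == inbound_if and matches(rule["destination"], packet["dst"]):
            return {**packet, "dst": rule["translation"]}
    return packet


def apply_snat(packet, outbound_if):
    """First matching source-NAT rule rewrites the source; 'masquerade' means
    the outbound interface's address."""
    for rule in sorted(SNAT_RULES, key=lambda r: r["rule"]):
        if rule["outbound-interface"] == outbound_if and matches(rule["source"], packet["src"]):
            if rule["translation"] == "masquerade":
                new_src = INTERFACE_ADDRESS[outbound_if]
            else:
                new_src = rule["translation"]
            return {**packet, "src": new_src}
    return packet


def forward(packet, inbound_if, outbound_if):
    """Packet as the server sees it: DNAT at ingress, then SNAT at egress."""
    return apply_snat(apply_dnat(packet, inbound_if), outbound_if)


if __name__ == "__main__":
    for client in ("192.168.2.6", "192.168.2.13"):   # 192.168.2.13 is not in g1
        print(client, "->", forward({"src": client, "dst": "192.168.2.50"}, "dp0s5", "dp0s6"))
```

For a client in g1 the server receives the request from 192.168.3.5, which is the source recorded in the access log above; for a client outside the group the destination is still translated but the original source address is delivered unchanged.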