Chapter 3: Interfaces

An Interface is an important logical building block in cOS Stream. All network traffic that transits through, originates from or is terminated in a Clavister NetShield Firewall, does so through one or more interfaces.

Source and Destination Interfaces

An interface can be viewed as a doorway through which network traffic passes to or from cOS Stream. An interface has one of two functions:

All traffic passing through cOS Stream has both a source and destination interface. As explained in more depth later, the special logical interface core is used when cOS Stream itself is the source or destination for traffic.

Interface Types

The Clavister NetShield Firewall supports a number of interface types, which can be divided into the following groups:

All Interfaces are Logically Equivalent

Even though the different types of interfaces may be very different in the way they function, cOS Stream treats all interfaces as logically equivalent. This is an important and powerful concept and means that all types of interfaces can be used almost interchangeably in the various rule sets and other configuration objects. This results in a high degree of flexibility in how traffic can be examined, controlled and routed.

An extension of this equivalency concept is that no interface is assumed to be connected to trusted "inside" networks or to untrusted "outside" networks. The administrator makes these decisions and implements security policies accordingly.

Interfaces have Unique Names

Each interface in cOS Stream is given a unique name to be able to identify and select it for use with other objects in a configuration. Some interface types, such as Ethernet interfaces, are already provided by cOS Stream with relevant default names that are possible to modify if required.

The any and core Interfaces

In addition, cOS Stream provides two special logical interfaces which are named any and core. The meanings of these are:

3.1. Ethernet Interfaces

The Clavister NetShield Firewall supports Ethernet, Fast Ethernet, Gigabit Ethernet and 10 Gigabit Ethernet interfaces as defined by the IEEE 802.3 standards.

Ethernet Frames

With Ethernet, devices send data as Ethernet frames and other devices "listen" to determine if they are the intended destination for any of these frames. A frame is a sequence of bits which specifies the originating device, the destination device and the data payload, along with error checking bits. A pause between the sending of individual frames allows devices time to process each frame before the next arrives; this pause becomes progressively shorter as the data transmission speed increases.

The EthernetInterface and EthernetDevice Object Types

There are two types of configuration objects that are used to manage Ethernet interface operation: EthernetInterface and EthernetDevice. The EthernetInterface object is used to configure the logical properties of Ethernet operation such as IP address.

The EthernetDevice object is used to specify low level, driver related properties such as link-speed and duplex. It is the EthernetInterface object type that is covered by this section.

Ethernet Interface Properties

The following are the principal properties for an EthernetInterface object:

  • Interface Name

    The names of the Ethernet interfaces are predefined by the system, and are mapped to the names of the physical ports; a system with a wan port will have an Ethernet interface named wan and so on.

    The names of the Ethernet interfaces can be changed to better reflect their usage. For example, if an interface named dmz is connected to a wireless LAN, it might be convenient to change the interface name to wireless. For maintenance and troubleshooting, it is recommended to tag the corresponding physical port with the new name.

  • IP Addresses

    Each Ethernet interface is required to have an Interface IP Address. The interface IP address is used as the primary address for communicating with the system through the specific Ethernet interface.

    More than one IP address can be allocated to an Ethernet interface.

    IPAddress objects are usually used to define the IP addresses of Ethernet interfaces. Those objects are normally auto-generated by the system. This is discussed further in Section 5.3, Auto-generated Address Objects. When cOS Stream is first started, all unconfigured Ethernet interfaces will be assigned default addresses from the localhost sub-network (127.0.0.0/8).

  • MTU

    This determines the maximum size of packets in bytes that can be sent on this interface. By default, the interface uses the maximum size supported.

  • HACritical/Sync

    For HA cluster nodes it is important to identify those interfaces which are critical and those which are designated as sync interfaces. This is explained further in Chapter 22, High Availability.

Listing Ethernet Interfaces

To list all Ethernet interfaces, the CLI command is:

System:/> show Interface EthernetInterface

   Interface Name  IP Addresses  Routing Table
   --------------  ------------  -------------
   if1             10.1.50.102   main
   if2             10.6.58.100   main

The listing shows there are two interfaces. The IP address allocated to each is shown along with the routing table that is associated with them.

Changing the IP Address of an Ethernet Interface

To change the IP address on an interface, there are two methods:

  • Change the IP address directly on the interface. For example, if we want to change the IPv4 address of the lan interface to 10.1.1.2, we could use the CLI command:

    System:/> set Interface EthernetInterface if1 IPAddress=10.1.1.2

    As explained next, this way of changing the IP address is not recommended.

  • Instead, the if1_ip object in the Address Book should be assigned the new address since it is this object that is used by many other objects such as IP rules. The CLI command to do this would be:

    System:/> set Address IPAddress if1_ip Address=10.1.1.2

Assigning Multiple IP Addresses to an Interface

To assign multiple IPv4 addresses to an interface, assign multiple addresses to the interface's IP object in the address book. Assuming that two IPv4 addresses are defined in the address book as the objects ip1 and ip2 then the CLI for assignment would be:

System:/> set Address IPAddress if1_ip Address=ip1,ip2

If these multiple addresses belong to different networks then it will also be necessary to add an additional route in the relevant routing table since a route will only be added automatically for the first address.

When ip1 and ip2 are both IPv4 addresses belonging to different networks then those networks can also be assigned to the default network object for the interface. Using the example above, the CLI would be:

System:/> set Address IPAddress if1_net Address=ip1_net,ip2_net

Suppose that ip3 is an IPv6 address that is to be assigned to the if1 interface along with the IPv4 address object ip1. Assume also that there is already a corresponding network object defined called ip3_net. In this case a new address object for the interface network must also be defined. First, set the IP addresses for the interface as before:

System:/> set Address IPAddress if1_ip Address=ip1,ip3

Now, set the pre-existing IPv4 address object for the if1 interface network:

System:/> set Address IPAddress if1_net Address=ip1_net

No IPv6 network object exists for the interface so it must be added:

System:/> add Address IPAddress if1_ip6_net Address=ip3_net

Routes for IPv6 interface addresses are not added automatically so a route will also need to be added.

There is no limit to the number of addresses that can be assigned to an interface and this is true for any interface, not just Ethernet interfaces.
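The routing rules stated above (a route is added automatically only for the first IPv4 address, never for IPv6 addresses, and unconfigured interfaces sit on 127.0.0.0/8) can be checked mechanically before a configuration is committed. The following is an added example written for this section, not Clavister code; it assumes each address is given as a CIDR string so that the interface network (the ip1_net style object) can be derived from it, and the interface data is a constructed sample.

```python
"""Audit interface address assignments against the cOS Stream route rules
described in this section (added illustration, not Clavister code).
Assumption: addresses are CIDR strings (address plus prefix length) so the
interface network can be derived; the real system uses separate *_net objects."""
import ipaddress
from typing import Dict, List, Tuple

# Unconfigured Ethernet interfaces get addresses from this range at first start.
LOCALHOST_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: if1 has two IPv4 networks plus IPv6, if2 is unconfigured,
# if3 has two addresses on the same network.
SAMPLE_CONFIG: Dict[str, List[str]] = {
    "if1": ["10.1.1.2/24", "10.1.2.2/24", "2001:db8:1::1/64"],
    "if2": ["127.0.0.2/8"],
    "if3": ["10.6.58.100/24", "10.6.58.101/24"],
}


def audit_interface(name: str, addrs: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (findings, manual_routes) for one interface.
    findings: warnings about the assignment; manual_routes: (interface, network)
    pairs for which a route must be added by hand."""
    findings: List[str] = []
    routes: List[Tuple[str, str]] = []
    auto_routed = None  # network of the first IPv4 address, routed automatically
    for a in addrs:
        iface = ipaddress.ip_interface(a)
        net = iface.network
        if iface.version == 4 and iface.ip in LOCALHOST_NET:
            findings.append(f"{name}: {iface.ip} is a default 127.0.0.0/8 address; interface looks unconfigured")
            continue
        if iface.version == 6:
            routes.append((name, str(net)))  # IPv6 routes are never added automatically
        elif auto_routed is None:
            auto_routed = net  # first IPv4 address: route is added for us
        elif net != auto_routed:
            routes.append((name, str(net)))  # further IPv4 network: needs a manual route
    return findings, routes


def audit(config: Dict[str, List[str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run audit_interface over every interface and merge the results."""
    all_findings: List[str] = []
    all_routes: List[Tuple[str, str]] = []
    for name, addrs in config.items():
        f, r = audit_interface(name, addrs)
        all_findings.extend(f)
        all_routes.extend(r)
    return all_findings, all_routes
```

Running audit(SAMPLE_CONFIG) reports the two routes if1 needs (10.1.2.0/24 and 2001:db8:1::/64) and flags if2 as unconfigured, while if3 needs nothing because both addresses share one network.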

Enabling the DHCP Client Function

By default, all Ethernet interfaces have their IPv4 addresses allocated manually. However, any interface can have DHCP client functionality enabled for automatic assignment of IPv4 addresses and this is discussed further in Section 21.3, DHCP Client.

Enabling and Disabling an Ethernet Interface

To disable the interface if1 so that no traffic can flow through it, the CLI command is:

System:/> set Interface EthernetInterface if1 -disable

To enable the disabled interface, the command is:

System:/> set Interface EthernetInterface if1 -enable

Null Interfaces

If the Type property of an EthernetInterface is set to the value Null then the object can be said to be a null interface.

A null interface normally occurs because of either of the following:

  • The physical interface hardware is no longer present. This might occur when an expansion module is removed from the hardware. In a virtual environment the equivalent is a virtual interface being removed from the virtual machine.

  • The Ethernet interface becomes part of the list of interfaces assigned to the LAGMembers when the link aggregation feature is configured. This is discussed further in Section 3.7, Link Aggregation.

Regardless of how a null interface comes about, it may still be referenced by other parts of the configuration. These references will still be valid but any object, such as an IPRule, that references a null interface will usually not perform any function. For example, if traffic is routed to a null interface then the traffic would simply go nowhere.

If the Type property reverts back to Ethernet then the interface will revert back to its original function.

The ifstat command can be used to show all null interfaces but only with the parameter -type set to a value of all or null. For example:

System:/> ifstat -type=null

Interface  Zone  IP Address     Type    Routing Table
---------  ----  -------------  ------  -------------
if2              192.168.0.1    Null