| Home Prev |  cOS Stream 4.00.03 Administration Guide
|
Next |
|---|
The most basic form of routing is known as Static Routing. The term "static" is used because most entries in a routing table are part of the system's static configuration. They usually remain unchanged during long periods of system operation.
Due to this manual approach, static routing is most appropriate to use in network deployments where addresses are fairly fixed and where the amount of connected networks are limited to a few.
This section describes how to configure static routing and also explains how routing is implemented in cOS Stream.
Multiple routing tables are supported. A default table called main is predefined and is always present in cOS Stream. However, additional and completely separate routing tables can be defined by the administrator to provide alternate routing.
The Route Lookup Mechanism
The route lookup mechanism has some slight differences to how some other router products work. In many routers, where the IP packets are forwarded without context (in other words, the forwarding is stateless), the routing table is scanned for each and every IP packet received by the router. Packets are forwarded with state-awareness, so the route lookup process is tightly integrated into the stateful inspection mechanism.When an IP packet is received on any of the interfaces, the list of active flows is consulted to see if there is already a flow to which the received packet belongs. If an existing flow is found, the flow information includes where to route the packet so there is no need for further lookups in the routing table. This is far more efficient than traditional routing table lookups, and is one reason for the high forwarding performance of cOS Stream.
If an established flow cannot be found, then the routing table is consulted. It is important to understand that the route lookup is performed before any of the various policy rules get evaluated (for example, IP rules). Consequently, the destination interface is known at the time cOS Stream decides if the flow should be allowed or dropped. This design allows for a more fine-grained control in security policies.
Route Notation
The Clavister NetShield Firewall uses a slightly different way of describing routes compared to most other systems but this way is easier to understand, making errors less likely.Many other products do not use the specific interface in the routing table, but specify the IP address of the interface instead. The routing table below is from a Microsoft Windows workstation:
====================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 13 d4 51 8d dd ...... Intel(R) PRO/1000 CT Network
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===================================================================
===================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 20
10.0.0.0 255.0.0.0 10.4.2.143 10.4.2.143 1
10.4.2.143 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.4.2.143 10.4.2.143 50
85.11.194.33 255.255.255.255 192.168.0.1 192.168.0.10 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 20
192.168.0.10 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.10 192.168.0.10 20
224.0.0.0 240.0.0.0 10.4.2.143 10.4.2.143 50
224.0.0.0 240.0.0.0 192.168.0.10 192.168.0.10 20
255.255.255.255 255.255.255.255 10.4.2.143 10.4.2.143 1
255.255.255.255 255.255.255.255 192.168.0.10 192.168.0.10 1
Default Gateway: 192.168.0.1
===================================================================
Persistent Routes:
None
The corresponding routing table in cOS Stream will be similar to the following:
Flags Network Iface Gateway Local IP Metric
----- ------------------ -------- -------------- --------- ------
192.168.0.0/24 if1 20
10.0.0.0/8 wan 1
0.0.0.0/0 wan 192.168.0.1 20
Note that multicast routes have not been included in the list but are displayed in the Microsoft listing.
Route Definition
The method of defining routes makes the reading and understanding of routing information easier.A further advantage with the Clavister NetShield Firewall approach is that the administrator can directly specify a gateway for a particular route and the following is true:
A separate route does not need to be defined that includes the gateway IP address.
It does not matter even if there is a separate route which includes the gateway IP address and that routes traffic to a different interface.
Composite Subnets can be Specified
Another advantage with the Clavister NetShield Firewall approach to route definition is that it allows the administrator to specify routes for destinations that are not aligned with traditional subnet masks.For example, it is perfectly legal to define one route for the destination IPv4 address range 192.168.0.5 to 192.168.0.17 and another route for IP addresses 192.168.0.18 to 192.168.0.254. This is a feature that makes cOS Stream highly suitable for routing in highly complex network topologies.
Displaying Routing Tables
It is important to note that routing tables that are initially configured by the administrator can have routes added, deleted and changed automatically during live operation and these changes will appear when the routing table contents are displayed.These routing table changes can take place for different reasons. For example, if dynamic routing with OSPF has been enabled then routing tables will become populated with new routes learned from communicating with other OSPF routers in an OSPF network. Other events such as route failover can also cause routing table contents to change over time.
Example 6.3. Displaying the main Routing Table
This example illustrates how to display the contents of the default main routing table.
Command-Line Interface
To see the configured routing table:
System:/>cc RoutingTable mainSystem:/RoutingTable/main>show Route # Interface Network Gateway Local IP - --------- -------- ------------- -------- 1 wan all-nets 213.124.165.1 2 if1 if1_net 3 wan wan_net
To see the active routing table enter:
System:/> routes
Routing table: main
Flags Network Iface Gateway Local IP Metric
----- ------------------ ------- --------------- -------- ------
192.168.0.0/24 if1 0
213.124.165.0/24 wan 0
0.0.0.0/0 wan 213.124.165.1 0![[Tip]](images/tip.png) |
Tip: The CLI cc command may be needed first |
|---|---|
|
In the CLI example above, it was necessary to first select the name of a specific routing table with the cc command (meaning change category or change context) before manipulating individual routes. This is necessary for any category that could contain more than one named group of objects. |
The all-nets Route
The most important route defined is the route to the network all-nets, which includes all IPv4 and IPv6 addresses. This route typically routes traffic to an ISP for public Internet access. In most examples in this publication, the all-nets-ip4 address object is used, which is the IPv4 subset of the all-nets address. The Clavister NetShield Firewall automatically populates the active routing table with Core Routes. These routes are present for the system to understand where to route traffic that is destined for the system itself. There is one route added for each interface in the system. In other words, two interfaces named if1 and wan, and with IPv4 addresses 192.168.0.10 and 193.55.66.77, respectively, will result in the following routes:
| Route # | Interface | Destination | Gateway |
|---|---|---|---|
| 1 | core | 192.168.0.10 | |
| 2 | core | 193.55.66.77 |
When the system receives an IP packet whose destination address is one of the interface IPs, the packet will be routed to the core interface. In other words, it is processed by cOS Stream itself.
There is also a core route added for all multicast addresses:
| Route # | Interface | Destination | Gateway |
|---|---|---|---|
| 1 | core | 224.0.0.0/4 |
