Static routing – Amer Networks E5Web GUI User Manual
Page 257

second network must also have their Default Gateway set to 10.2.2.1 in order to reach the
Clavister Security Gateway.
This feature is normally used when an additional network is to be added to an interface but it is
not desirable to change the existing IP addresses of the network. From a security standpoint,
doing this can present significant risks since different networks will typically be joined together
through a switch which imposes no controls on traffic passing between those networks. Caution
should therefore be exercised before using this feature.
All Traffic Must Have Two Associated Routes
Something that is not intuitive when trying to understand routing in cOS Core is the fact that all
traffic must have two routes associated with it. Not only must a route be defined for the
destination network of a connection but also for the source network.
The route that defines the source network simply says that the source network is found on a
particular interface. When a new connection is opened, cOS Core performs a check known as a
reverse route lookup which looks for this route. The source network route is not used to perform
routing but instead as a check that the source network should be found on the interface where it
arrived. If this check fails, cOS Core generates a Default Access Rule error log message.
Even traffic destined for Core (cOS Core itself), such as ICMP ping requests, must follow this rule of
having two routes associated with it. In this case, the interface of one of the routes is specified as
Core.
4.2.2. Static Routing
This section describes how routing is implemented in cOS Core, and how to configure static
routing.
cOS Core supports multiple routing tables. A default table called main is predefined and is
always present in cOS Core. However, additional and completely separate routing tables can be
defined by the administrator to provide alternate routing.
Extra user-defined routing tables can be used in two ways:
• Virtual Routing associates interfaces with a particular routing table. This enables a single
cOS Core installation to act as multiple virtual systems. Communication between these
systems is achieved with Loopback Interfaces (see Section 4.5, “Virtual Routing” and also
Section 3.4.7, “Loopback Interfaces”).
• Policy Based Routing Rules can be defined which decide which of the routing tables will
deal with certain types of traffic (see Section 4.3, “Policy-based Routing”).
The Route Lookup Mechanism
The cOS Core route lookup mechanism differs slightly from how some other router
products work. In many routers, where the IP packets are forwarded without context (in other
words, the forwarding is stateless), the routing table is scanned for each and every IP packet
received by the router. In cOS Core, packets are forwarded with state-awareness, so the route
lookup process is tightly integrated into the cOS Core stateful inspection mechanism.
When an IP packet is received on any of the interfaces, the connection table is consulted to see if
there is an already open connection to which the received packet belongs. If an existing
connection is found, the connection table entry includes information on where to route the
packet so there is no need for lookups in the routing table. This is far more efficient than
traditional routing table lookups, and is one reason for the high forwarding performance of cOS
Core.
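The two behaviours described in this section, the reverse route lookup that every new connection must pass (the source network must be routed on the arrival interface, otherwise a Default Access Rule error is logged) and the connection table that lets established flows bypass the routing table, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the manual or from cOS Core. The interface names (lan, dmz, wan, core), the networks and the next-hop address are constructed for the example, and the model keeps a per-flow 5-tuple as its connection key. It also shows the Core case from the text: the gateway's own address is routed to the interface named core.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str                  # "core" stands for the security gateway itself
    gateway: Optional[str] = None   # next hop; None for a directly attached network


class RoutingTable:
    """A named routing table; 'main' plays the role of the predefined default table."""

    def __init__(self, name: str = "main") -> None:
        self.name = name
        self.routes: List[Route] = []

    def add(self, network: str, interface: str, gateway: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(network), interface, gateway))

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest-prefix match for an address, or None if no route covers it."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Route] = None
        for route in self.routes:
            if addr in route.network and (
                best is None or route.network.prefixlen > best.network.prefixlen
            ):
                best = route
        return best

    def reverse_lookup(self, src_ip: str, arrival_iface: str) -> Optional[Route]:
        """Reverse route lookup: the route for the source network must point at the
        interface the packet arrived on. Returns that route, or None on mismatch."""
        route = self.lookup(src_ip)
        if route is not None and route.interface == arrival_iface:
            return route
        return None


Decision = Tuple[str, Optional[str]]          # (outgoing interface, next hop)
FiveTuple = Tuple[str, str, str, int, int]    # (src, dst, proto, sport, dport)


class StatefulForwarder:
    """Connection-table-first forwarding: only the first packet of a flow
    touches the routing table; later packets reuse the stored decision."""

    def __init__(self, table: RoutingTable) -> None:
        self.table = table
        self.connections: Dict[FiveTuple, Decision] = {}
        self.route_lookups = 0          # counts routing-table scans, for the test
        self.log: List[str] = []        # constructed stand-in for the gateway's log

    def forward(self, src: str, dst: str, proto: str, sport: int, dport: int,
                arrival_iface: str) -> Optional[Decision]:
        key: FiveTuple = (src, dst, proto, sport, dport)
        if key in self.connections:
            return self.connections[key]          # state hit: no route lookup needed
        self.route_lookups += 1
        if self.table.reverse_lookup(src, arrival_iface) is None:
            self.log.append(f"Default Access Rule: {src} arrived on {arrival_iface} "
                            f"but its source network is not routed on that interface")
            return None                           # drop: source route check failed
        dst_route = self.table.lookup(dst)
        if dst_route is None:
            self.log.append(f"no route to {dst}")
            return None
        decision: Decision = (dst_route.interface, dst_route.gateway)
        self.connections[key] = decision          # remember for the rest of the flow
        return decision


def build_main_table() -> RoutingTable:
    """Constructed 'main' table with a Core route for the gateway's own lan address."""
    table = RoutingTable("main")
    table.add("10.1.1.0/24", "lan")
    table.add("10.1.1.1/32", "core")                     # traffic to cOS Core itself
    table.add("192.168.0.0/16", "dmz")
    table.add("0.0.0.0/0", "wan", gateway="203.0.113.1")  # default route, constructed next hop
    return table


if __name__ == "__main__":
    fw = StatefulForwarder(build_main_table())
    print(fw.forward("10.1.1.50", "198.51.100.7", "tcp", 40000, 443, "lan"))   # ('wan', '203.0.113.1')
    print(fw.forward("10.1.1.77", "198.51.100.7", "tcp", 40001, 443, "wan"))   # None, logged
    print(fw.forward("10.1.1.50", "10.1.1.1", "icmp", 0, 0, "lan"))            # ('core', None)
    print(fw.log)
```

The spoofed packet in the second call (a lan address arriving on wan) is the case the text calls a failed reverse route lookup: the destination route alone would happily forward it, and it is the source-network route that rejects it. The repeated first flow shows the connection-table shortcut: the second packet of an open connection returns the stored decision without another routing-table scan.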
Chapter 4: Routing