
Amer Networks E5Web GUI User Manual


Routing Mode using non-switch routes.

Transparent Mode using switch routes.

With non-switch routes, the Clavister Security Gateway acts as a router and routing operates at
layer 3 of the OSI model. If the security gateway is placed into a network for the first time, or if
network topology changes, the routing configuration must therefore be checked and adjusted
to ensure that the routing table is consistent with the new layout. Reconfiguration of IP settings
may be required for pre-existing routers and protected servers. This works well when
comprehensive control over routing is desired.

With switch routes, the Clavister Security Gateway operates in transparent mode and resembles
an OSI Layer 2 switch: it screens IP packets and forwards them transparently to the correct
interface without modifying any of the source or destination information at the IP or Ethernet
level. cOS Core achieves this by keeping track of the MAC addresses of the connected hosts, which
allows the physical Ethernet networks on either side of the Clavister Security Gateway to act as
though they were a single logical IP network. (See Appendix D, The OSI Framework for an
overview of the OSI layer model.)

Two benefits of transparent mode over conventional routing are:

A user can move from one interface to another in a "plug-n-play" fashion, without changing
their IP address (assuming their IP address is fixed). The user can still obtain the same services
as before (for example HTTP, FTP) without any need to change routes.

The same network address range can exist on several interfaces.

Note: Transparent and Routing Mode can be combined

Transparent mode and routing mode can operate together on a single Clavister Security
Gateway. Switch Routes can be defined alongside standard non-switch routes although
the two types cannot be combined for the same interface. An interface operates in one
mode or the other.

It is also possible to create a hybrid case by applying address translation on otherwise
transparent traffic.

How Transparent Mode Functions

In transparent mode, cOS Core allows ARP transactions to pass through the Clavister Security
Gateway, and determines from this ARP traffic the relationship between IP addresses, physical
addresses and interfaces. cOS Core remembers this address information in order to relay IP
packets to the correct receiver. During the ARP transactions, neither of the endpoints will be
aware of the Clavister Security Gateway.

When beginning communication, a host will locate the target host's physical address by
broadcasting an ARP request. This request is intercepted by cOS Core and it sets up an internal
ARP Transaction State entry and broadcasts the ARP request to all the other switch-route
interfaces except the interface the ARP request was received on. If cOS Core receives an ARP
reply from the destination within a configurable timeout period, it will relay the reply back to the
sender of the request, using the information previously stored in the ARP Transaction State entry.

During the ARP transaction, cOS Core learns the source address information for both ends from
the request and reply. cOS Core maintains two tables to store this information: the Content
Addressable Memory (CAM) and Layer 3 Cache. The CAM table tracks the MAC addresses
available on a given interface and the Layer 3 cache maps an IP address to MAC address and

Chapter 4: Routing

341
