Amer Networks E5Web GUI User Manual

interface. As the Layer 3 Cache is only used for IP traffic, Layer 3 Cache entries are stored as single
host entries in the routing table.

For each IP packet that passes through the Clavister Security Gateway, a route lookup for the
destination is done. If the route of the packet matches a Switch Route or a Layer 3 Cache entry in
the routing table, cOS Core knows that it should handle this packet in a transparent manner. If a
destination interface and MAC address is available in the route, cOS Core has the necessary
information to forward the packet to the destination. If the route was a Switch Route, no specific
information about the destination is available and the security gateway will have to discover
where the destination is located in the network.

Discovery is done by cOS Core sending out ARP as well as ICMP (ping) requests, acting as the
initiating sender of the original IP packet for the destination on the interfaces specified in the
Switch Route. If an ARP reply is received, cOS Core will update the CAM table and Layer 3 Cache
and forward the packet to the destination.

If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically. Using
the discovery mechanism of sending ARP and ICMP requests, cOS Core will rediscover
destinations that may have been flushed.

Enabling Transparent Mode

To enable cOS Core transparent mode, the following steps are required:

1. The interfaces that are to be transparent should first be collected together into a single
   Interface Group object. Interfaces in the group should be marked as Security transport
   equivalent if hosts are to move freely between them.

2. A Switch Route is now created in the appropriate routing table and the interface group
   associated with it. Any existing non-switch routes for interfaces in the group should be
   removed from the routing table.

   For the Network parameter in the switch route, specify all-nets or, alternatively, specify a
   network or range of IP addresses that will be transparent between the interfaces (this latter
   option is discussed further below).

3. Create the appropriate IP rules in the IP rule set to allow the desired traffic to flow between
   the interfaces operating in transparent mode.

   If no restriction at all is to be initially placed on traffic flowing in transparent mode, the
   following single IP rule could be added, but more restrictive IP rules are recommended.

Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
Allow    any             all-nets      any              all-nets       all_services

Restricting the Network Parameter

As cOS Core listens to ARP traffic, it continuously adds single host routes to the routing table as it
discovers on which interface IP addresses are located. As the name suggests, single host routes
give a route for a single IP address. The number of these routes can therefore become large as
connections are made to more and more hosts.

A key advantage of specifying a network or a range of IP addresses instead of all-nets for the
Network parameter is that the number of routes automatically generated by cOS Core will be
significantly smaller. A single host route will only be added if the IP address falls within the
network or address specified. Reducing the number of routes added will reduce the processing
overhead of route lookups.
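To make the route lookup, ARP-driven cache and Network restriction described above concrete, the following is an added illustrative model in Python. It is not cOS Core code; the class name, the 4-entry cache limit, the partial-flush policy of dropping the oldest half of the cache and the sample addresses are all assumptions made for the example.

```python
import ipaddress


class TransparentRoutingTable:
    """Model of one Switch Route plus the single host routes learned from ARP."""

    def __init__(self, network, interfaces, cache_limit=4):
        # Network parameter of the Switch Route ("0.0.0.0/0" plays the role of all-nets)
        self.network = ipaddress.ip_network(network)
        self.interfaces = tuple(interfaces)     # members of the Interface Group
        self.cache_limit = cache_limit          # assumed capacity of the Layer 3 Cache
        self.l3_cache = {}                      # host address -> (interface, mac)

    def learn_from_arp(self, ip, interface, mac):
        """Add a single host route for ip, but only if it falls within the Network
        parameter and was seen on a group interface. Returns True when added."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.network or interface not in self.interfaces:
            return False
        if len(self.l3_cache) >= self.cache_limit:
            # Cache full: partially flush (oldest half, an assumed policy); those
            # hosts are rediscovered by the ARP/ICMP mechanism when traffic resumes.
            for old in list(self.l3_cache)[: self.cache_limit // 2]:
                del self.l3_cache[old]
        self.l3_cache[addr] = (interface, mac)
        return True

    def lookup(self, dst_ip):
        """Route lookup for a destination:
        'forward'  -> a Layer 3 Cache entry supplies interface and MAC
        'discover' -> only the Switch Route matches; ARP/ICMP goes out on its interfaces
        'no-route' -> destination lies outside the transparent Network"""
        addr = ipaddress.ip_address(dst_ip)
        if addr in self.l3_cache:
            return "forward", self.l3_cache[addr]
        if addr in self.network:
            return "discover", self.interfaces
        return "no-route", None

    def route_count(self):
        """Number of automatically generated single host routes, the figure that a
        restricted Network parameter keeps small."""
        return len(self.l3_cache)
```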

Chapter 4: Routing