IP association table:
VPN concentrator: primary link IP 194.204.1.22, alternate link IP 212.217.1.12 (VPN alternate IP). Dynamic IP: incoming UDP 500/4500 sessions are not supported on a dynamic IP; outgoing UDP 500 and IPSEC-ESP sessions only.
…: primary link IP 194.204.1.…, alternate link IP 212.217.1.…
Incoming web server & outgoing FTP access: primary link IP 194.204.1.115, alternate link IP 212.217.1.13 (Web and FTP alternate IP). Dynamic IP: incoming TCP 80 sessions are not supported on a dynamic link; outgoing FTP 21 (and data sessions) only.
…: …
Outgoing DNS requests: primary link IP 194.204.1.127, alternate link IP 212.217.1.14 (DNS alternate IP). Dynamic IP: outgoing UDP 53 sessions only.
Reserved, broadcast IP: primary link IP 194.204.1.128, alternate link IP 212.217.1.15. Share the same alternate IP address with multiple primary link services using different primary link IP addresses.
NOTE: With version 3.4.0 and higher of the EOS firmware, you can load balance multiple source IP addresses of the primary link onto a single alternate IP address, using masquerading (instead of overloading) so that source ports do not conflict.
Of course, the traffic being balanced must support source port translation.
Before configuring the Elfiq Link LB with the information in the IP association table, an important concept must be introduced: the access-lists.
4.4.2. Access Lists
4.4.2.1. Access List Rules
An Elfiq access list (ACL) is a set of rules used for traffic selection in the VFI stack. Rules can be very broad and pick up a lot of traffic, or very narrow and tailored to pick up only the traffic flowing between two specific hosts for a given protocol. Different types of access-lists take action at different locations of the Link LB VFI stack and are enabled or disabled via the features. Depending on the feature, the "action" assigned to sessions selected by the ACL differs. Refer to section 4.2.2 for additional information on the VFI stack.
The content of the configuration will show all of the ACLs grouped by their layer 4 protocol (TCP, UDP, IPSEC-ESP, etc) followed by the layer 3 ACLs that will catch IP packets.
The supported protocols for access-lists include:
TCP
UDP
ICMP
IPSEC-ESP
L2TP
IP
As you can see, the TCP, UDP and ICMP protocols each have their own set of access-lists. A packet that is not TCP, UDP, ICMP or IPSEC-ESP goes straight to the IP access-lists. The lists are separated by protocol to provide a much higher level of performance.
In addition to the protocol, an access-list is uniquely defined by the combination of source IP/bitmask and port, and destination IP/bitmask and port. These five elements can be very wide, or narrowed down to a specific port and protocol between two IP addresses. The format of each endpoint is [network ip]/[netmask-bits]:[start port]-[stop port].
ACLs are always checked top-down; once a match is found, the action assigned to that ACL is performed. The rest of the list is never re-entered after a selection has been made, whatever the outcome of the "action". If the "action" cannot be carried out for the first matching ACL, the session is not modified by the ACLs at all.
The order in which you list the ACL rules is therefore very important and should always go from narrow to broad. If you program one broad rule encompassing all IP addresses, a narrow rule listed after it would never be used by the Link LB, since all sessions would be selected by the broad rule first.
IMPORTANT: Each access-list rule has an index number and access-lists are verified in order. The first rule that matches the IP packet is applied.
ACL numbering is handled dynamically in the Link LB: all ACLs have an ID number, and those are rearranged whenever you add or delete rules. Adding a new ACL with an ID that is already in use inserts the new ACL at the specified ID and increments the IDs of the following rules by one, pushing the existing rules lower in the list. In the same fashion, deleting a rule decrements the IDs of the following rules by one, moving the remaining rules higher in the list.
NOTE: Incoming access-lists are often from any source IP address and outgoing access-lists are often to any destination IP address. The keyword any is used to represent any IP address (0.0.0.0/0:0-0).
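As an added illustration (not the Link LB's own code or CLI), the following Python model implements the rule format and the matching semantics described above: the [network ip]/[netmask-bits]:[start port]-[stop port] endpoint syntax, the any keyword, top-down first-match evaluation with no re-entry, per-protocol tables with a layer 3 table for the remaining protocols, dynamic 1-based IDs that are renumbered on insert and delete, and the drop-by-default policy of filtering access-lists. The action names "allow" and "drop", the reading of a 0-0 port range as "any port", the assumption that a protocol with its own table never falls through to the ip table, and the sample rules and packets are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocols that get their own ACL table in this model; any other protocol is
# checked against the layer 3 "ip" table (assumption drawn from the manual's split).
PROTO_TABLES = ("tcp", "udp", "icmp", "ipsec-esp")


@dataclass(frozen=True)
class Endpoint:
    """One side of a rule: [network ip]/[netmask-bits]:[start port]-[stop port]."""
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int

    @classmethod
    def parse(cls, text: str) -> "Endpoint":
        if text.strip().lower() == "any":           # keyword any = 0.0.0.0/0:0-0
            text = "0.0.0.0/0:0-0"
        net_part, sep, port_part = text.partition(":")
        if not sep:
            raise ValueError(f"missing ':start-stop' port range in {text!r}")
        lo_s, _, hi_s = port_part.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in {text!r}")
        return cls(ipaddress.IPv4Network(net_part, strict=False), lo, hi)

    def matches(self, ip: str, port: int) -> bool:
        if ipaddress.IPv4Address(ip) not in self.network:
            return False
        if self.port_lo == 0 and self.port_hi == 0:   # assumption: 0-0 means any port
            return True
        return self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Rule:
    proto: str
    src: Endpoint
    dst: Endpoint
    action: str   # filtering ACL action, hypothetical names: "allow" or "drop"


class AccessList:
    """Per-protocol tables: first match top-down, 1-based IDs renumbered on
    insert/delete, drop-by-default when nothing matches (filtering policy)."""

    def __init__(self, default_action: str = "drop"):
        self.tables: Dict[str, List[Rule]] = {}
        self.default_action = default_action

    def add(self, proto: str, src: str, dst: str, action: str,
            idx: Optional[int] = None) -> Rule:
        rule = Rule(proto, Endpoint.parse(src), Endpoint.parse(dst), action)
        table = self.tables.setdefault(proto, [])
        if idx is None:
            table.append(rule)
        else:
            table.insert(idx - 1, rule)   # rule at idx and all later ones move down one ID
        return rule

    def remove(self, proto: str, idx: int) -> Rule:
        return self.tables[proto].pop(idx - 1)   # later rules move up one ID

    def ids(self, proto: str) -> List[Tuple[int, Rule]]:
        return list(enumerate(self.tables.get(proto, []), start=1))

    def evaluate(self, proto: str, src_ip: str, dst_ip: str,
                 sport: int = 0, dport: int = 0) -> Tuple[Optional[int], str]:
        table = self.tables.get(proto if proto in PROTO_TABLES else "ip", [])
        for i, rule in enumerate(table, start=1):
            if rule.src.matches(src_ip, sport) and rule.dst.matches(dst_ip, dport):
                return i, rule.action       # first match wins; the list is not re-entered
        return None, self.default_action    # no match: filtering default policy


def ordering_demo():
    """Same two rules in two orders: broad-before-narrow shadows the narrow rule."""
    pkt = dict(proto="tcp", src_ip="203.0.113.9", dst_ip="194.204.1.115",
               sport=40000, dport=23)                          # constructed telnet packet
    wrong = AccessList()
    wrong.add("tcp", "any", "any", "allow")                     # ID 1: broad, matches all
    wrong.add("tcp", "any", "194.204.1.115/32:23-23", "drop")   # ID 2: never reached
    right = AccessList()
    right.add("tcp", "any", "194.204.1.115/32:23-23", "drop")   # ID 1: narrow first
    right.add("tcp", "any", "any", "allow")                     # ID 2: broad last
    return wrong.evaluate(**pkt), right.evaluate(**pkt)         # ((1,'allow'), (1,'drop'))


def renumber_demo():
    """Insert at an existing ID pushes rules down; delete pulls them back up."""
    acl = AccessList()
    acl.add("udp", "any", "194.204.1.127/32:53-53", "allow")    # ID 1
    acl.add("udp", "any", "any", "drop")                         # ID 2
    acl.add("udp", "194.204.1.0/24:0-0", "any", "allow", idx=1)  # new ID 1; old rules -> 2, 3
    after_insert = [r.dst.port_lo for _, r in acl.ids("udp")]    # [0, 53, 0]
    acl.remove("udp", 1)
    after_delete = [i for i, _ in acl.ids("udp")]                # [1, 2]
    return after_insert, after_delete
```

ordering_demo() is the shadowing case the warning above describes: the broad allow at ID 1 means the telnet drop at ID 2 is dead code, and only reversing the order makes the drop effective.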
4.4.2.2. Types of Access Lists
The Elfiq Link Balancer allows the creation of various types of access-lists. Each one is being verified at different locations of the VFI stack.
ARP: ARP access-lists give you the possibility to redirect traffic to specified hosts or MAC addresses.
NAT: NAT access-lists translate the source IP (nat in) or the destination IP and/or destination port (nat out). They are used to associate IP addresses between the primary link and the alternate link(s). For NAT balancing, they are also the rules that select the algorithm for outgoing traffic.
Persistence: Persistence access-lists keep specified protocols, hosts or ports on a single network path, which in our case means a single GMAC, or link, for the complete duration of a session. This is especially useful with protocols like HTTPS, where multiple short sessions are created as a user navigates through a secured site. Depending on the chosen balancing algorithm, running without persistence rules risks splitting sessions that should logically have been kept together on a single link. The outcome of such session splitting is that the remote server sees the client arriving from multiple IP addresses with no way to tell that those sessions belong to the same client; it then kills the alternate sessions and the user's session breaks. With a persistence access-list, the Link LB keeps all related sessions on a specific link for a determined period of time.
Persistence access-lists, persist triggers and protofix are the three VFI elements that ensure compatibility in a link balancing environment.
Debug: Debug access-lists specify which kind of traffic is traced and sent to the debug log.
Filtering: Filtering access-lists filter incoming and outgoing traffic, allowing you to prevent undesired packets from reaching or leaving your network. Access-lists in the Elfiq Link Balancer can provide the first layer of security in your network infrastructure, blocking packets before they even reach your corporate firewall.
IMPORTANT: The Link LB is not meant to be used as a replacement for a corporate firewall. Instead, its security features, such as access-lists and the shunning engine, are meant to provide an extra layer of security. Some of your firewall's features, such as stateful packet filtering and VPN capabilities, are not part of the Link LB and are meant to stay on your corporate firewall. Since there is no stateful packet filtering in the Link LB, every filtering rule created by the access-lists either allows the packets to pass or drops them. Any further filtering must be done on the firewall.
WARNING: Filtering access-lists in the Elfiq Link Balancer drop packets as the default policy. Therefore, before enabling the filtering access-list feature in your VFI, make sure you have created all the rules needed to allow your traffic to pass through it. Disabling the filtering access-list feature does not alter your configuration, but lets all packets pass through the Link LB.
Nattp: Nattp access-lists create tunnel encapsulation for point-to-point communication between two Link LBs. This allows you to encapsulate traffic that is normally not routable. It is used in particular with the GeoLink option.
Channel: Channel access-lists create static communication paths between two VFIs (inter-VFI communication).
TAG: TAG access-lists provide policy based routing. Unlike NAT balancing, no changes are made to the IP addresses; a dynamic routing table is applied per session and sessions are tracked to ensure consistent load-balancing decisions.
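The session-splitting problem described under Persistence, as an added simulation that is not part of the manual and not Elfiq's implementation: one client opens several short HTTPS sessions; without a persistence rule a round-robin balancer spreads them across both links, so the remote server sees two different source addresses; with a persistence rule matching the protocol and destination port, all sessions stay on the first link until the timer expires. The link names, their public addresses, the round-robin algorithm used as a stand-in for the real balancing algorithm, the PersistRule shape, the client address and the 30-second timer are all assumptions made for this example.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed example: two links, each reaching the Internet from its own
# public address (the address a remote server sees as the client's source IP).
LINKS = {"GMAC1": "194.204.1.22", "GMAC2": "212.217.1.12"}


@dataclass(frozen=True)
class PersistRule:
    """Hypothetical persistence ACL entry: sessions of this protocol and
    destination port stay on one link for ttl seconds after the last session."""
    proto: str
    dst_port: int
    ttl: float


class LinkBalancer:
    def __init__(self, persist_rules: List[PersistRule], clock: Callable[[], float]):
        self.rules = persist_rules
        self.clock = clock
        self._rr = itertools.cycle(LINKS)   # stand-in balancing algorithm: round-robin
        # persistence table: (client ip, rule) -> (link, expiry time)
        self.pins: Dict[Tuple[str, PersistRule], Tuple[str, float]] = {}

    def choose_link(self, proto: str, client_ip: str, dst_port: int) -> str:
        now = self.clock()
        rule = next((r for r in self.rules
                     if r.proto == proto and r.dst_port == dst_port), None)
        if rule is not None:
            key = (client_ip, rule)
            pinned = self.pins.get(key)
            if pinned is not None and pinned[1] > now:
                link = pinned[0]
                self.pins[key] = (link, now + rule.ttl)   # refresh the timer
                return link                               # stay on the pinned link
        link = next(self._rr)                             # fresh balancing decision
        if rule is not None:
            self.pins[(client_ip, rule)] = (link, now + rule.ttl)
        return link


def source_ips_seen(with_persistence: bool, session_times: List[float]) -> List[str]:
    """Replay one client's HTTPS sessions at the given times (seconds) and return
    the source IP the remote server sees for each session."""
    now = {"t": 0.0}
    rules = [PersistRule("tcp", 443, ttl=30.0)] if with_persistence else []
    lb = LinkBalancer(rules, clock=lambda: now["t"])
    seen = []
    for t in session_times:
        now["t"] = t
        seen.append(LINKS[lb.choose_link("tcp", "10.0.0.5", 443)])   # constructed client
    return seen


if __name__ == "__main__":
    print("no persistence:", source_ips_seen(False, [0, 1, 2, 3]))
    print("persistence:   ", source_ips_seen(True, [0, 1, 2, 3]))
    print("after expiry:  ", source_ips_seen(True, [0, 1, 100]))
```

Without the rule the server sees the client alternate between 194.204.1.22 and 212.217.1.12, which is exactly the condition that makes it discard the "other" sessions; with the rule every session in the 30-second window leaves from the same link, and only a session after the timer has expired is balanced afresh.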
4.4.2.3. Display Access Lists
You can view all access-lists with the sh [access rule] commands:
sh acl arp              ARP access-lists
sh acl nat in           Outgoing NAT balancing
sh acl nat out          Associating IP addresses between links for incoming traffic; required for incoming NAT balancing
sh acl per in           Outgoing persistence rules
sh acl debug in/out     Selecting traffic in debug mode
sh acl in               Outgoing filtering rules
sh acl out              Incoming filtering rules
sh acl nattp in         NAT tunneling protocol encapsulation between two Link LB units
sh acl channel in/out   Inter-VFI channel rules
sh acl tag in           Outgoing TAG balancing
4.4.2.4. Remove Access Lists
Each type of access-list has a command to remove a specific entry. The commands are:
no acl arp [ip] [idx]
Remove an arp ip access-list by index
no acl channel in [ip|icmp|tcp|udp|...] [idx]
Remove a channel inside ip access-list by index
no acl channel out [ip|icmp|tcp|udp|...] [idx]
Remove a channel outside ip access-list by index
no acl debug in [ip|icmp|tcp|udp|...] [idx]
Remove a debug inside ip access-list by index
no acl debug out [ip|icmp|tcp|udp|...] [idx]
Remove a debug outside ip access-list by index
no acl in [ip|icmp|tcp|udp|...] [idx]
Remove an inside ip filtering access-list by index
no acl nat in [ip|icmp|tcp|udp|...] [idx]
Remove a nat inside ip access-list by index
no acl nat out [ip|icmp|tcp|udp|...] [idx]
Remove a nat outside ip access-list by index
no acl out [ip|icmp|tcp|udp|...] [idx]
Remove an outside ip filtering access-list by index
no acl per in [ip|icmp|tcp|udp|...] [idx]
Remove a persistence inside ip access-list by index
no acl tag in [ip|icmp|tcp|udp|...] [idx]
Remove a tag inside ip access-list by index
All access-lists of a specific type can be removed at once using:
clr acl [type] [in|out] [proto]
Possible types are: arp, channel, debug, nat, nattp, per and tag. If no type is specified, the command applies to the layer 3 filtering access-lists.