WiNG 5.X How To Policy Based Routing Cache Redirection
Part No. TME-05-2012-01 Rev. A

MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners. © 2012 Motorola Solutions, Inc. All Rights Reserved.

Table of Contents

1. Introduction
   1.1 Overview
2. Configuration
   2.1 IP Access Control Lists
   2.2 Virtual IP Interfaces & Port Assignments
   2.3 Network Address Translation
   2.4 Policy Based Routing
3. Verification
   3.1 Basic Networking
   3.2 Routing Policy
   3.3 Network Address Translation
4. Appendix
   4.1 Running-Configuration

WiNG 5.X How-To – Cache Redirection

1. Introduction

WiNG 5.3 introduces Policy Based Routing (PBR), which allows a WiNG 5 device to make IPv4 forwarding decisions based on user-defined match criteria. Prior to PBR, all IPv4 forwarding decisions were made using destination based routing. The introduction of PBR allows WiNG 5 to address several challenges faced by administrators of remote branch networks. Using policies, network administrators can configure a WiNG 5 device to forward IPv4 traffic outside the constraints enforced by destination based routing without deploying additional hardware at a branch site. For example, PBR can be employed to:

1) Distribute traffic over different WAN, MPLS or Internet paths.
2) Provide failover between multiple WAN, MPLS or Internet paths.
3) Load-balance traffic across multiple WAN, MPLS or Internet paths while providing failover.
4) Mark and forward select traffic for QoS purposes.
5) Forward select traffic to specific hosts for inspection or other services.

With PBR, forwarding decisions can be made by a WiNG 5 device using a number of criteria, including source VLAN, source / destination IPv4 address, protocol type, traffic class, associated Wireless LAN or the user's assigned role. As an action, PBR can be configured to mark the QoS value of the selected traffic or to forward it to a specific next-hop. For availability, PBR can also leverage Critical Resource Monitoring, which allows next-hop routers and network paths to be monitored for liveness. If the next-hop router or network path is unreachable, traffic can be forwarded using another PBR policy or can be subjected to destination based routing.
1.1 Overview

This guide focuses on using PBR on an RFS4000 to forward select traffic to a host that resides locally at a branch site. In this example PBR is configured to forward TCP port 80 (HTTP) traffic to a caching server to optimize Internet bandwidth. Non-HTTP traffic bypasses the caching server and is subjected to destination based routing.

The configuration in this guide consists of the following components:

1) One RFS4000 running WiNG 5.3.0.0-088R firmware that is directly connected to the users, the cache server and the public Internet.
2) Policy Based Routing (PBR) is enabled to forward user HTTP traffic to the cache server. Non-HTTP traffic is ignored by the policy.
3) Network Address Translation (NAT) is enabled so that the cache server and users can access the Internet. NAT is also configured to ignore user HTTP traffic destined to the caching server.
4) Critical Resource Monitoring is employed to check the liveness of the caching server. If the caching server fails, user traffic is subjected to destination based routing.

1.1.1 Operation

During normal operation, Policy Based Routing (PBR) forwards HTTP traffic from the users directly to the cache server. If the cache server has the content cached, it responds to the user with the content without accessing the public Internet. If the content is not cached, the caching server fetches it from the public Internet, caches it and responds to the user directly. Subsequent requests for the cached content are served by the caching server without re-accessing the public Internet. Note that PBR only changes the next-hop: redirected packets still carry their original public destination address, so the cache server must be configured to transparently intercept HTTP traffic that is not addressed to it.

Non-HTTP traffic such as DNS, FTP or HTTPS is subject to normal destination based routing. Non-HTTP traffic is NATted and forwarded to the RFS4000's default gateway. No non-HTTP traffic is forwarded to the caching server in this example.
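The forwarding behaviour described above, modelled in Python as an added example (this is not code from the how-to or from WiNG; it is a simplified model). It encodes the three IP ACLs of section 2.1, the dynamic NAT rule of section 2.3.2 and the route-map of section 2.4.1 with the document's addresses, and evaluates constructed sample packets for the normal case and for the case where Critical Resource Monitoring reports the cache server unreachable. The evaluation order (inbound ACL on the ingress interface, then the route-map, then destination based routing, then NAT on the outside interface) and first-match-by-precedence ACL semantics are assumptions of the model, not statements about the WiNG implementation.

```python
# Added example: model of the RFS4000 forwarding decision for the cache
# redirection design. Not WiNG code; evaluation order and first-match ACL
# semantics are assumptions. Sample packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WWW = 80

@dataclass(frozen=True)
class Packet:
    in_vlan: str            # ingress virtual IP interface, e.g. "vlan20"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: str                # CIDR or "any"
    dst: str
    dport: Optional[int] = None
    precedence: int = 0

def _net(cidr):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr, strict=False)

def acl_lookup(rules, pkt):
    """First matching rule wins, evaluated in ascending rule-precedence order.
    Returns the rule's action, or None when no rule matches."""
    for r in sorted(rules, key=lambda r: r.precedence):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in _net(r.src) or ip_address(pkt.dst) not in _net(r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return None

# The document's ACLs (section 2.1), addresses unchanged.
NAT_ACL = [
    Rule("deny", "tcp", "192.168.20.0/24", "192.168.26.10/32", WWW, 10),
    Rule("permit", "ip", "192.168.20.0/24", "any", None, 20),
    Rule("permit", "ip", "192.168.26.10/32", "any", None, 30),
]
CACHE_ACL = [Rule("permit", "tcp", "192.168.20.0/24", "any", WWW, 20)]
INTERNET_INBOUND_ACL = [Rule("deny", "ip", "any", "any", None, 100)]

CACHE_SERVER = "192.168.26.10"          # route-map 1 next-hop
DEFAULT_GW = "10.1.1.1"                 # learned by DHCP on vlan4094 (section 3.1)
CONNECTED = {"vlan20": "192.168.20.0/24", "vlan26": "192.168.26.0/24",
             "vlan4094": "10.1.1.0/24"}

def destination_route(dst):
    """Destination based routing: a connected subnet, else the default gateway."""
    for vlan, net in CONNECTED.items():
        if ip_address(dst) in ip_network(net):
            return vlan, dst
    return "vlan4094", DEFAULT_GW

@dataclass(frozen=True)
class Decision:
    egress: str
    next_hop: str
    natted: bool
    reason: str

def forward(pkt, cache_reachable=True):
    """cache_reachable stands in for the CRM status of route-map 1's next-hop."""
    # use ip-access-list in INTERNET-INBOUND on vlan4094
    if pkt.in_vlan == "vlan4094" and acl_lookup(INTERNET_INBOUND_ACL, pkt) == "deny":
        return Decision("drop", "-", False, "INTERNET-INBOUND deny, logged")
    # routing-policy PBR, route-map 1: incoming-interface vlan20 + ip-access-list CACHE
    if pkt.in_vlan == "vlan20" and acl_lookup(CACHE_ACL, pkt) == "permit":
        if cache_reachable:
            # Only the next-hop changes; pkt.dst is still the public address,
            # which is why the cache server must intercept transparently.
            return Decision("vlan26", CACHE_SERVER, False, "route-map 1 next-hop")
        reason = "route-map 1 next-hop UNREACHABLE, destination based routing"
    else:
        reason = "destination based routing"
    egress, next_hop = destination_route(pkt.dst)
    # ip nat inside source list NAT interface vlan4094 overload
    natted = egress == "vlan4094" and acl_lookup(NAT_ACL, pkt) == "permit"
    return Decision(egress, next_hop, natted, reason)

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("vlan20", "tcp", "192.168.20.254", "204.245.162.17", 80),
        Packet("vlan20", "tcp", "192.168.20.254", "98.139.240.23", 443),
        Packet("vlan26", "tcp", "192.168.26.10", "204.245.162.17", 80),
        Packet("vlan4094", "tcp", "198.51.100.7", "10.1.1.100", 22),
    ]
    for up in (True, False):
        print(f"cache reachable={up}")
        for p in samples:
            print(" ", p.src, "->", f"{p.dst}:{p.dport}", forward(p, up))
```

Running the script prints the decision for each constructed packet with the cache server reachable and unreachable. Two properties worth noticing: the cache server's own HTTP requests are never matched by CACHE (source is not in 192.168.20.0/24 and ingress is not vlan20), so there is no redirection loop; and a user packet redirected to the cache server is not NATted simply because it leaves via vlan26, regardless of rule 1 of the NAT ACL.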
If the caching server fails and is not reachable from the RFS4000, all user traffic is subjected to destination based routing: HTTP and non-HTTP traffic are both NATted and forwarded to the RFS4000's default gateway. Once the caching server is back on-line, HTTP traffic is again forwarded to the caching server.

2. Configuration

2.1 IP Access Control Lists

For this configuration step three IP Access Control Lists (ACLs) are required:

2.1.1 Network Address Translation (NAT)

The first IP ACL is used for network address translation (NAT). NAT is required so that hosts connected to the RFS4000 can access the public Internet. The NAT ACL contains three rules:

1) Rule 1 – Denies TCP port 80 (HTTP) traffic from the user subnet (192.168.20.0/24) destined to the cache server (host 192.168.26.10). This rule is required so that HTTP traffic from users to the cache server is not NATted.
2) Rule 2 – Permits IP traffic from the user subnet (192.168.20.0/24) destined to the public Internet (any). This rule is required so that user traffic destined to the public Internet is NATted to the public interface on the RFS4000.
3) Rule 3 – Permits IP traffic from the cache server (host 192.168.26.10) destined to the public Internet (any). This rule is required so that cache server traffic destined to the public Internet is NATted to the public interface on the RFS4000.

Note that rule 1 matches on the cache server's address as the packet destination, whereas traffic redirected by PBR keeps its original public destination address. Whether redirected sessions are being translated is easy to check: while the cache server is up, the NAT translation table in section 3.3 should contain no TCP port 80 entries sourced from 192.168.20.0/24.

During normal operation user HTTP traffic is captured and redirected to the cache server using policy based routing. The cache server either serves the content from its cache or accesses the Internet to pull the content. Non-HTTP traffic is NATted directly and forwarded to the public Internet, bypassing policy based routing. If the cache server becomes unreachable, all user traffic is NATted to the public interface directly.

NAT ACL:

!
ip access-list NAT
 deny tcp 192.168.20.0/24 host 192.168.26.10 eq www rule-precedence 10
 permit ip 192.168.20.0/24 any rule-precedence 20
 permit ip host 192.168.26.10 any rule-precedence 30
!

2.1.2 Cache Redirection

The second IP ACL is used by policy based routing (PBR). The CACHE ACL contains one rule:

1) Rule 1 – Permits TCP port 80 (HTTP) traffic from the user subnet (192.168.20.0/24) destined to any address. This rule is required so that PBR can redirect HTTP traffic to the cache server. Because the source is restricted to the user subnet, the HTTP requests the cache server itself makes to the Internet are not matched and cannot be looped back to it.

Cache Redirection ACL:

!
ip access-list CACHE
 permit tcp 192.168.20.0/24 any eq www rule-precedence 20
!

2.1.3 Inbound Internet

The third IP ACL is applied to inbound traffic received on the public IP interface of the RFS4000. The INTERNET-INBOUND ACL contains one rule:

1) Rule 1 – Denies all IP traffic and logs matches. This rule is required so that inbound traffic received on the public IP interface of the RFS4000 is denied. If this rule were absent, hosts on the public Internet would be able to communicate directly with the RFS4000. The rule blocks sessions initiated from the Internet; replies to sessions initiated by the RFS4000 and the inside hosts are still received, as the DHCP lease on VLAN 4094 and the NAT translation table in section 3 show.

Inbound Internet ACL:

!
ip access-list INTERNET-INBOUND
 deny ip any any log rule-precedence 100
!

2.2 Virtual IP Interfaces & Port Assignments

For this configuration step three virtual IP interfaces are required. In this example the virtual IP interfaces and VLAN port assignments are assigned directly to the RFS4000's device configuration as overrides:

2.2.1 VLAN 20 (Users)

The first virtual IP interface is for VLAN 20, which is used for users and device management. All wired and wireless users are assigned to VLAN 20. In this example the IP address 192.168.20.1/24 is assigned to VLAN 20 and is the default gateway for users at the site.

User Virtual IP Interface:

!
interface vlan20
 description USERS
 ip address 192.168.20.1/24
!
2.2.2 VLAN 26 (Cache Server)

The second virtual IP interface is for VLAN 26, which is used by the cache server. In this example the IP address 192.168.26.1/24 is assigned to VLAN 26 and is the default gateway for the cache server at the site.

Cache Virtual IP Interface:

!
interface vlan26
 description CACHE
 ip address 192.168.26.1/24
!

2.2.3 VLAN 4094 (Internet)

The third virtual IP interface is for VLAN 4094, which is the public interface on the RFS4000. In this example IP addressing is provided by DHCP from the service provider. Additionally the IP ACL named INTERNET-INBOUND is assigned inbound on the virtual IP interface to deny and log any inbound traffic received by the public interface:

Internet Virtual IP Interface:

!
interface vlan4094
 description INTERNET
 ip address dhcp
 ip dhcp client request options all
 use ip-access-list in INTERNET-INBOUND
!

2.2.4 VLAN Port Membership

In this configuration example the public Internet connection, cache server and users are directly connected to the RFS4000, so VLAN port assignments need to be defined:

1) Users – Are connected to Gigabit Ethernet ports 1 – 3. Ports Ge1 – Ge3 are defined as access ports with the native VLAN id set to 20.
2) Cache Server – Is connected to Gigabit Ethernet port 4. Ge4 is defined as an access port with the native VLAN id set to 26.
3) Internet – Is connected to Gigabit Ethernet port 5. Ge5 is defined as an access port with the native VLAN id set to 4094.

Switchport Assignments:

!
rfs4000 00-23-68-22-9D-E4
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-1
 license AP DEFAULT-6AP-LICENSE
 interface ge1
  switchport mode access
  switchport access vlan 20
 interface ge2
  switchport mode access
  switchport access vlan 20
 interface ge3
  switchport mode access
  switchport access vlan 20
 interface ge4
  switchport mode access
  switchport access vlan 26
 interface ge5
  description INTERNET
  switchport mode access
  switchport access vlan 4094
 !
 ! Configuration Removed for Brevity
 !
!

2.3 Network Address Translation

For this configuration step each virtual IP interface is enabled for NAT and a NAT rule is defined. In this example the NAT interfaces and rule are assigned directly to the RFS4000's device configuration as overrides:

2.3.1 NAT Interfaces

For NAT to function, each virtual IP interface needs to be designated as a NAT inside or outside interface. If no designation is made, NAT will not function:

1) VLAN 20 – Designated as a NAT inside interface.
2) VLAN 26 – Designated as a NAT inside interface.
3) VLAN 4094 – Designated as a NAT outside interface.

NAT Interfaces:

!
interface vlan20
 description USERS
 ip address 192.168.20.1/24
 ip nat inside
!
interface vlan26
 description CACHE
 ip address 192.168.26.1/24
 ip nat inside
!
interface vlan4094
 description INTERNET
 ip address dhcp
 ip dhcp client request options all
 use ip-access-list in INTERNET-INBOUND
 ip nat outside
!

2.3.2 Dynamic NAT Rule

Once each virtual IP interface has been enabled for NAT, a dynamic NAT rule needs to be defined that tells the RFS4000 which traffic is subjected to NAT and what to translate it to. In this example the IP ACL named NAT determines which traffic is subjected to NAT, and all internal traffic is translated (overloaded) to the single IP address of the public virtual IP interface VLAN 4094.

NAT Rule Assignment:

!
rfs4000 00-23-68-22-9D-E4
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-1
 !
 ! Configuration Removed for Brevity
 !
 ip nat inside source list NAT interface vlan4094 overload
!

2.4 Policy Based Routing

For this configuration step a routing policy and route-map are defined to forward TCP port 80 (HTTP) traffic to the cache server. In this example the routing policy is assigned directly to the RFS4000's device configuration as an override:

2.4.1 Routing Policy and Map

A routing policy and route-map need to be defined to redirect TCP port 80 (HTTP) traffic to the cache server. The routing policy forwards IPv4 traffic based on the match conditions defined in the route-map. In this example a routing policy named PBR is created with a single route-map. The route-map matches HTTP traffic received from the user subnet (192.168.20.0/24) on VLAN 20 and forwards it to the cache server host (192.168.26.10) as the next-hop. The IP ACL named CACHE determines which traffic the route-map selects.

Traffic that is not matched by the routing policy is subjected to normal destination based routing and is forwarded to the RFS4000's default gateway. HTTP traffic received from the cache server is also forwarded using destination based routing; only HTTP traffic from the users on the 192.168.20.0/24 network is matched by the routing policy, so the cache server's own Internet requests cannot be redirected back to it.

By default the routing policy uses Critical Resource Monitoring (CRM) to monitor the health of the cache server. CRM monitors the cache server by sending ICMP packets and monitoring the ARP cache. If the cache server becomes unreachable, HTTP traffic is subjected to destination based routing and is forwarded to the RFS4000's default gateway.

Note – Critical Resource Monitoring (CRM) can only detect whether the cache server responds to ARP and ICMP; it cannot validate that the caching service itself is operational.
If the caching service fails but the caching server is still reachable, the route-map continues to forward traffic to the cache server, and users lose HTTP access until the service is restored or the route-map is removed. Monitor the caching service separately.

Routing Policy:

!
routing-policy PBR
 route-map 1
  match ip-access-list CACHE
  match incoming-interface vlan20
  next-hop 192.168.26.10
!

2.4.2 Routing Policy Assignment

Once the routing policy and route-map have been defined, the policy needs to be assigned to the RFS4000. In this example the routing policy named PBR is assigned directly to the RFS4000's device configuration as a device override:

Routing Policy Assignment:

!
rfs4000 00-23-68-22-9D-E4
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-1
 !
 ! Configuration Removed for Brevity
 !
 ip nat inside source list NAT interface vlan4094 overload
 use routing-policy PBR
!

3. Verification

3.1 Basic Networking

Issue the show ip interface brief command to verify that the virtual IP interfaces have been defined correctly and that STATUS and PROTOCOL are up. In this example virtual IP interfaces for VLANs 20, 26 and 4094 have been defined and each is up and operational:

rfs4000-1# show ip interface brief
-------------------------------------------------------------------------------
INTERFACE   IP-ADDRESS/MASK        TYPE     STATUS   PROTOCOL
-------------------------------------------------------------------------------
vlan1       unassigned             n/a      UP       up
vlan20      192.168.20.1/24        primary  UP       up
vlan4094    10.1.1.100/24(DHCP)    primary  UP       up
vlan26      192.168.26.1/24        primary  UP       up
-------------------------------------------------------------------------------

Issue the show ip route command to verify the default gateway has been defined.
In this example the default gateway 10.1.1.1 has been learned from the ISP using DHCP:

rfs4000-1# show ip route
-------------------------------------------------------------------------------
DESTINATION        GATEWAY      FLAGS   INTERFACE
-------------------------------------------------------------------------------
10.1.1.0/24        direct       C       vlan4094
192.168.26.0/24    direct       C       vlan26
192.168.20.0/24    direct       C       vlan20
default            10.1.1.1     CG      vlan4094
-------------------------------------------------------------------------------
Flags: C - Connected G - Gateway

Issue the show interface switchport command to verify the VLANs are assigned to the correct ports. In this example VLAN 20 (Users) is assigned to ports Ge1 – Ge3, VLAN 26 (Cache) is assigned to Ge4 and VLAN 4094 (Internet) is assigned to Ge5:

rfs4000-1# show interface switchport
---------------------------------------------------------------------------------------
INTERFACE   STATUS   MODE     VLAN(S)
---------------------------------------------------------------------------------------
ge1         UP       access   20
ge2         DOWN     access   20
ge3         DOWN     access   20
ge4         UP       access   26
ge5         UP       access   4094
up1         DOWN     access   1
---------------------------------------------------------------------------------------
A '*' next to the VLAN ID indicates the native vlan for that trunk port

3.2 Routing Policy

Issue the show route-maps command to display the state of the routing policy and determine whether any traffic is being forwarded to the cache server. In this example the cache server is UP and reachable, and the HITCOUNT counter increments each time a new HTTP session is initiated, indicating HTTP traffic is being forwarded to the cache server:

rfs4000-1# show route-maps
-------------------------------------------------------------------------------
Route Map 1 primary next-hop: 192.168.26.10, status UP (Gateway monitoring)
 Rules:
  Incoming interface: vlan20
  permit tcp 192.168.20.0/24 any eq www HITCOUNT 654

If the cache server becomes unreachable, the status of the next-hop changes to UNREACHABLE and the traffic is subjected to normal destination based routing. The HITCOUNT counter does not increment while the cache server is unreachable:

rfs4000-1# show route-maps
-------------------------------------------------------------------------------
Route Map 1 primary next-hop: 192.168.26.10, status UNREACHABLE (Gateway monitoring)
 Rules:
  Incoming interface: vlan20
  permit tcp 192.168.20.0/24 any eq www HITCOUNT 654

3.3 Network Address Translation

Issue the show ip nat translations verbose command to view the NAT translation table. During normal operation HTTP traffic is forwarded to the cache server:

1) If the requested web content is not already cached by the cache server, it contacts the web server and pulls the content. The cache server then responds to the user with the content.
2) If the content is cached, the cache server responds to the user with the content without accessing the Internet.

Each time the cache server contacts an external web server a NAT translation entry is created. Users accessing non-HTTP services are forwarded and NATted directly, bypassing the cache server. The following NAT translation table shows various entries for HTTP and non-HTTP traffic.
Traffic from the host IP address 192.168.26.10 represents HTTP or DNS traffic originated by the caching server, while traffic from hosts on the user network 192.168.20.0/24 represents non-HTTP traffic (HTTPS in this table) that is bypassing the cache server. No TCP port 80 entries sourced from 192.168.20.0/24 are present, which confirms that user HTTP sessions are being redirected rather than translated:

rfs4000-1# show ip nat translations verbose
PROTO  ACTUAL SOURCE         ACTUAL DESTINATION    NATTED SOURCE        NATTED DESTINATION
---------------------------------------------------------------------------------------
TCP    192.168.26.10:60174   204.245.162.17:80     10.1.1.100:56602     204.245.162.17:80
TCP    192.168.26.10:60164   204.245.162.17:80     10.1.1.100:51332     204.245.162.17:80
UDP    192.168.26.10:46225   208.67.222.222:53     10.1.1.100:42270     208.67.222.222:53
TCP    192.168.26.10:60162   204.245.162.17:80     10.1.1.100:59045     204.245.162.17:80
TCP    192.168.26.10:37299   192.150.16.64:80      10.1.1.100:45744     192.150.16.64:80
TCP    192.168.20.254:1515   98.139.240.23:443     10.1.1.100:55203     98.139.240.23:443
TCP    192.168.26.10:60166   204.245.162.17:80     10.1.1.100:50858     204.245.162.17:80
TCP    192.168.26.10:42352   66.235.147.77:80      10.1.1.100:36863     66.235.147.77:80
TCP    192.168.26.10:60165   204.245.162.17:80     10.1.1.100:58649     204.245.162.17:80
TCP    192.168.26.10:60161   204.245.162.17:80     10.1.1.100:34627     204.245.162.17:80
TCP    192.168.26.10:60158   204.245.162.17:80     10.1.1.100:54530     204.245.162.17:80
TCP    192.168.26.10:60159   204.245.162.17:80     10.1.1.100:58627     204.245.162.17:80
TCP    192.168.26.10:60171   204.245.162.17:80     10.1.1.100:50525     204.245.162.17:80
TCP    192.168.26.10:60167   204.245.162.17:80     10.1.1.100:65411     204.245.162.17:80
TCP    192.168.26.10:60163   204.245.162.17:80     10.1.1.100:35877     204.245.162.17:80
TCP    192.168.26.10:60169   204.245.162.17:80     10.1.1.100:65048     204.245.162.17:80
TCP    192.168.26.10:36470   193.104.215.66:80     10.1.1.100:41675     193.104.215.66:80
TCP    192.168.26.10:60173   204.245.162.17:80     10.1.1.100:37718     204.245.162.17:80
TCP    192.168.20.254:1513   23.1.203.120:443      10.1.1.100:33671     23.1.203.120:443
TCP    192.168.26.10:60168   204.245.162.17:80     10.1.1.100:64675     204.245.162.17:80
TCP    192.168.26.10:60170   204.245.162.17:80     10.1.1.100:39853     204.245.162.17:80
TCP    192.168.26.10:60160   204.245.162.17:80     10.1.1.100:39917     204.245.162.17:80

If the cache server becomes unreachable, the user traffic is subjected to normal destination based routing. The following NAT translation table shows entries for HTTP and non-HTTP traffic originating from the user network 192.168.20.0/24, all of which is NATted directly by the RFS4000:

rfs4000-1# show ip nat translations verbose
PROTO  ACTUAL SOURCE         ACTUAL DESTINATION    NATTED SOURCE        NATTED DESTINATION
---------------------------------------------------------------------------------------
TCP    192.168.20.254:1536   192.150.16.58:80      10.1.1.100:46728     192.150.16.58:80
UDP    192.168.20.254:1031   208.67.222.222:53     10.1.1.100:45364     208.67.222.222:53
TCP    192.168.20.254:1538   204.245.162.17:80     10.1.1.100:61602     204.245.162.17:80
TCP    192.168.20.254:1534   192.150.16.64:80      10.1.1.100:40813     192.150.16.64:80
TCP    192.168.20.254:1545   98.139.241.94:443     10.1.1.100:47124     98.139.241.94:443
TCP    192.168.20.254:1547   65.55.13.243:80       10.1.1.100:57065     65.55.13.243:80
TCP    192.168.20.254:1532   204.245.162.17:80     10.1.1.100:49814     204.245.162.17:80
TCP    192.168.20.254:1541   23.1.203.120:443      10.1.1.100:35459     23.1.203.120:443
TCP    192.168.20.254:1533   204.245.162.17:80     10.1.1.100:58861     204.245.162.17:80
TCP    192.168.20.254:1537   204.245.162.17:80     10.1.1.100:42072     204.245.162.17:80
TCP    192.168.20.254:1542   66.235.147.77:80      10.1.1.100:44107     66.235.147.77:80
TCP    192.168.20.254:1535   192.150.16.58:80      10.1.1.100:33153     192.150.16.58:80

4. Appendix

4.1 Running-Configuration

The complete running-configuration of the RFS4000 used in this guide follows. It is a lab configuration: the management-policy carries the default admin and operator passwords in the clear, a read-only SNMP community of public and SNMPv3 users with MD5/DES. Change these before using the configuration on a device that has a public interface.

RFS4000 Running-Configuration:

!
! Configuration of RFS4000 version 5.3.0.0-088R
!
!
version 2.1
!
!
ip access-list CACHE
 permit tcp 192.168.20.0/24 any eq www rule-precedence 20
!
ip access-list INTERNET-INBOUND
 deny ip any any log rule-precedence 100
!
ip access-list NAT
 deny tcp 192.168.20.0/24 host 192.168.26.10 eq www rule-precedence 10
 permit ip 192.168.20.0/24 any rule-precedence 50
 permit ip host 192.168.26.10 any rule-precedence 60
!
firewall-policy default
!
!
mint-policy global-default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
ap300 default-ap300
 interface radio1
 interface radio2
!
dhcp-server-policy default
 dhcp-pool vlan20
  network 192.168.20.0/24
  address range 192.168.20.100 192.168.20.254
  domain-name tmelabs.local
  default-router 192.168.20.1
  dns-server 208.67.222.222 208.67.220.220
!
!
management-policy default
 no http server
 https server
 ssh
 user admin password 0 motorola role superuser access all
 user operator password 0 operator role monitor access all
 no snmp-server manager v2
 snmp-server community public ro
 snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
 snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
 snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
!
routing-policy PBR
 route-map 1
  match ip-access-list CACHE
  match incoming-interface vlan20
  next-hop 192.168.26.10
!
l2tpv3 policy default
!
profile rfs4000 default-rfs4000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface radio1
 interface radio2
 interface up1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge2
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge3
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge5
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface wwan1
 interface pppoe1
 use firewall-policy default
 logging on
 service pm sys-restart
 router ospf
!
rf-domain default
 no country-code
!
rfs4000 00-23-68-22-9D-E4
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-1
 license AP DEFAULT-6AP-LICENSE
 interface ge1
  switchport mode access
  switchport access vlan 20
 interface ge2
  switchport mode access
  switchport access vlan 20
 interface ge3
  switchport mode access
  switchport access vlan 20
 interface ge4
  switchport mode access
  switchport access vlan 26
 interface ge5
  description INTERNET
  switchport mode access
  switchport access vlan 4094
 interface vlan20
  description USERS
  ip address 192.168.20.1/24
  ip nat inside
 interface vlan26
  description CACHE
  ip address 192.168.26.1/24
  ip nat inside
 interface vlan4094
  description INTERNET
  ip address dhcp
  ip dhcp client request options all
  use ip-access-list in INTERNET-INBOUND
  ip nat outside
 use dhcp-server-policy default
 logging on
 logging console warnings
 logging buffered warnings
 ip nat inside source list NAT interface vlan4094 overload
 use routing-policy PBR
!
!
end
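The verification outputs of section 3 can be checked mechanically rather than by eye. The following Python script is an added example, not part of the how-to or of WiNG: it parses show route-maps and show ip nat translations verbose output (samples abridged from the outputs in sections 3.2 and 3.3, plus one constructed mismatch case) and flags the condition the text says should not occur, namely user HTTP sessions appearing in the NAT table while the route-map reports the cache server UP. The output formats are assumed to be exactly those shown in section 3.

```python
# Added example: parsers for the "show route-maps" and "show ip nat
# translations verbose" outputs of section 3, with a cross-check. Not WiNG
# code. The first two samples are abridged from sections 3.2 and 3.3; the
# mismatch case at the bottom is constructed.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

USER_NET = ip_network("192.168.20.0/24")
CACHE_SERVER = ip_address("192.168.26.10")
ROUTE_MAP_RE = re.compile(r"Route Map (\d+) primary next-hop: (\S+), status (\S+)")
HITCOUNT_RE = re.compile(r"HITCOUNT (\d+)")

ROUTE_MAPS_UP = """\
rfs4000-1# show route-maps
-------------------------------------------------------------------------------
Route Map 1 primary next-hop: 192.168.26.10, status UP (Gateway monitoring)
 Rules:
  Incoming interface: vlan20
  permit tcp 192.168.20.0/24 any eq www HITCOUNT 654
"""
ROUTE_MAPS_DOWN = ROUTE_MAPS_UP.replace("status UP", "status UNREACHABLE")

NAT_NORMAL = """\
rfs4000-1# show ip nat translations verbose
PROTO ACTUAL SOURCE ACTUAL DESTINATION NATTED SOURCE NATTED DESTINATION
---------------------------------------------------------------------------------------
TCP 192.168.26.10:60174 204.245.162.17:80 10.1.1.100:56602 204.245.162.17:80
UDP 192.168.26.10:46225 208.67.222.222:53 10.1.1.100:42270 208.67.222.222:53
TCP 192.168.26.10:37299 192.150.16.64:80 10.1.1.100:45744 192.150.16.64:80
TCP 192.168.20.254:1515 98.139.240.23:443 10.1.1.100:55203 98.139.240.23:443
TCP 192.168.20.254:1513 23.1.203.120:443 10.1.1.100:33671 23.1.203.120:443
"""
NAT_FAILOVER = """\
rfs4000-1# show ip nat translations verbose
PROTO ACTUAL SOURCE ACTUAL DESTINATION NATTED SOURCE NATTED DESTINATION
---------------------------------------------------------------------------------------
TCP 192.168.20.254:1536 192.150.16.58:80 10.1.1.100:46728 192.150.16.58:80
UDP 192.168.20.254:1031 208.67.222.222:53 10.1.1.100:45364 208.67.222.222:53
TCP 192.168.20.254:1538 204.245.162.17:80 10.1.1.100:61602 204.245.162.17:80
TCP 192.168.20.254:1545 98.139.241.94:443 10.1.1.100:47124 98.139.241.94:443
"""

def parse_route_maps(text):
    """[{'map': 1, 'next_hop': '192.168.26.10', 'status': 'UP', 'hitcount': 654}]"""
    maps = []
    for line in text.splitlines():
        m = ROUTE_MAP_RE.search(line)
        if m:
            maps.append({"map": int(m.group(1)), "next_hop": m.group(2),
                         "status": m.group(3), "hitcount": 0})
            continue
        h = HITCOUNT_RE.search(line)
        if h and maps:
            maps[-1]["hitcount"] = int(h.group(1))
    return maps

def parse_nat_translations(text):
    """(proto, src_ip, src_port, dst_ip, dst_port) per translation row;
    prompt, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("TCP", "UDP"):
            continue
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        rows.append((parts[0], ip_address(src_ip), int(src_port),
                     ip_address(dst_ip), int(dst_port)))
    return rows

def check_redirection(route_maps_text, nat_text):
    """While route-map 1 reports the cache server UP, no user TCP/80 session
    should appear in the NAT table: such entries mean HTTP is bypassing the
    cache, i.e. the route-map is not selecting it."""
    maps = parse_route_maps(route_maps_text)
    stats = Counter(cache_origin=0, user_http_direct=0, user_other_direct=0)
    for proto, src, _sport, _dst, dport in parse_nat_translations(nat_text):
        if src == CACHE_SERVER:
            stats["cache_origin"] += 1
        elif src in USER_NET and proto == "TCP" and dport == 80:
            stats["user_http_direct"] += 1
        elif src in USER_NET:
            stats["user_other_direct"] += 1
    cache_up = any(m["next_hop"] == str(CACHE_SERVER) and m["status"] == "UP"
                   for m in maps)
    ok = not (cache_up and stats["user_http_direct"] > 0)
    return {"cache_up": cache_up, "ok": ok, **stats}

if __name__ == "__main__":
    print("normal:   ", check_redirection(ROUTE_MAPS_UP, NAT_NORMAL))
    print("failover: ", check_redirection(ROUTE_MAPS_DOWN, NAT_FAILOVER))
    print("mismatch: ", check_redirection(ROUTE_MAPS_UP, NAT_FAILOVER))
```

The normal and failover samples both pass; the constructed mismatch (route-map UP, yet user port 80 sessions NATted directly) fails, which is the symptom to look for when the CACHE ACL or the incoming-interface match has been mis-typed. The check does not cover the case the note in section 2.4.1 describes, where the host answers ARP and ICMP but the caching service is down: in that case nothing reaches the NAT table, and HITCOUNT keeps rising while users see no HTTP content.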