Endpoint Independent Filtering (EIF) is used to filter inbound / incoming traffic from the WAN / Internet towards a known public IP and port tuple. Since EIF does not depend on the remote endpoint, Versa FlexVNF allows traffic from all hosts towards the published IP and port. A variant of this technique called Endpoint Dependent Filtering (EDF) allows traffic only from configured endpoints on the Internet.
Configuration
admin@Site2Branch1-cli(config)% show orgs org-services ServiceProvider cgnat
pools {
    Failover-Pool-ISPA-Network {
        routing-instance ISPA-Network-Transport-VR;
        egress-network [ ISPA-Network ];
        address-allocation round-robin;
        source-port {
            allocation-scheme range-based;
            random-allocation;
            range {
                low 1024;
                high 32000;
            }
        }
    }
}
rules {
    From_Redundant_To_ISPA-Network_Traffic {
        precedence 1;
        from {
            source-zone [ Intf-ISPA-Network-Failover-Zone ];
            destination-zone [ Intf-ISPA-Network-Zone ];
            routing-instance ISPA-Network-Transport-VR;
            source-address [ 172.16.255.2/32 ];
        }
        then {
            translated {
                translation-type napt-44;
                source-pool Failover-Pool-ISPA-Network;
                filtering-type endpoint-independent;
            }
        }
    }
}
Verification
Use the following operational command to view the active Endpoint Independent Filters on Versa FlexVNF. The reference-count field in the output indicates the number of sessions from outside that are currently admitted through this EI filter.
admin@Site2Branch1-cli> show orgs org-services ServiceProvider cgnat ei-filters | notab
cgnat ei-filters 70.70.10.2 12138
    private-ip      172.16.255.2
    private-port    4790
    pool-name       Failover-Pool-ISPA-Network
    reference-count 6
    vsn-id          0
Use Case
1. EIF is useful for P2P applications such as BitTorrent. In the case of BitTorrent, a user first connects to a tracker. The tracker registers the user's public IP and port and notifies all other peers about it. Other peers then initiate connections towards the advertised public IP and port. If EIF is not enabled, the firewall drops these inbound connections.
2. EIF, together with Endpoint Independent Mapping (EIM), keeps NAT pinholes active and allows traffic in either direction.
Refer to RFC 4787 (Section 5) to learn more about EIF.
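The following toy model illustrates the BitTorrent use case above: the inside host 172.16.255.2:4790 is mapped to 70.70.10.2:12138, contacts a tracker, and three other peers then connect inbound. With filtering-type endpoint-independent all three are admitted and the reference count grows; with endpoint-dependent filtering only peers the inside host already contacted get through. This is an added example, not Versa code; the tracker and peer addresses are constructed, and EDF is modelled as address-and-port-dependent filtering in the sense of RFC 4787.

```python
# Toy model of CGNAT inbound filtering (EIF vs EDF); added example, not Versa code.
# Assumptions: one mapping per (public_ip, public_port), created by the first outbound
# packet (EIM); filtering_type 'endpoint-independent' = EIF, anything else = EDF modelled
# as address-and-port-dependent (RFC 4787); reference_count mirrors the CLI column.
from dataclasses import dataclass, field

@dataclass
class EiFilter:
    private_ip: str
    private_port: int
    pool_name: str
    filtering_type: str
    known_peers: set = field(default_factory=set)  # (ip, port) the inside host has sent to
    reference_count: int = 0                        # inbound sessions admitted so far

class CgnatTable:
    def __init__(self):
        self.filters = {}  # (public_ip, public_port) -> EiFilter

    def outbound(self, private, public, peer, pool, filtering_type):
        """Inside host -> WAN: create the mapping on first use and record the peer."""
        f = self.filters.setdefault(public, EiFilter(private[0], private[1], pool, filtering_type))
        f.known_peers.add(peer)

    def inbound(self, src, public):
        """WAN -> public tuple: return the private (ip, port) if admitted, else None."""
        f = self.filters.get(public)
        if f is None:
            return None  # no pinhole at all: dropped
        if f.filtering_type != 'endpoint-independent' and src not in f.known_peers:
            return None  # EDF: peer never contacted from inside, dropped
        f.reference_count += 1  # admitted session, like the CLI reference-count
        return (f.private_ip, f.private_port)

def show_ei_filters(table):
    """Rows resembling 'show orgs org-services <org> cgnat ei-filters' output."""
    return [f"cgnat ei-filters {ip} {port} private-ip {f.private_ip} private-port "
            f"{f.private_port} pool-name {f.pool_name} reference-count {f.reference_count}"
            for (ip, port), f in table.filters.items()]

def bittorrent_scenario(filtering_type):
    """Inside host registers with a tracker, then three peers connect inbound.
    Returns (peers admitted, table); all addresses are constructed."""
    nat = CgnatTable()
    private, public = ('172.16.255.2', 4790), ('70.70.10.2', 12138)
    nat.outbound(private, public, ('203.0.113.10', 6969), 'Failover-Pool-ISPA-Network', filtering_type)
    peers = [('198.51.100.5', 51413), ('198.51.100.6', 6881), ('192.0.2.77', 50000)]
    admitted = sum(1 for p in peers if nat.inbound(p, public) is not None)
    return admitted, nat
```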