Subnets Tab
Click here to see this page in full context

Spirent Avalanche 5.46 February 29, 2024

Subnets Tab

Use the Subnets tab to configure subnet profiles. The tab contains a table that you maintain by adding and removing rows, whereby each row defines a different subnet profile. Below the table are several sub-tabs that you can use to define static routing, IP fragmentation, realism, PPP/PPPoE, DHCP, GTP, DS-Lite, PilotPkt, IPv6OverIPv4, IPSec, SSL VPN, VLAN, and VxLAN for one or more selected profiles. For information about flat subnets, see Generating Flat Subnets.

NOTES:

  • If you are not licensed for IPSec, this tab will be hidden, as well as the columns in the Subnets table that are specific to IPSec.
  • When using IPSec on the server side (IPv4 or IPv6), only FQDN and IP address types are supported for ISAKMP ID Type.
  • In an overlapping subnet, the data may not be distributed uniformly across all hosts. Each host’s data rate is dependent on the way in which the load generator distributes the load across the various associations while generating traffic.
  • See the Client Subnet Validation Rules and Server Subnet Validation Rules tables for the subnets/association rules with respect to disabled/enabled per-host statistics, IP ranges, and flat subnets.

IMPORTANT: You can specify some of the fields that appear in the Subnets tab by selecting Subnet Profiles preferences in the Preferences Tool. You can also use the VLAN, MAC, and IPSec checkboxes that appear on the tab to cause the associated fields to appear. Your selections update the settings in both locations.

The Subnets tab contains information about the following:

TIP: When editing the Subnets table, double-click a field to edit an individual entry, or take advantage of right-click commands to add, delete, and copy rows in the table. Additionally, you can select a range of rows and then right-click a column and use the Fill Increment or Fill Decrement commands to automatically enter values for various fields. See Subnets Tab Right-Click Short-Cuts for more information.

Field Description
Table:
Show Subnet Profiles using Select either IPv4 or IPv6 based on the IP version of your subnets. The Subnets table columns will vary depending on your selection. (The Field column in this documentation indicates "IPv4 only" or "IPv6 only" where appropriate.) Refer to the following RFCs for more information on IPv6:
  • RFC 2460 - Internet Protocol, Version 6 (IPv6) Specification
  • RFC 3513 - Internet Protocol Version 6 (IPv6) Addressing Architecture

NOTE: Every IPv6 host that Avalanche simulates has a link local address that is system generated. The GUI only supports setting global IPv6 addresses.
VLAN Select to display the VLAN subtab and configuration fields. You can also choose to display these fields by using the Subnet Profiles preferences.
MAC

Select to display MAC configuration fields. You can also choose to display these fields by using the Subnet Profiles preferences.
IPSec Select to display the IPSec subtab and configuration fields. You can also choose to display these fields by using the Subnet Profiles preferences.
Buttons

Use the Global Settings button to launch the IPSec Global Rekey Settings window, in which you can specify global settings to initiate IPSec re-key connections across all tunnels simultaneously.

Use the Policy Generator button (Client Subnet only) to launch the IPSec Policy Generator Wizard, which simplifies the task of creating a large number of subnets with varying IPSec policy settings.

Use the following buttons to select a specific row in a range of rows selected in the table. The selected row is the one to which tab settings, such as Static Routing are applied.
  • Previous Select the previous row.
  • Next Select the next row.
  • Apply Apply all. Applies tab settings to all of the rows selected in a range of rows.
  • Add Subnet Add a row to the end of the table.
  • Delete Subnet Remove the selected row.
RowID Incremental row number. (This field is read-only.)
Subnet Name The name uniquely identifies the subnet configuration. To add a new profile, right-click the blank row, and select Add Row, or click the Add Subnet button. A row with default entries appears.

NOTE: Subnet profile names must be unique across IPv4 and IPv6 subnets. If you attempt to rename any profile to a name that already exists, a duplicate name error appears.

TIP: To create a new profile based on an existing one, right-click the row that you want to copy, and then select Copy Row(s). A new row is added to the end of the table. For more information, see Subnets Tab Right-Click Short-Cuts.
IPv4 Fields:
IP Address (Range) (IPv4 only) (Client Subnet only) Enter an IPv4 address or a range of IPv4 addresses from which you want to generate traffic for your test ports. Use CIDR notation. To change a range of rows, select the rows, right-click and use the commands that appear.

NOTE: Avalanche uses only the address or addresses that you specify to emulate clients. However, all addresses in the subnet are assigned to the parent interface for packet routing purposes. Therefore, do not assign the same addresses to more than one subnet unless you plan to generate a flat subnet.

Example

The ranges 192.168.1.1-192.168.1.10 and 192.168.1.11-192.168.1.20 do not overlap, but subnets 192.168.1.1-192.168.1.10/24 and 192.168.1.11-192.168.1.20/24 actually belong to the same subnet because of the netmask bits, and are therefore bound to the same interface.

If you generate a flat subnet, the second range is acceptable.
Netmask (IPv4 only) Enter the number of bits in the network part of the address. For example, /24 represents 255.255.255.0, while /16 represents 255.255.0.0. You do not need to enter the slash (/).
Network (IPv4 only) Enter the network address of your subnet, using CIDR notation. To change a range of rows, select the rows, right-click and use the commands that appear.
Default Gateway (IPv4 or IPv6)

Select to enable the Default Gateway option. By default, the first address of the IP range associated with the subnet appears in the Gateway Address field after you select this option. (See the next field.) Selecting Default Gateway also enables the Enable Static Routing Checkbox in the Static Routing tab.

NOTE: When using IPSec, if the IPSec client or the IPSec local gateway is in the same subnet as the IPSec remote gateway, then you should not enable the Default Gateway option.
Gateway Address (IPv4 or IPv6) The IP address of the default gateway for the selected subnet. This address is based on the IP address range of the subnet. The address also appears as an read-only entry in the Static Routing table. To specify additional static routes for the subnet, use the Static Routing fields.
MAC Byte 1 Byte 2 (IPv4 only)

Select the MAC option to enable MAC masquerading. Enter HEX values in the Byte 1 and Byte 2 fields, to use a separate MAC address for each emulated client or server. The first two bytes are as configured. The remaining four bytes are equivalent to the IP address of the client or server.

NOTES:

  • Deselect this option if you want to use the manufactured MAC address of the NIC. Each interface uses the internal hardware MAC address for all IP addresses used on that interface.
  • The client's or server's MAC address is only visible on the network if the interface on which this subnet is configured does not have an on-board virtual router configured.
  • The MAC address specified must not be a multicast address. That is, the first byte must be an even number.
  • If you enable PPP/PPPoE, then the MAC option is automatically enabled. Disable it on the Server Subnets tab if you are using the PPP/PPPoE option.
Randomize IP (IPv4 only) (Client Subnet only) Select if you want Avalanche to randomly select an IP address from the IP address range. If you do not select this option, Avalanche selects the IP address sequentially.
IPv6 Fields: (Use the Show Subnet Profiles using field to define an IPv6 subnet.)
Static Addressing (IPv6 only) Select to specify an IPv6 address (or range). This enables the IPv6 Address (Range) field below.

NOTE: If you do not use static addressing, then you must use the MAC address fields to configure the IPv6 address.
IPv6 Address (Range) (IPv6 only) Enter an IPv6 address or a range of IPv6 addresses from which you want to generate traffic for your test ports. Use colon hexadecimal notation.
 

Example

3FFE::0200:FF:FE00:1-3FFE::0200:FF:FE00:FF
Assign Prefix (IPv6 only)

An IPv6 prefix indicates the fixed part of the address. (As in IPv4 CIDR notation, this defines the network portion of the address.)

Select to specify an IPv6 address range using an IPv6 prefix address and prefix length. This enables the Prefix Address and Prefix Length fields.

NOTE: The Prefix Address and Prefix Length fields apply to the MAC address fields for configuring the IPv6 address.
Prefix Address (IPv6 only)

Enter an IPv6 prefix address using colon hexadecimal notation.

Example

Prefix Address = 3FFE::0

Interface ID = 200:FF:FE00:101-200:FF:FE00:1FF

Prefix Length = 64 bits

The first address in the range would be 3FFE::200:FF:FE00:101.
Prefix Length (IPv6 only) Enter an IPv6 prefix length in bits, from 0 to 128. (See the example for the Prefix Address field.)
MAC Start Address (IPv6 only)

NOTE: To use the MAC address fields to configure the IPv6 address, the Static Addressing checkbox must be unchecked.
The starting MAC address in the range used for generating IPv6 host addresses. To change a range of rows, select the rows, right-click and use the commands that appear.

NOTE: Avalanche supports link-local addressing without the need for an IPv6 router, using the FE80:: standard prefix, and the suffix determined by the MAC address (EUI-64).
# Host (IPv6 only) The number of IPv6 hosts.
MAC End Address (IPv6 only) The ending MAC address in the range used for generating IPv6 host addresses.
MLD Version (Client IPv6 only) The version of Multicast Listener Discovery (MLD) that controls multicast channels for IPv6. This version will be used in Video On Demand (VoD) Multicast tests. The available versions are 1 and 2.

NOTE: When using IPv6 in a multicast test, you must use link-local IPv6 source addresses for client subnets. See RFC 3810, Multicast Listener Discovery Version 2 (MLDv2) for IPv6, for more information.
Disable DAD (IPv6 only) Select to omit the Duplicate Address Detection (DAD) function for IPv6 when a host attempts to claim an IPv6 address. This will avoid delays that occur with the DAD protocol, which specifies that the host send two inquiries before the host can claim the address for itself.
VLAN Fields:

VLAN

Inner VLAN ID

Select the VLAN option and enter a VLAN ID to include a VLAN tag with the specified ID in every packet transmitted from this subnet.

If you use VLAN stacking via the VLAN subtab, this field is the inner VLAN ID, and the field displays "(QinQ)" next to the value.

NOTES:

  • When you enable the VLAN option, at least one VLAN ID must be specified.
  • The valid range for a VLAN ID is 0 – 4094, and the default is 1.

IMPORTANT: In the current Avalanche release, when using IPv6, the NDP (Neighbor Discovery Protocol) will validate the VLAN ID of the incoming NS (Neighbor Solicitation) message against that of the target host. If the VLAN IDs do not match, no NA (Neighbor Advertisement) message will be sent. This behavior is different from that of ARP (Address Resolution Protocol) in IPv4.
SSL VPN Fields:
Enable SSL VPN

Select to enable SSL VPN for this subnet. You enter additional SSL VPN parameters in the SSL VPN tab.

NOTES:

  • Selecting this feature disables any other features that use tunnels. For example, you cannot enable SSL VPN and Enable IPSec at the same time.
  • The Avalanche SSL VPN server does not use the user name, password, and group name/Unique ID parameters configured on the client side. (All users are allowed.)
  • You can configure multiple application servers for the same SSL VPN tunnel when they use the same subnet.
 VxLAN Fields:
 Enable VxLAN

A Virtual eXtensible Local Area Network (VXLAN) provides an encapsulation scheme, whereby a Layer 2 network overlays a Layer 3 network. This encapsulation means a VXLAN is also considered a tunneling scheme.

Select to enable VXLAN for this subnet. You enter additional VXLAN parameters in the VxLAN tab.

NOTES:

  • For more information, see RFC 7348, Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks.
  • Selecting this feature disables any other features that use tunnels. For example, you cannot enable VxLAN and Enable IPSec at the same time.
  • VxLAN is not currently supported for an IPv6 subnet.
  • You must enable MAC masquerading when using this feature. This applies to the overlay MAC address. The underlay MAC address will always be the physical MAC address of the NIC.
  • CyberFlood Virtual (CFv) Cloud and most CFv instances are not supported with this feature, as it requires MAC masquerading.
GTP Fields:
Enable GTP

GPRS Tunneling Protocol (GTP) is a group of IP-based communications protocols used to carry general packet radio service (GPRS). It allows end users of a GSM (Global System for Mobile Communications) or UMTS (Universal Mobile Telecommunications System) network to move from place to place, while continuing to connect to the Internet, as if from one location at the GGSN (gateway GPRS support node).

The Avalanche GTP implementation allows you to test your Layer 4-7 devices that are running in GPRS core networks, such as firewalls, intrusion detection and prevention systems (IDS/IPS), deep packet inspectors (DPI), and load balancers. The Avalanche client emulates SGSN (serving GPRS support node) Gn interface functionality, and the Avalanche server emulates GGSN Gn interface functionality.

Select to enable GTP for this subnet. You enter additional GTP parameters in the GTP tab.

NOTES:

  • Selecting this feature disables any other features that use tunnels. For example, you cannot enable GTP and Enable IPSec at the same time.
  • Selecting this feature disables the following fields in the client subnets table:

    • IP Address (Range)

    • Netmask

    • Network

    • Randomize IP

    • Enable DS-Lite

    • Enable IPSec

  • Selecting this feature disables the following fields in the server subnets table:

    • Gateway Address

    • Enable DS-Lite

    • Enable IPSec

  • One or multiple one-to-one SGSN to GGSN pairs are supported.
  • Inner and outer IP fragmentation/defragmentation are supported.
  • The following protocols are supported over GTP: HTTP, HTTPS, FTP, Telnet, SIPNG, POP3, RTSP, DNS, SAPEE, ThreatEx (excludes raw attack), MMS, IMAP4, CIFSNG, SMTP, Unicast Streaming.
  • IPv4 and IPv6 subnet profiles are supported.
  • The following are not supported by GTP in the current Avalanche release:
    • Mobility, tunnel handover, and GTP nodes authentication
    • GTP over PPPoE or IPSec
DS-Lite Fields:
Enable DS-Lite

Dual Stack Lite (DS-Lite) supports IPv4 over IPv6 network stacks. That is, it creates IPv4 clients over an IPv6 link. Avalanche simulates two gateways to send and receive DS-Lite packets, using a tunneling method.

Select to enable Dual Stack Lite (DS-Lite) for this subnet. You enter additional DS-Lite parameters in the DS-Lite tab.

NOTES:

  • Selecting this feature disables any other features that use tunnels. For example, you cannot enable DS-Lite and Enable IPSec at the same time.
  • When configuring tests with DS-Lite enabled, an IPv4 MSS value greater than 1420 may cause fragmentation, affecting performance. (The default is 1460.) You should set the IPv4 MSS in the Client Network, Server Network, or Server Profile tab accordingly.
  • An entire subnet range shares one IPv6 DS-Lite address, which is determined by the subnet number.
  • The following are not supported by DS-Lite in the current Avalanche release:
    • IPv6 extension headers for options (generally, not supported by Avalanche)
    • DS-Lite statistics
    • IPv6 fragments
    • DHCP and auto-configuration methods (IPv4 and IPv6 addresses must be statically defined)
IPv6OverIPv4 Fields:
Enable IPv6OverIPv4 (IPv6 only)

IPv6 rapid deployment (6rd) is a mechanism used by an Internet service provider (ISP) to rapidly deploy IPv6 unicast service to IPv4 sites to which it provides customer-premises equipment (CPE). It is derived from 6to4, a preexisting mechanism to transfer IPv6 packets over the IPv4 network.

NOTE: See RFCs 5569, 5969, and 3056, for more information on 6rd and 6to4.

The Avalanche IPv6OverIPv4 implementation creates a tunnel to encapsulate IPv6 packets. It supports both 6rd and 6to4 methods of calculating the IPv6 addresses. IPv6OverIPv4 supports most application layer protocols that Avalanche supports.

Select to enable IPv6OverIPv4 for this subnet. You enter additional IPv6OverIPv4 parameters in the IPv6OverIPv4 tab.

NOTES:

  • This feature applies only to IPv6 subnets.
  • Selecting this feature disables any other features that use tunnels. For example, you cannot enable IPv6OverIPv4 and Enable IPSec at the same time.
IPSec Fields:
Enable IPSec

Select to enable IPSec for this subnet. You enter additional Avalanche VPN parameters in the IPSec tab.

NOTE: When using flat subnetting with IPSec, be sure to configure the DUT accordingly. If you want to configure tunnel end hosts on the same subnet over different interfaces, do the following:

  • Enable flat subnetting in the Associations tab
  • Split the original subnet into two or more interfaces
  • Use non-overlapping IP addresses

The Local Gateway IP address will be the same for all interfaces across which the subnet was split. When you run the test for a Site-to-Site scenario, a new IPSec local gateway will be created for each interface in that subnet, resulting in one tunnel per interface. For Remote Access, one tunnel will be created per host, as usual.
Remote Access Select to specify a Remote Access scenario. Deselect to specify a Site-to-Site scenario.
Vendor ID

Select to enable the Vendor ID options in the IPSec tab. The Vendor ID Payload contains a vendor-defined constant. Vendors use this constant to identify and recognize remote instances of their implementations. See the following RFCs for more information:

  • RFC 2408 - Internet Security Association and Key Management Protocol (ISAKMP)
  • RFC 4306 - Internet Key Exchange (IKEv2) Protocol

NOTE: Both IKEv1 and IKEv2 are supported.
Gateway Version

The IP version of the gateways. (Enabled only for the Site-to-Site tunnel.)

Select to display a drop-down menu with these options:

  • IPV4
  • IPV6

NOTE: For an IPv6 subnet, this field is set to IPV6, and cannot be changed.
Local Gateway The IP address of the local gateway. (Enabled only for the Site-to-Site tunnel.)

NOTE: Dotted notation format is used for IPv4 and colon notation for IPv6. For IPv6, you can enter a global address. Otherwise, if you leave this field empty (that is, "::"), no global address is used, but a link local address is derived from the MAC address below.
MAC Address The MAC address of the local gateway. (Enabled only for the Site-to-Site tunnel.)
Remote Gateway The IP address of the remote gateway.

NOTE: Dotted notation format is used for IPv4 and colon notation for IPv6.
IKE Version

The version of IKE to use to establish SAs.

Select to display a drop-down menu with these options:
ISAKMP ID Type

The type of ISAKMP (Internet Security Association and Key Management Protocol) identification payload that corresponds to the ISAKMP ID field.

NOTE: On the server side, only FQDN and IP address types are supported for the ISAKMP ID type.

Select to display a drop-down menu with these options:

  • IPv4 Address-A single four (4) octet IPv4 address.
  • FQDN-A fully-qualified domain name string, such as foo.bar.com.
  • User FQDN-A fully-qualified username string, such as piper@foo.bar.com.
  • IPv4 Address Subnet-A range of IPv4 addresses, represented by two four (4) octet values. The first value is an IPv4 address, and the second value is an IPv4 network mask. Ones (1s) in the network mask indicate that the corresponding bit in the address is fixed, while zeros (0s) indicate a wildcard bit.
  • IPv6 Address-A single sixteen (16) octet IPv6 address.
  • IPv6 Address Subnet-A range of IPv6 addresses, represented by two sixteen (16) octet values. The first value is an IPv6 address, and the second value is an IPv6 network mask. Ones (1s) in the network mask indicate that the corresponding bit in the address is fixed, while zeros (0s) indicate a wildcard bit.
  • IPv4 Address Range-A range of IPv4 addresses, represented by two four (4) octet values. The first value is the beginning IPv4 address (inclusive), and the second value is the ending IPv4 address (inclusive). All addresses falling between the two specified addresses are considered to be within the list.
  • IPv6 Address Range-A range of IPv6 addresses, represented by two sixteen (16) octet values. The first value is the beginning IPv6 address (inclusive), and the second value is the ending IPv6 address (inclusive). All addresses falling between the two specified addresses are considered to be within the list.
  • DER ASN1 DN-The binary DER encoding of an ASN.1 X.500 Distinguished Name [X.501] of the principal whose certificates are being exchanged to establish the SA.

    NOTE: When using DER ASN1 DN as the ISAKMP ID Type, you can either configure the ISAKMP ID in the subnet or leave it blank. If configured, it should follow the DER ASN1 DN syntax, as in the following example:

    C=US, OU=Public Safety, CN=su1

    Otherwise, if left blank, Avalanche will get the ISAKMP ID from digital certificates.
  • DER ASN1 GN-The binary DER encoding of an ASN.1 X.500 General Name [X.509] of the principal whose certificates are being exchanged to establish the SA.
  • KEY ID-An opaque byte stream for passing vendor-specific information necessary to identify which pre-shared key should be used to authenticate Aggressive mode negotiations.
ISAKMP ID A string representing the ISAKMP identification payload, used as an identifier.

NOTE: This string should be consistent with the ISAKMP ID Type selected.
D-H Group

The Diffie-Hellman group for Phase 1. The size of the group determines the level of security of the Diffie-Hellman key exchange. (The higher the group number, the greater the security.) The groups use traditional exponentiation over a prime modulus (MODP). These options are key exchanges only, and do not encrypt the data.

Select to display a drop-down menu with the following options for both IKEv1 and IKEv2:

  • Group 1 (MODP-768): 768-bit Modular Exponential (MODP) Group
  • Group 2 (MODP-1024): 1024-bit MODP Group
  • Group 5 (MODP-1536): 1536-bit MODP Group
  • Group 14 (MODP-2048): 2048-bit MODP Group
  • Group 15 (MODP-3072): 3072-bit MODP Group
  • Group 16 (MODP-4096): 4096-bit MODP Group
  • Group 19 (ECP-256): 256-bit Random Elliptic Curve Group modulo a Prime (ECP Group)
  • Group 20 (ECP-384): 384-bit Random ECP Group
  • Group 21 (ECP-521): 521-bit Random ECP Group
  • Group 24 (MODP-2048-256): 2048-bit MODP Group with 256-bit Prime Order Subgroup
Hash

The hash authentication method used for Phase 1 to verify that the packets being received were sent by the stated source.

Select to display a drop-down menu with the following options, depending on the IKE Version:

  • IKEv1
    • MD-5: A message-digest algorithm that derives a secure, irreversible, cryptographically strong hash value. This is considered less secure than SHA-1.
    • SHA-1: The Secure Hash Algorithm version one, part of the U.S. Digital Signature Standard (DSS). This algorithm is considered very secure.
    • SHA-256: The Secure Hash Algorithm version two that uses a 256-bit digest, part of the U.S. Digital Signature Standard (DSS). This algorithm is considered very secure.
    • SHA-384: The Secure Hash Algorithm version two that uses a 384-bit digest, part of the U.S. Digital Signature Standard (DSS). This algorithm is considered very secure.
    • SHA-512: The Secure Hash Algorithm version two that uses a 512-bit digest, part of the U.S. Digital Signature Standard (DSS). This algorithm is considered very secure.
  • IKEv2
    • MD-5: See description above.
    • SHA-1: See description above.
    • SHA-256: A Secure Hash Algorithm that uses AUTH_HMAC_SHA2_256_128 as the integrity algorithm, as well as PRF-HMAC-SHA-256 (Pseudo-Random Function).
    • SHA-384: A Secure Hash Algorithm that uses AUTH_HMAC_SHA2_384_192 as the integrity algorithm, as well as PRF-HMAC-SHA-384.
    • SHA-512: A Secure Hash Algorithm that uses AUTH_HMAC_SHA2_512_256 as the integrity algorithm, as well as PRF-HMAC-SHA-512.
    • AES-XCBC-MAC: An Advanced Encryption Standard (AES) Message Authentication Code (MAC) algorithm in Cipher-Block-Chaining mode with a set of extensions (XCBC) to overcome the security limitation presented by messages of varying lengths.
Encryption

The encryption method used for Phase 1 to transform the payload data in the packets from an intelligible form (plaintext) into an unintelligible form (ciphertext), and back.

Select to display a drop-down menu with these options, depending on the IKE Version:

  • IKEv1
    • DES-CBC: The Data Encryption Standard (DES), defined by the U.S. government, in Cipher-Block-Chaining (CBC) mode. DES is a symmetric 64-bit block cipher that uses a 56-bit key.
    • 3DES-CBC: A variant of DES, the most accepted method, in CBC mode. 3DES is a combined set of two DES keys totaling 112 bits. Due to its larger size, 3DES is considered much more secure that DES.
    • AES-CBC-128: AES (Advanced Encryption Standard) in CBC mode, with a 128-bit key.
    • AES-CBC-192: AES in CBC mode, with a 192-bit key.
    • AES-CBC-256: AES in CBC mode, with a 256-bit key.
  • IKEv2
    • DES-CBC: See description above.
    • 3DES-CBC: See description above.
    • AES-CBC-128: See description above.
    • AES-CBC-192: See description above.
    • AES-CBC-256: See description above.
    • AES-128-GCM-8: AES in Galois/Counter Mode (GCM), with a 128-bit key, and 8-octet Integrity Check Value (ICV) size.
    • AES-256-GCM-8: AES in GCM, with a 256-bit key, and 8-octet ICV size.
    • AES-128-GCM-12: AES in GCM, with a 128-bit key, and 12-octet ICV size.
    • AES-256-GCM-12: AES in GCM, with a 256-bit key, and 12-octet ICV size.
    • AES-128-GCM-16: AES in GCM, with a 128-bit key, and 16-octet ICV size.
    • AES-256-GCM-16: AES in GCM, with a 256-bit key, and 16-octet ICV size.
Authentication

The authentication method for Phase 1. (Enabled for both the Site-to-Site and Remote Access scenarios.)

Select to display a drop-down menu with these options:

  • Preshared Key
  • Digital Certificates

NOTE:  This field is not applicable, if XAuth is set to "Checkpoint Hybrid."
Preshared Key The key string to be used when doing Preshared Key authentication (above).
XAuth (IKEv1 only)

The type of XAuth (Extended Authentication) for Phase 1. (Enabled only for the Remote Access scenario.)

Select to display a drop-down menu with these options:

NOTES:

  • On the server side, the only options supported are Generic and No XAuth.
  • For IPv6, the only option supported is Generic (for both client and server).
  • For Checkpoint Hybrid, the default Re-key Threshold is 55 seconds. Otherwise, the default is 30 seconds.
  • Generic: Supported by most IPSec gateways.
  • RemoteVPN: Commonly used to test Cisco IPSec gateways.
  • Nortel Contivity: Used to test Nortel Contivity gateways.
  • Checkpoint Hybrid: Used to test Checkpoint VPN-1 gateways.
  • No XAuth: Used for Remote Access scenarios in which tunnel establishment does not require XAuth.
  • No XAuth with ModeConfig: Used for Remote Access scenarios in which tunnel establishment does not require XAuth, but requires a configuration transaction.

    NOTES:  
Forms DB

(Client Subnet only) Select to use a forms database instead of the following fields. (These fields are disabled when you select this checkbox.)

Preshared Key

ISAKMP ID Types

ISAKMP ID Values

Group Name

Group Password

User Name

Password

Digital Certificate Filenames

Private Key Filenames

CA Cert Filenames

 

First, create a forms database file, and then select the forms database name that you created in the File field in the IPSec tab. (Enabled only for the Remote Access scenario.)

NOTES:

  • If desired, you can enter the same values for multiple rows. If you want to leave any column empty, enter a comma (,).
  • For the ISAKMP ID Types, enter an integer based on the order specified under the ISAKMP ID Type field, starting from one. For example, enter "1" for IPv4 Address, "2" for FQDN, and so on.

Example1

You configure a test to use Remote Access with three IPs/hosts in the subnet range. You select Generic XAuth, and you want to use different Preshared Key values, different usernames and passwords, different ISAKMP ID values, but the same ISAKMP ID Type for each IP in the subnet. Enter the values in the forms database as follows:

Preshared Key

ISAKMP ID Types

ISAKMP ID Values

Group Name

Group Password

User Name

Password

Digital Certificate Filenames

Private Key Filenames

CA Cert Filenames

Psk1

2

Id1

,

,

user1

pass1

,

,

,

Psk2

2

Id2

,

,

user2

pass2

,

,

,

Psk3

2

Id3

,

,

user3

pass3

,

,

,

 

Example2

You configure a test to use Remote Access (with any type of XAuth) and four IPs/hosts in the subnet range. You want to use unique digital certificates, keys, and CA certificates for each IP in the subnet.

Manually copy all the digital certificate and key files under the C:\Documents and Settings\...\Application Data\Avalanche\ProjectName\certs\ directory. Manually copy all the CA certificate files under the C:\Documents and Settings\...\Application Data\Avalanche\ProjectName\cacerts\ directory. Then enter the corresponding values in the forms database as follows:

,,,,,,,certfile1,keyfile1,cacert1

,,,,,,,certfile2,keyfile2,cacert2

,,,,,,,certfile3,keyfile3,cacert3

,,,,,,,certfile4,keyfile4,cacert4

NOTE: The Pass Phrase field in the IPSec tab is not supported in forms databases.
Group Name (IPv4 only) (Client Subnet only) The group name when the gateway is being used for multiple users. This is supported when the authentication mode is XAuth and set to RemoteVPN. (Enabled only for the Remote Access scenario.)
Group Password (IPv4 only) (Client Subnet only) The group password when the gateway is being used for multiple users. This is supported when the authentication mode is XAuth and set to RemoteVPN. (Enabled only for the Remote Access scenario.)
User Name The string base from which the user names are generated (e.g., User####) when the authentication mode is XAuth. (Enabled only for the Remote Access scenario.)

NOTE: The # wildcard is replaced with a counter, starting at 1. If you omit the wildcard (such as abc), then the same username (abc) applies for all the remote users. The maximum increment value is 9999. The following are examples:

  • abc# increments from 1 to 9 (abc1 - abc9), then rolls over.
  • abc## increments from 1 to 99 (abc1 - abc99), then rolls over.
  • abc#### increments from 1 to 9999 (abc1 - abc9999), then rolls over.
Password The string base from which the passwords are generated (e.g., Password####) when the authentication mode is XAuth. (Enabled only for the Remote Access scenario.)

NOTE: See the note above regarding the # wildcard.
Remote Network Ver (IPv6 only)

The IP version of the remote network. (Enabled only for the Remote Access scenario.)

Select to display a drop-down menu with these options:

  • IPV4
  • IPV6
Internal Addresses (IPv4 only) (Server Subnet only) An IPv4 address or range used for generating IPv4 addresses, depending on the IKE Version as follows:
Internal Netmask (IPv4 only) (Server Subnet only) The subnet mask for Internal Addresses.
Internal DNS1 (IPv4 only) (Server Subnet only) The primary DNS server's IP address for Internal Addresses.
Internal DNS2 (IPv4 only) (Server Subnet only) The secondary DNS server's IP address for Internal Addresses.
Internal IPv6 Prefix (IPv6 only)

(Server Subnet only) Enter an IPv6 prefix address using colon hexadecimal notation for the network specified by Internal IPv6 Addresses.

Example

Prefix Address = 3FFE::0

Interface ID = 200:FF:FE00:101-200:FF:FE00:1FF

Prefix Length = 64 bits

The first address in the range would be 3FFE::200:FF:FE00:101.
Internal Bits (IPv6 only) (Server Subnet only) Enter an IPv6 prefix length in bits, from 0 to 128 for the network specified by Internal IPv6 Addresses. (See the example for the Internal IPv6 Prefix field.)
Internal IPv6 Addresses  (IPv6 only) (Server Subnet only) The MAC address or range used for generating IPv6 addresses, depending on the IKE Version as follows:
Internal IPv6 DNS1 (IPv6 only) (Server Subnet only) The primary DNS server's IP address for the network specified by Internal IPv6 Addresses.
Internal IPv6 DNS2 (IPv6 only) (Server Subnet only) The secondary DNS server's IP address for the network specified by Internal IPv6 Addresses.
Static Routing Tab Fields (supported for IPv4 and IPv6, as specified by the Show Subnet Profiles using field, and indicated in the Field column below):
Enable Static Routing Select to emulate a router for this subnet.

IMPORTANT: Do not select this checkbox if you configured a virtual router in the Ports tab. If you use both a subnet and virtual router to configure routing, in most cases, the virtual router will take precedence.

Click the Add Route and Delete Route buttons to add and remove rows from the table that appear below the Static Routing tab; use the table to define static routing entries for IPv4 or IPv6 addresses as described below.
Network Address (IPv4 only) The IPv4 address of the network for which this routing table entry applies.
Netmask Bits (IPv4 only) The number of bits in the specified network that comprise the network part of the IPv4 address.
Prefix Address (IPv6 only)

The IPv6 prefix address of the network for which this routing table entry applies. Use colon hexadecimal notation.

Example

3FFE::FF:FE:00:00
Prefix Length (IPv6 only) Enter the IPv6 prefix length in bits, from 0 to 128.
Static Routing Gateway The IPv4 or IPv6 address of the gateway to which packets destined to the specified network should be sent.
Buttons

Add Route: Adds a row to the Static Routing table.

Delete Route: Deletes a selected row from the Static Routing table.
IP Fragmentation Tab Fields (supported for IPv4 and IPv6, as specified by the Show Subnet Profiles using field):
Enable IP Fragmentation Select to fragment all datagrams transmitted from this subnet.
Send Fragments in Reverse Order Select to transmit fragments in reverse order. This allows testing of worst-case reassembly scenarios.
IP Payload Fragment Size (bytes) The number of bytes contained in each fragment for the IP data only.

NOTE: You should ensure that the fragment size is a multiple of eight, so that the IP stack rounds up to the nearest multiple of eight.
Fragmentation Percentage Select the percentage of IP datagrams whose size exceeds the IP Payload Fragment Size from the drop-down menu. These datagrams are fragmented, before being sent to the destination, from TCP/UDP layers above the IP layer.
Error Generation Select the type of error generation.
Type Description
Error Generation Off No error generation (default).
Send First Fragment Only Select to transmit only the first fragment of each datagram. All other fragments are discarded. (If you selected Send Fragments in Reverse Order, only the fragment that would have been sent last is sent.) This allows testing of reassembly timeout mechanisms.
Send Overlapping Fragments

Select to cause the IP stack to create and send random, but legitimate, IP fragments, whose data offset and length are randomly selected, so that the receiving end sees overlapping data in the fragments it receives. This is useful for testing the reassembly mechanisms at the receiving end.

NOTE: The overlapping fragment will not have enough data for the receiving end to complete the reassembly, and overlapping fragments are sent only if the original IP datagram is at least 24 bytes long. The best effort is made to insert the overlapping fragments in between regular fragments, but they are not guaranteed to always be inserted (because of their random nature), and they are never inserted after the last regular fragment is sent.
Realism Tab Fields: The fields in the Realism tab include the variables for both the Receiver side and Sender side.
Line Speed

Select the bit rate (bits per second) that a simulated user will use to connect to a network, or link speed.

Select Max Speed (default), a predefined value, or User Defined from the drop-down menu. For the latter, enter the number of bits per second in the text field.

For the client, you configure Line Speed on a per-host basis. For the server, you configure Line Speed across all servers in the subnet.

Example

If you have three hosts on the client subnet, and set the Line Speed to 10 kbps, you will see that traffic is generated at 30 kbps in the client statistics. So, if you want traffic generated from the client at only 10 kbps, you should have one host on the client subnet with 10 kbps Line Speed.

NOTE: The line speed setting for the Receiver side is not currently supported when connecting to a real server.
Packet Loss Frequency Select the frequency at which you want the Packet Loss condition to occur from the drop-down menu. A value of 0.01% emulates a Packet Loss condition approximately once for every 10,000 packets. This entry emulates conditions, such as noisy network traffic or a DUT (device under test) dropping packets, by deliberately dropping a certain number of packets at random.
Number of Packets to Drop When a Packet Loss condition occurs, a block of packets are dropped. Enter the number of packets that you want to drop when the emulated Packet Loss condition occurs. A value of 5 for Number of Packets to Drop and a value of 0.01% for Packet Loss Frequency will drop approximately 5 consecutive packets for every 10,000 packets.
Delay Time Enter a fixed link propagation delay (in milliseconds) that emulates the distance of the subnets involved. To this delay, you can also add a delay Variation that emulates the queuing and processing delay at intermediate hops in the internet/network. The sum of these two delays is the total delay used per packet. You can configure these delays on a per subnet basis for outgoing and incoming traffic separately (that is, receive side and send side of the interface).
Variation Select the type of delay variation and the values that determine it. This delay variation gets added to the Delay Time.
Type Description
None No delay variation is applied.
Uniform Enables the following fields that allow you to specify a uniform distribution. A uniform distribution has the same probability for all the members of the population.
  • Lower Limit (ms): Lower limit (in milliseconds) of the interval from which random values for the additional delay are selected (with equal probability).
  • Upper Limit (ms): Upper limit (in milliseconds) of the interval from which random values for the additional delay are selected (with equal probability).
Normal Enables the following fields that allow you to specify a normal distribution, often referred to as a Bell Curve, which has a concentration of members around the middle and less on the tails of the curve. Every normal distribution has a mean and a standard deviation that indicate how much the values deviate from the mean.
  • Std: Number of milliseconds that the data in the distribution deviates from the mean.
  • Mean: Number of milliseconds used as the mean number for the normal distribution.
Type of Service (Hex)

(Sender side only) The Type of Service (ToS) value is an 8-bit hex value that is inserted in the IP header of all outgoing segments from the subnet. ToS is useful for device, application, and application infrastructure testing.

Example Use Cases

You can use ToS with Device testing to measure a device's ability to honor QoS settings:

  • Verify device operation with QoS enabled. Does device latency increase under load? Does adding queues affect overall device performance?
  • Ensure that the device services priority applications under load. Does the device drop prioritized frames?
You can use ToS with application testing to measure end-to-end QoS:
  • Determine the maximum usable number of QoS queues. How does end-to-end queue processing affect application latency?
  • Ensure that the infrastructure services priority applications under load. Does the device drop prioritized frames? Which applications are most affected by loss and jitter?

Use the TOS calculator (click the icon next to the field) to obtain a ToS value.

NOTE: If you specify a ToS setting in the Action List or Server Profiles Tab for a specific protocol, it overrides the setting that you enter here.
PPP/PPPoE Tab Fields:

Use PPP (client only)

Enable PPP (server only)

NOTE: PPP and PPPoE options are enabled or disabled simultaneously. You cannot enable only one of the options.
(Client Subnet only)

You configure PPP groups in the PPP Group window. Then, you can apply a PPP group to a subnet.

Select Use PPP and PPPoE, and then choose the PPP Group Name that you want to apply to the subnet.

Select the PPP Group Name that you want to use, or use the buttons in the pane to create, copy, edit, or delete a configuration.

Create a new configuration.

Copy the configuration selected in the drop-down menu.

Edit the configuration selected in the drop-down menu.

Delete the configuration selected in the associated drop-down menu. Note that if you delete a configuration associated with an advanced test, it becomes unavailable to other tests within the project.

(Server Subnet only)

Select Enable PPP. You can select Negotiation IP Range (IPv4 only) to enable IP negotiation from the PPP server through IPCP. The PPP client will be assigned an IPv4 address from the pool that you specify here (range or single address). You can also specify a Primary DNS Server IP and Secondary DNS Server IP (IPv4 only).

NOTES:

  • For an IPv4 subnet, if you're using a Device test (emulating both clients and servers), you must enable or disable the server's Negotiation IP Range field and the client's IP Negotiation field consistently on both sides.
  • For an IPv6 subnet, Avalanche supports IPV6CP negotiation according to RFC 5072.

Additional settings and limitations

  • The server does not store any state related to a PPP/PPPoE session, and expects the client to be intelligent about retransmissions, and so on.
  • Enable MAC masquerading (individual MAC address) in the Client Subnet profile, with the first and second bytes set to zero.
  • Disable MAC masquerading (individual MAC address) in the server Subnet profile.
  • Ensure that the Magic Number under the client's PPP Group is deselected, so that there is no automatic generation of the magic number.

Use PPPoE (client only)

Enable PPPoE (server only)

 (Client Subnet only)

You configure PPPoE groups in the PPPoE Group window. Then, you can apply a PPPoE group to a subnet.

Select Use PPP and PPPoE, and then choose the PPPoE Group Name that you want to apply to the subnet.

Select the PPPoE Group Name that you want to use, or use the buttons in the pane to create, copy, edit, or delete a configuration.

Create a new configuration.

Copy the configuration selected in the drop-down menu.

Edit the configuration selected in the drop-down menu.

Delete the configuration selected in the associated drop-down menu. Note that if you delete a configuration associated with an advanced test, it becomes unavailable to other tests within the project.

(Server Subnet only)

Select Enable PPPoE, and then enter an AC Name (access concentrator name) and Service Name based on the characteristics that apply to the PPPoE connection.
DHCP Tab, Request Configuration Parameters (Client Subnet only):
Enable DHCP For an IPv4 subnet, select to enable DHCPv4, so that Avalanche requests one IPv4 address from a DHCPv4 server, and does not use the IP Address field on the Subnets tab. (The IP Address field is disabled after you enable DHCP.)

NOTE: Enter the subnet that the DHCPv4 server assigns in the Network field. Avalanche does not verify that the subnet assigned by the DHCPv4 server matches the subnet that you identify in the Network field.
For an IPv6 subnet, select to enable DHCPv6, so that Avalanche requests one IPv6 address from a DHCPv6 server, and does not use the IPv6 Address field on the Subnets tab.

NOTE: The Static Addressing and Assign Prefix checkboxes must be unchecked, and you must configure the MAC address fields to indicate the number of IPv6 addresses to request.
After enabling this option, you can specify the following fields.
DHCP-PD Option (IPv6 only) Select to enable DHCP-PD (prefix delegation), so that Avalanche requests an IPv6 prefix from a DHCPv6 server instead of requesting an IPv6 address.
Timeout The time in milliseconds that Avalanche waits for the DHCP server to supply an IP address, if the first attempt is unsuccessful.
Retries The number of retries that Avalanche performs to request an IP address from the DHCP server, if the first attempt is unsuccessful.
Number of IP Addresses The number of IP addresses from which you want to generate traffic. (The actual IP addresses are assigned by the DHCP server.)
DHCP Tab, Vendor Options (Client Subnet only, IPv4 only):
Option 60 (RFC 2131)

The value of option 60 (Vendor Class Identifier). This option identifies the vendor's equipment, for example, a set-top box manufacturer and software version. Enter a string, such as "Spirent."

NOTE: Refer to RFC 2131 (Dynamic Host Configuration Protocol) for more information.
Option 82 (RFC 3046) The value of option 82 (Agent Information Option). This option identifies the user, for example, a unique ID that is assigned to each user and sent to the service provider, so that it can validate to which services the user has subscribed. Enter a value pair, such as "3000" and "3333," in the adjacent fields.

NOTE: Refer to RFC 3046 (DHCP Relay Agent Information Option) for more information.
Use This Forms DB Alternatively, you can select a forms database to use from the drop-down menu for the Option 60 and Option 82 fields. In this case, you enter $1, $2, $3, as applicable, in the Option 60 and Option 82 text fields.
DS-Lite Tab Fields:

NOTE: Select Enable DS-Lite for the subnet to enable these fields.

Local Gateway Address

 The IPv6 address of the local gateway. The default is as follows:
  • client - 2001:DB8:1::1
  • server - 2001:DB8:1::2

Remote Gateway Address

 The IPv6 address of the remote gateway. The default is as follows:
  • client - 2001:DB8:1::2
  • server - 2001:DB8:1::1
Prefix Length Enter an IPv6 prefix length in bits, from 0 to 128. (See the example for the Prefix Address field.) The default is 64.

SSL VPN Tab Fields (Client Subnet):

NOTES:

  • Select Enable SSL VPN for the subnet to enable these fields.

  • Configure these fields in the client subnet if you require support for mixed protocol traffic, whereby the actions for all protocols are executed in parallel within one SSL VPN tunnel, and the tunnel remains open for the duration of the test. Otherwise, you can configure the Client SSL VPN Fields using an Action list. (You must not configure both an Action list and client subnet simultaneously for the SSL VPN tunnel, or your test will fail.)

  • During a trial run, the single SSL VPN tunnel remains open for the duration of the test, although traffic does not continue. You must manually stop the test, as it will not terminate automatically.

  • During a full run, the number of tunnels opened is equal to the number of IP addresses in the subnet.

  • The following are additional considerations when configuring mixed protocol traffic within one SSL VPN tunnel:

    • To control the bandwidth in the SSL VPN tunnel, you should add a time delay between groups of actions in each protocol’s Action list using a Think Time, and then fine tune this delay to achieve the desired bandwidth. You can also adjust the payload size, based on each protocol.

    • You should configure user-based load profiles instead of global load profiles.

  • The SSL VPN client for the Cisco vendor supports the following types of authentication, based on the requirements of your DUT:

    • AAA (Authentication, Authorization and Accounting): Uses the User Name, Group Name, Password fields that you specify.
    • Certificate: Uses the certificate file(s) that you upload under TLS Configuration. See the User SSL Certificate section. From here, you can specify a forms database to use multiple certificate files. The certificates are used in a round-robin fashion across the tunnels.
    • Both of the above.
SSL VPN HTTPS (Client Subnet):

User Name

 The user name used for authentication.

Password

 The password used for authentication.

Group Name

(Cisco only)

 The region used for authentication.

Unique ID

(Palo Alto only)

 A string to be used to form a unique ID for the subnet/core. Each subnet can be assigned to multiple associations, and thus divided into multiple cores. As an example, if you specify "SSLVPN" for this field, and the subnet is divided into two cores, then the unique ID will become "SSLVPN-Core0" for core 0 and "SSLVPN-Core1" for core 1.

Use FormsDB

Select to specify a forms database for the User Name, Password, and Group Name/Unique ID fields, and then select the forms database name from the drop-down menu.

An example forms database for the Cisco vendor is as follows:

username1,password1,region1
username2,password2,region2
username3,password3,region3
 

An example forms database for the Palo Alto vendor is as follows:

username1,password1,subnet1
username2,password2,subnet2
username3,password3,subnet3

TCP Port

 The TCP port number on the secure gateway.

Enable FQDN

 Select to specify an FQDN (fully qualified domain name) for the secure gateway.

SSL VPN HTTPS IP Address/Hostname

 The HTTPS IPv4/IPv6 address or FQDN of the secure gateway.
Enable DNS Query for Every User

(Enabled when Enable FQDN is selected.)

Select to perform a DNS query for each SimUser.

Deselect to perform one DNS query for the subnet (default).

NOTE: This option is applicable only when using either of the following features:
TLS Configuration

See the TLS field descriptions in the Client Profiles TLS/SSL Configuration Fields.

NOTE: The Ciphers section applies only to the TLS tunnel type. For the DTLS tunnel type, use the DTLS Ciphers section.
Tunnel Settings (Client Subnet):
DTLS

(Cisco only)

Select to enable the Datagram Transport Layer Security (DTLS) tunnel setup. The DTLS tunnel is set up after the TLS tunnel has been established. All data message traffic over the SSL VPN tunnel is transmitted inside the DTLS tunnel, once established. All control message traffic is transmitted inside the TLS tunnel.

If deselected, a TLS tunnel is set up. All data and control message traffic is transmitted inside the TLS tunnel.
DTLS Version

(Cisco only)

 

Select one of the following versions to use when DTLS is enabled:

  • DTLS 1.0
  • DTLS 1.2
ESP (Palo Alto only)

Select to enable Encapsulating Security Payload (ESP) for IPSec. The ESP protocol provides authentication, as well as confidentiality through the use of encryption algorithms.

NOTES:

  • This ESP feature strictly relates to IPSec and should not be confused with the Extreme Scale & Performance (ESP) feature in Avalanche.
  • The ESP option should be disabled for SSL.
Disable ICMP Pings (Palo Alto only)

Applies to the GlobalProtect VPN. Select to disable sending ICMP ping commands from the client for an ESP tunnel setup.

NOTE: ICMP KeepAlive messages are still sent.
Vendor

The SSL VPN vendor. Select one of the following:

  • Cisco
  • Palo Alto
User Agent

A string indicating information to be reflected in the CONNECT request packet in the tunnel connection phase. Select one of the following for Cisco vendor:

  • AnyConnect Avalanche Client
  • Avalanche Open Connect

NOTE: This field is read-only for Palo Alto vendor.
Address Type in Tunnel The IP address version inside the tunnel (IPv4 or IPv6).
MTU

The maximum transmission unit (MTU) inside the tunnel.

NOTES:

  • The MTU value depends on the tunnel type (DTLS or TLS), Address Type in Tunnel, and cipher type. If the data sent through the tunnel by the client or server is greater than the MTU, then IP fragmentation occurs. This is less of an issue for protocols that use TCP as the transport type, because the maximum segment size (MSS) is negotiated. However, for protocols that use UDP, the payload length needs to be manually established.

  • The default MTU value is approximately 1300, which is optimal for both IPv4 and IPv6.
Ciphers Available and Selected

NOTES:

  • For Cisco vendor:
    • This Ciphers section applies to the Cisco vendor's DTLS tunnel type. For any other TLS tunnel type, use the TLS Configuration section.
    • The available ciphers vary depending on the DTLS version. For DTLS 1.0, only AES128-SHA and AES256-SHA are supported.
    • DTLS transactions will not be accelerated by the Spirent Cryptographic Acceleration Module. (Only TLS is supported.)
  • For Palo Alto vendor:
    • This Ciphers section applies to the Palo Alto vendor's ESP setting.
    • The supported ciphers include IPSec ciphers that the GlobalProtect VPN server supports.
    • ESP (IPSec) tunnels are not supported by the Spirent Cryptographic Acceleration Module.
  • In the current Avalanche release, TLS v1.3 is not supported for an SSL VPN test.
  • The cipher suite names available and selected are shown using the OpenSSL short-name format. For more information, log in to the Spirent CSC (https://support.spirent.com) with your user name and password, and then see the Knowledge Base article, Cipher Suite Names, for a list of their standard long-name equivalents.

Available: Lists ciphers from which you can select.

Selected: Lists ciphers that you selected from the Available list and want to use with the profile. Select one or more entries in the Available list, and then click the arrow button to move them into the Selected list.

If you no longer want to use a cipher, select it in the Selected list, and then click the arrow button to move it back to the Available list.

To change the order of ciphers in the Selected list, select the cipher and then click the up or down buttons.

Signature Hash Algorithms

(Palo Alto only)

The hash algorithms that the client supports for digital signatures.

NOTE: This section is read-only for Palo Alto vendor, and SHA-1 is selected by default.
SSL VPN Tab Fields (Server Subnet):

NOTE: Select Enable SSL VPN for the subnet to enable these fields.
SSL VPN HTTPS (Server Subnet):

Address Version

 The IP address version (IPv4 or IPv6) of the SSL VPN gateway.

SSL VPN HTTPS IP Address

 The HTTPS IP address of the SSL VPN gateway.
SSL VPN TLS Configuration (Server Subnet):
SSL VPN Profile Name

Select the SSL VPN profile that you want to use from the drop-down menu, or use the buttons as follows:

Create a new profile. Configure the SSL VPN profile fields that appear.

Copy the currently selected profile, specifying a new name when prompted.

Edit the currently selected profile. Configure the SSL VPN profile fields that appear.

Delete the currently selected profile, confirming when prompted.
SSL VPN Profile (Server Subnet):
Port The port number on the SSL VPN gateway.
DTLS (Cisco only)

Select to enable the Datagram Transport Layer Security (DTLS) tunnel setup. The DTLS tunnel is set up after the TLS tunnel has been established. All data message traffic over the SSL VPN tunnel is transmitted inside the DTLS tunnel, once established. All control message traffic is transmitted inside the TLS tunnel.

If deselected, a TLS tunnel is set up. All data and control message traffic is transmitted inside the TLS tunnel.
Vendor

The SSL VPN vendor.

NOTE: Currently, only Cisco is supported on the server side.
Address Type in Tunnel The IP address version inside the tunnel (IPv4 or IPv6).
Address Range in Tunnel The IP address range inside the tunnel.
MTU

The maximum transmission unit (MTU) inside the tunnel.

NOTES:

  • The MTU value depends on the tunnel type (DTLS or TLS), Address Type in Tunnel, and cipher type. If the data sent through the tunnel by the client or server is greater than the MTU, then IP fragmentation occurs. This is less of an issue for protocols that use TCP as the transport type, because the maximum segment size (MSS) is negotiated. However, for protocols that use UDP, the payload length needs to be manually established.
  • The default MTU value is approximately 1300, which is optimal for both IPv4 and IPv6.
TLS/SSL Configuration

See the field descriptions in the Server TLS/SSL Configuration.

NOTE: The Ciphers section applies to both DTLS and TLS tunnel types. (Ensure that you select all that apply for both types.)
VxLAN Tab Fields:

NOTES:

  • Select Enable VxLAN for the subnet to enable these fields.
  • For more information on these fields, see RFC 7348, Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks.
Local VTEP IP The VXLAN Tunnel End Point (VTEP) local IPv4 address.
Remote VTEP IP The VXLAN Tunnel End Point (VTEP) remote IPv4 address.
VNI

The VXLAN Network Identifier (VNI) or VXLAN Segment ID. Each VXLAN segment is identified through this 24-bit segment ID.

The default value is 100. The valid range is 0 to 16777215.
DST MAC

Select to configure the destination MAC address. This will override the outer ethernet destination MAC address. If deselected, the outer ethernet destination MAC address will use the MAC address of the Remote VTEP IP.

Default value: FF:FF:FF:FF:FF:FF
VLAN Tab Fields:

NOTES:

  • This table supports Q-in-Q (or QinQ), also known as VLAN stacking, an Ethernet networking standard that allows additional VLAN tags to be inserted into an existing 802.1Q-tagged frame. This allows you to have an Ethernet frame with multiple VLAN tags.
  • VLAN stacking via the Action list is supported on the client side only (no server support). Instead, you can configure both client and server VLAN stacking here. (This is the recommended method.) If you configure VLAN tags through the Action list, any VLAN configuration that you specify here for the client is overwritten.
  • You can define up to 6 VLAN tags for VLAN stacking.
  • The first VLAN tag in this table is the outer one in the frame, and the last one is the Inner VLAN ID.
  • If you are using more than 2 VLAN tags for VLAN stacking, you should Enable Jumbo Frames.
  • An IP address can be bound to only one VLAN stack. Avalanche does not support multiple VLAN stacks per IP address. That is, if you configure the same IP address in two different subnets, and each subnet has a different VLAN stack, your test may fail.
VLAN TAG The VLAN ID. The last entry in this table reflects the Inner VLAN ID for the currently selected row in the Subnets table.

NOTES:

  • The valid range for a VLAN ID is 0 – 4094, and the default is 1.
  • If IPSec is enabled, the VLAN TAG is the IPSec gateway's VLAN tag. In this case, VLAN TAG INCREMENT is disabled.
Start Address The starting IP address to use for VLAN TAG INCREMENT. For example, you can set this to be the first IP address in the IP Address (Range) field for the subnet.

NOTE: If this field is blank (default), then the VLAN TAG is bound to the first IP address of the configured Network for the subnet.

Example (where Start Address is blank and IPSec is disabled)

The VLAN ID of host A (vidA) is derived from the following formula:

vidA = startVid + (ipA – networkA) * vidInc

Where:

  • startVid: The VLAN TAG value.
  • ipA: The IP address (range) of host A.
  • networkA: The first IP address of the configured Network for the subnet.
  • vidInc: The VLAN TAG INCREMENT value.

For example:

  • startVid = 1
  • ipA = 192.168.43.2 – 192.168.43.5
  • networkA = 192.168.43.1 (first IP address of 192.168.43.0/24)
  • vidInc = 2

Result:

NOTES:

  • Though IP address 192.168.43.1 is not used, it gets assigned VLAN ID 1, since it is the first IP address of the network.
  • If the resulting vidA is greater than 4094, its final value is set to vidA mod 4095.
IP Address VLAN ID
192.168.43.1 1
192.168.43.2 3
192.168.43.3 5
192.168.43.4 7
192.168.43.5 9
VLAN TAG INCREMENT If non-zero, the value by which to increment the VLAN ID for each host.

NOTES:

  • The valid range for a VLAN tag increment is 0 – 4094, and the default is 0.
  • If IPSec is enabled, this field is disabled.
VLAN TAG PROTOCOL ID

The tag protocol identifier (TPID) for the VLAN. The default value is 0x8100, which indicates that the frame carries 802.1Q/802.1p tag information.

Select to display a drop-down menu with these options:

  • 0x8100
  • 0x88a8
  • 0x88e7
  • 0x9100
  • 0x9200
VLAN PRIORITY The user priority for the VLAN. The valid range is 0 to 7.
VLAN CFI The one-bit canonical format indicator (CFI) for the VLAN. The default value is 0.
Buttons

Delete: Deletes a selected row from the VLAN table.

Down: Moves the selected row down to the next entry.

Up: Moves the selected row up to the previous entry.

Copy: Copies the selected row and appends it to the end of the VLAN table.

New: Adds a row to the end of the VLAN table.

NOTE: Multi-row operations are not supported.

Related Information:

Configuring Subnets

Generating Flat Subnets

Subnets Tab Right-Click Commands

PPP Group Window

PPPoE Group Window

About Configuring Routing

IPSec Tab

IPSecIKEv1 Tab

IPSecIKEv2 Tab

IPSec Global Rekey Settings

Policy Generator Wizard (IPSec)

SSL VPN Support in Avalanche

Client SSL VPN Fields

GTP Tab

IPv6OverIPv4 Tab

PilotPkt Tab

Create New Form Data Window

Testing DHCP

Server Profiles Tab DHCP

DHCP Action List

Run Configure Tab

Client Associations Tab

Server Associations Tab

© 2024 Spirent Communications, Inc. All Rights Reserved.