This article explains how to create and configure network ranges for a site in your account.
The Native Range for the site is the IP range that you configured for each LAN interface when you created the site. You can configure additional LAN network ranges with their own IP address ranges.
The types of networks that you can add depends on the site's Connection Type:
Connection Type |
Direct Range |
Routed Range |
VLAN |
---|---|---|---|
Socket |
✓ |
✓ |
✓ |
Azure vSocket |
✓ |
✓ |
|
ESX vSocket |
✓ |
✓ |
✓ |
AWS vSocket |
✓ |
✓ |
|
Cato-initiated IPsec IKEv1 and IKEv2 |
✓ |
||
vSocket VSH (legacy) |
✓ |
||
vSocket VGS (legacy) |
✓ |
For more information about configuring DHCP settings for a network range, see Configuring DHCP Settings.
Use the Networks section to define the network ranges for each LAN interface configured for the site. The IP addresses cannot use /31 or /32 CIDR blocks.
If two or more sites in your account use overlapping IP address ranges, you must enable and configure Static Range Translation. For more information, see, Configuring System Settings for the Account.
These are the types of network IP ranges that you can create:
-
Direct - Network segments directly connected to the Cato Socket or firewall (not via a router), but the IP range is different than the site's native range.
-
Routed - Network segments that connect to a Socket through a router.
-
VLAN - When VLANs connect to Cato, the connection is similar to a trunk port. VLAN tags are stripped as the packets enter the Cato Cloud. When a packet enters the LAN again, the VLAN tag is reapplied.
Note
Note: The Local IP field isn't relevant for IPsec sites.
For more about configuring DHCP settings for a network range, see Configuring DHCP Settings.
To create an IP address range for a LAN interface:
-
From the navigation menu, click Network > Sites and select the site.
-
From the navigation menu, click Site Configuration > Networks.
-
Expand the LAN interface.
-
From the LAN interface, click New to add a new network segment for the IP range.
The New Interface IP Range panel opens.
-
Enter the Name for the IP range.
-
From the Type drop-down menu, select the type of IP range: Direct, Routed, or VLAN.
-
Enter the Subnet and IP settings based on the range type:
-
For Direct and VLAN ranges, enter the Local IP. This is the IP address for the Cato LAN port.
-
For Routed ranges, enter the Gateway. This is the next hop IP address for the neighboring router.
-
-
For VLANs, enter the VLAN ID for this range.
-
(Optional) Configure the DHCP settings for this range, from the DHCP Range drop-down menu select one of these options:
-
Disabled - DHCP is disabled for this range
-
Account Default - this range uses the default DCHP settings for the account
-
DHCP Range - Enter the range of IP addresses that the DHCP server assigns for this segment
-
-
Click Apply. The New Interface IP Range panel closes.
-
Click Save. The IP address range is created.
Use the Edit Interface IP range panel to edit the settings for a network range.
To edit a network range:
-
From the navigation menu, click Network > Sites and select the site.
-
From the navigation menu, click Site Configuration > Networks.
-
In the Type column, click the network range.
The Edit IP Range panel opens.
-
Edit the settings for the network range.
-
Click Apply. The Edit IP Range panel closes.
-
Click Save. The changes to the network range are saved.
Before you can delete a network range, make sure that it isn't used somewhere else in the Cato Management Application, such as network or firewall rules. In addition, make sure that no hosts are configured for that range (in Network > Site Settings > Host).
To delete a network range:
-
From the navigation menu, click Network > Sites and select the site.
-
From the navigation menu, click Site Configuration > Networks.
-
Expand the LAN interface.
-
From the network range, click the Delete icon .
The network range is removed from the LAN interface.
-
Click Save. The network range is deleted.
In some cases, you may need to define a special security policy for a segment of IP addresses that are part of a bigger network range. For example, within 10.0.0.0/24, the 10.0.0.0/27 block has different security requirements.
To support such cases, you can define a network range within a site that is a subset of an existing range in the same site. Then, use the item for that network sub-range in a security policy (such as a firewall rule).
Note
Note: If a rule or group is referencing an IP that is included in two ranges in the same site, the more accurate definition (e.g. 10.0.0.0/27 in the example above) always takes precedence.
0 comments
Please sign in to leave a comment.