Date posted: 19-Jan-2016
D-Link TSD 2009 workshop
D-Link Net-Defends Firewall Training ©Copyright 2009. By D-Link HQ TSD Benson Wu
Firewall Products: agenda

9:00 ~ 11:00 (2 hr) Anti-spam and Anti-Virus
11:00 ~ 11:10 (10 mins) Coffee Break
11:10 ~ 12:40 (1 hr 30 mins) Policy Based Route
12:40 ~ 13:40 (1 hr) Lunch
13:40 ~ 15:10 (1 hr 30 mins) Host Monitoring
15:10 ~ 15:30 (20 mins) Coffee Break
15:30 ~ 17:00 (1 hr 30 mins) Outbound Route Load Balancing
Finish
Host Monitoring

Outline
•Overview
•What is Route Failover
•The key points of the route failover mechanism
•How to deploy the route failover mechanism
•The methods of the route failover mechanism
  •Link Status
  •ARP Request
  •Host monitoring
•The Host Monitoring Methods
•How to check the status of the routing table
Hands-on
•Setting and debugging
Q&A
What Is Route Failover?
The route failover mechanism uses the route monitoring function to check the availability of routes and switches traffic to an alternate route if the preferred route fails.

[Diagram: the firewall has two Internet links, WAN1 to ISP1 and WAN2 to ISP2, both reaching Google. MAIN routing table:
0.0.0.0/0 wan1, Metric=10 (primary)
0.0.0.0/0 wan2, Metric=20 (backup)]
The Key Points Of The Route Failover Mechanism
•How route failover processes traffic.
•Failover across multiple routes.
•Re-enabling routes.
How the route failover mechanism processes traffic
[Diagram: outbound traffic to Google normally leaves via WAN1 to ISP1; when that route fails it is switched to WAN2 via ISP2.]
Multiple route failover
[Diagram: three Internet links ranked by metric: WAN1 to ISP1 (primary), a PPPoE interface to ISP2 (secondary) and WAN2 to ISP3 (third). When the primary fails, traffic moves to the secondary; if that also fails, to the third.]
Re-enabling the routes
The Net-Defends firewall continues to check the status of a disabled route.
If the disabled route becomes available again, the Net-Defends firewall re-enables it.
How To Deploy The Route Failover
•Manually add the routing entries and set their metrics.
•Enable the route failover function on the preferred route.
•Add an interface group so traffic can fail over to the alternate interface.
•Add IP rules for traffic that fails over to the backup route.
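The selection, disable and re-enable behaviour described in the preceding slides, as an added example in Python. This is not D-Link code and not the NetDefendOS implementation: the interface names, gateways and metrics 10/20 come from the slides, while the `Route`/`RoutingTable` names, the PPPoE route's metric 15 and gateway 2.2.2.2, and the `failover_demo` walk-through are this example's own assumptions. The backup route is left unmonitored, as the hands-on note later in the deck recommends.

```python
"""Added example (not D-Link code): a model of the route failover mechanism.
Routing entries follow the slides; class/function names and the PPPoE
route's metric and gateway are assumptions made for this example."""

from dataclasses import dataclass


@dataclass
class Route:
    network: str            # e.g. "0.0.0.0/0"
    interface: str          # e.g. "wan1"
    gateway: str
    metric: int             # lower metric = preferred
    failover: bool = False  # "Route Failover Enabled" on this entry
    disabled: bool = False  # set while route monitoring reports it down


class RoutingTable:
    """Lowest-metric enabled route wins. Monitored routes are disabled when
    the monitor says they failed and re-enabled when it sees them recover."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.metric)

    def lookup(self, network="0.0.0.0/0"):
        for r in self.routes:
            if r.network == network and not r.disabled:
                return r
        return None   # no usable route: traffic is dropped

    def monitor(self, interface, reachable):
        """Feed one route-monitor verdict (link status, ARP or host
        monitoring) for an interface. Only failover-enabled routes react."""
        for r in self.routes:
            if r.interface == interface and r.failover:
                r.disabled = not reachable


def failover_demo():
    """Primary fails, secondary fails, primary recovers.
    Returns the interface chosen for 0.0.0.0/0 at each step."""
    table = RoutingTable([
        Route("0.0.0.0/0", "wan1", "1.1.1.2", 10, failover=True),   # primary
        Route("0.0.0.0/0", "pppoe", "2.2.2.2", 15, failover=True),  # secondary (assumed values)
        Route("0.0.0.0/0", "wan2", "3.3.3.2", 20),                  # backup, not monitored
    ])
    chosen = [table.lookup().interface]            # wan1: everything healthy
    table.monitor("wan1", reachable=False)         # monitor: ISP1 path is down
    chosen.append(table.lookup().interface)        # pppoe: secondary takes over
    table.monitor("pppoe", reachable=False)        # secondary also fails
    chosen.append(table.lookup().interface)        # wan2: third route
    table.monitor("wan1", reachable=True)          # firewall kept polling; wan1 is back
    chosen.append(table.lookup().interface)        # wan1: re-enabled, preferred again
    return chosen


if __name__ == "__main__":
    print(" -> ".join(failover_demo()))
```

Because `monitor()` only touches failover-enabled entries, a verdict about the unmonitored backup changes nothing; that is why the deck only enables the function on the WAN1 route.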
Manually add the routing entries and set up the metrics
[Topology: WAN1 IP 1.1.1.1/24, gateway 1.1.1.2 (ISP1); WAN2 IP 3.3.3.1/24, gateway 3.3.3.2 (ISP2).]

Enable the route failover function on the primary route

Add an interface group for traffic failover to the alternate interface

Add IP rules to allow traffic to fail over to the backup interface
The Methods Of The Route Failover Mechanism
Interface link status method
Monitor gateway using ARP method
Host monitoring method
Interface link status method
Monitors the link status of the physical interface.
[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to router 1.1.1.2/30; wan2 5.5.5.1/30 to router 5.5.5.2/30.
0.0.0.0/0 wan1, Gateway: 1.1.1.2, Metric=10, Route Failover Enabled
0.0.0.0/0 wan2, Gateway: 5.5.5.2, Metric=20]
Monitor gateway using ARP method
If a gateway IP has been specified in a route, the Net-Defends firewall can send ARP requests to check the status of the gateway.
This method detects a crashed gateway: the link stays up, but the gateway no longer answers ARP.
[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to router 1.1.1.2/30 (ISP1), plus a PPPoE link; ARP Request out, ARP Reply back.
MAIN routing table:
0.0.0.0/0 wan1, Gateway: 1.1.1.2, M=10
0.0.0.0/0 wan2, Gateway: 3.3.3.2, M=20]
The restriction of the link status and ARP request methods
Neither method detects a remote node connection failure: if the link and the gateway router are up but the connection beyond the gateway has failed, the route is still considered available.
[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to router 1.1.1.2/30; wan2 5.5.5.1/30 to router 5.5.5.2/30; the failure is beyond the wan1 router.
0.0.0.0/0 wan1, Gateway: 1.1.1.2, Metric=10, Link state/ARP request
0.0.0.0/0 wan2, Gateway: 5.5.5.2, Metric=20]
Host monitoring method
Provides a more flexible way to monitor route status. Instead of looking only at the local link or gateway, the Net-Defends firewall probes a remote host and treats the route as usable only while that host answers, which is a more reliable check of the route's status.
[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to router 1.1.1.2/30; wan2 5.5.5.1/30 to router 5.5.5.2/30; monitored target: Google web site 74.125.67.100.]
Methods of host monitoring
•ICMP Host Monitoring
•TCP Host Monitoring
•HTTP Host Monitoring
ICMP Host Monitoring
The Net-Defends firewall sends ICMP echo requests (ping) to remote hosts to check the status of the route.
[Diagram: DFL-Series 1.1.1.1/30 -> router 1.1.1.2/30 -> Google web 74.125.67.100; Ping Request out, Ping Reply back.]
ICMP Host Monitoring Configuration Example
[Diagram: WAN1 to ISP1, WAN2 to ISP2.]
ICMP Host Monitoring Configuration Example: parameters
Grace Period: the time after startup or after reconfiguration of the Net-Defends firewall that the firewall waits before it starts route monitoring.
Minimum Number of Hosts Reachable: the minimum number of monitored hosts that must be reachable for the route to stay up; if fewer are reachable, the route is deemed to have failed.
  All: all monitored targets must be reachable, or this route will be disabled.
  None: at least one of the monitored targets must be reachable, or this route will be disabled.
  Specific: the specified number of monitored targets must be reachable, or this route will be disabled.
Polling Interval: the interval in milliseconds between polling attempts. The default setting is 10,000 ms and the minimum value allowed is 100 ms.
Reachability Required: can be enabled on individual monitored targets. If the Net-Defends firewall determines that any host with this option enabled is not reachable, route failover is initiated.
Samples: the number of samples used for calculating the Percentage Loss and the Average Latency. This value cannot be less than 1.
Max Poll Fails: the maximum permissible number of polling attempts that fail. If this number is exceeded, the host is considered unreachable.
Max Average Latency: the maximum permissible average latency, in milliseconds. The average latency is calculated by averaging the response times from the host over the sample window; a polling attempt that receives no response is not included in the average. If the average exceeds this value, the host is considered unreachable.
ICMP Host Monitoring Configuration Example: Host Monitoring Sample List

Sample list 1 (3 of the 10 polls fail with Result=NG; every successful poll reports 700 ms latency):
1. ICMP request, Result=Ok, Latency=700ms
2. ICMP request, Result=NG
3. ICMP request, Result=Ok, Latency=700ms
4. ICMP request, Result=NG
5. ICMP request, Result=Ok, Latency=700ms
6. ICMP request, Result=NG
7. ICMP request, Result=Ok, Latency=700ms
8. ICMP request, Result=Ok, Latency=700ms
9. ICMP request, Result=Ok, Latency=700ms
10. ICMP request, Result=Ok, Latency=700ms

Sample list 2 (all 11 polls succeed with 700 ms latency):
1. ICMP request, Result=Ok, Latency=700ms
2. ICMP request, Result=Ok, Latency=700ms
3. ICMP request, Result=Ok, Latency=700ms
4. ICMP request, Result=Ok, Latency=700ms
5. ICMP request, Result=Ok, Latency=700ms
6. ICMP request, Result=Ok, Latency=700ms
7. ICMP request, Result=Ok, Latency=700ms
8. ICMP request, Result=Ok, Latency=700ms
9. ICMP request, Result=Ok, Latency=700ms
10. ICMP request, Result=Ok, Latency=700ms
11. ICMP request, Result=Ok, Latency=700ms
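How the parameters above turn a sample list into a reachable/unreachable verdict, and how Minimum Number of Hosts Reachable and Reachability Required combine the per-host verdicts into a route decision, as an added example in Python (not D-Link code, and not how NetDefendOS is implemented internally). The two sample lists are the ones from the slides; the `HostMonitor`/`route_is_up` names, the default thresholds (Max Poll Fails 3, Max Average Latency 800 ms) and the 50 % Percentage Loss threshold are assumptions made for this example, and the "None = at least one host" meaning follows the slides' definition.

```python
"""Added example (not D-Link code): evaluating the host monitoring parameters
over the two sample lists from the slides. Threshold defaults and the
percentage-loss limit are assumptions for this example."""

from dataclasses import dataclass
from typing import List, Optional

# One poll result: latency in ms when Result=Ok, None when Result=NG.
Sample = Optional[int]

# Constructed from the two sample lists on the slides.
SAMPLE_LIST_1: List[Sample] = [700, None, 700, None, 700, None, 700, 700, 700, 700]
SAMPLE_LIST_2: List[Sample] = [700] * 11


@dataclass
class HostMonitor:
    samples: int = 10               # "Samples": window for loss/latency statistics
    max_poll_fails: int = 3         # "Max Poll Fails" (assumed value)
    max_average_latency: int = 800  # "Max Average Latency" in ms (assumed value)
    max_percentage_loss: int = 50   # assumed Percentage Loss limit
    reachability_required: bool = False

    def window(self, polls: List[Sample]) -> List[Sample]:
        return polls[-self.samples:]          # only the most recent N samples count

    def percentage_loss(self, polls: List[Sample]) -> float:
        w = self.window(polls)
        return 100.0 * sum(1 for p in w if p is None) / len(w)

    def average_latency(self, polls: List[Sample]) -> Optional[float]:
        # Polls with no reply are excluded from the average, as the slide says.
        replies = [p for p in self.window(polls) if p is not None]
        return sum(replies) / len(replies) if replies else None

    def reachable(self, polls: List[Sample]) -> bool:
        w = self.window(polls)
        if sum(1 for p in w if p is None) > self.max_poll_fails:
            return False                      # too many failed polls
        if self.percentage_loss(polls) > self.max_percentage_loss:
            return False
        avg = self.average_latency(polls)
        if avg is None or avg > self.max_average_latency:
            return False                      # no replies at all, or too slow
        return True


def route_is_up(monitors, results, min_hosts="All") -> bool:
    """Combine per-host verdicts. min_hosts is "All", "None" (at least one
    host) or an integer, as the slides define "Minimum Number of Hosts
    Reachable". A host flagged Reachability Required fails the route alone."""
    verdicts = [m.reachable(r) for m, r in zip(monitors, results)]
    if any(m.reachability_required and not ok for m, ok in zip(monitors, verdicts)):
        return False
    up = sum(verdicts)
    if min_hosts == "All":
        return up == len(monitors)
    if min_hosts == "None":
        return up >= 1
    return up >= int(min_hosts)


if __name__ == "__main__":
    m = HostMonitor()
    print("list 1: loss=%.0f%% avg=%s reachable=%s" % (
        m.percentage_loss(SAMPLE_LIST_1), m.average_latency(SAMPLE_LIST_1), m.reachable(SAMPLE_LIST_1)))
    print("list 1 with Max Poll Fails=2:", HostMonitor(max_poll_fails=2).reachable(SAMPLE_LIST_1))
```

Sample list 1 gives 30 % loss and a 700 ms average, so it passes with Max Poll Fails 3 and fails with Max Poll Fails 2; sample list 2 only trips the Max Average Latency check if that limit is set below 700 ms.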
TCP Host Monitoring
The Net-Defends firewall opens a TCP connection to the specified port on the monitored target to check the status of the route.
Any reply from the monitored target counts as success: the check passes as soon as the TCP handshake completes (SYN sent, SYN-ACK received), without examining what the service sends.
[Diagram: DFL-Series 1.1.1.1/30 -> router 1.1.1.2/30 -> Google web 74.125.67.100: TCP port 80 handshake, SYN out, SYN-ACK back. FTP server 220.13.8.24: TCP port 21 connect request, connect reply.]
TCP Host Monitoring Configuration Example
[Diagram: WAN1 to ISP1, WAN2 to ISP2.]
HTTP Host Monitoring
The Net-Defends firewall uses the HTTP protocol to check the status of the route.
Only a reply that contains the specified HTTP pattern is accepted; a reachable server that returns a different page counts as a failure.
[Diagram: DFL-Series 1.1.1.1/30 -> router 1.1.1.2/30 -> HTTP server 74.125.67.100; HTTP Request out, reply checked for the specified HTTP pattern.]
HTTP Host Monitoring Configuration Example
[Diagram: WAN1 to ISP1, WAN2 to ISP2.]
Set the monitored target's URL.
Enter the expected web page source code (the HTTP pattern to match in the reply) here.
HTTP Host Monitoring Configuration Example
You can set up the expected response like:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
[Screenshot]
You can't set up the expected response like:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
[Screenshot]
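The difference between the TCP and HTTP host monitoring methods, as an added example in Python that is not D-Link code: a TCP probe that only needs the handshake to complete, and an HTTP probe that also requires the configured pattern in the reply body. The DOCTYPE line is the pattern shown on the slides; the throwaway local HTTP server, the 127.0.0.1 targets, the page bodies and the function names are this example's assumptions, chosen so the probes can run offline.

```python
"""Added example (not D-Link code): TCP vs HTTP host monitoring probes, run
against constructed local targets. Hosts, ports, page bodies and helper
names are assumptions for this example."""

import http.server
import socket
import threading
import urllib.error
import urllib.request

# The expected-response pattern from the slides.
EXPECTED_PATTERN = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'


def tcp_probe(host, port, timeout=2.0):
    """TCP host monitoring: succeeds once the three-way handshake completes
    (SYN out, SYN-ACK back). Nothing the service says is examined."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(url, pattern, timeout=2.0):
    """HTTP host monitoring: succeeds only if the reply body contains the
    configured pattern, so a live port serving the wrong page still fails."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return False
    return pattern in body


class _PageHandler(http.server.BaseHTTPRequestHandler):
    body = b""                      # replaced per server in start_local_server

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_local_server(body):
    """Constructed monitoring target: serves `body` on 127.0.0.1 at a free
    port from a background thread. Returns (server, port)."""
    handler = type("Handler", (_PageHandler,), {"body": body})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """A port nothing listens on, so a connect to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_demo():
    """Probe a correct target, a target serving the wrong page and a dead
    port. Returns {target: (tcp_ok, http_ok)}."""
    good, gport = start_local_server(EXPECTED_PATTERN.encode() + b"\n<html><body>ok</body></html>")
    wrong, wport = start_local_server(b"<html><body>maintenance page</body></html>")
    dead = free_port()
    try:
        return {
            "expected_page": (tcp_probe("127.0.0.1", gport),
                              http_probe(f"http://127.0.0.1:{gport}/", EXPECTED_PATTERN)),
            "wrong_page": (tcp_probe("127.0.0.1", wport),
                           http_probe(f"http://127.0.0.1:{wport}/", EXPECTED_PATTERN)),
            "dead_port": (tcp_probe("127.0.0.1", dead),
                          http_probe(f"http://127.0.0.1:{dead}/", EXPECTED_PATTERN)),
        }
    finally:
        for srv in (good, wrong):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (tcp_ok, http_ok) in probe_demo().items():
        print(f"{name:14s} tcp={tcp_ok} http={http_ok}")
```

The "wrong_page" target is the case that separates the two methods: the TCP probe reports it up because port 80 answers, while the HTTP probe reports it down because the pattern is missing from the reply.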
Check The Route Failover Status
•Check the routing table.
•Check the routing table via CLI.
•Check the host monitoring status.
Hands On
Example of Host Monitoring

Topology:
ISP1 via WAN1: IP 1.1.1.1/24, GW 1.1.1.2
ISP2 via WAN2: IP 3.3.3.1/24, GW 3.3.3.2
LAN: 192.168.1.1/24, with PC1 192.168.1.50 and PC2 192.168.1.101
HTTP/FTP server: 5.5.5.5

Objective (outgoing traffic):
1. The primary default gateway is the WAN1 default gateway; if the WAN1 default gateway is unavailable, the default gateway changes to WAN2.
2. Set up the route failover function with each of link state, ARP request and host monitoring, and observe the differences between them.
3. The monitored target for host monitoring is 5.5.5.5.
Example of Host Monitoring: steps
1. Set the IP4 address objects.
2-4. [Screenshots]
5. Create a WAN1 gateway route.
6. Configure the route monitoring function.
7. [Screenshot]
8. Create a WAN2 gateway route entry for the secondary gateway.
9. Note: why don't we need to set up the route failover function on the WAN2 default route? Because the WAN2 default route is a backup route: traffic only goes through WAN2 when the WAN1 default route has failed, so the route failover monitoring function only needs to be set up on the WAN1 default route.
10. Add an interface group.
11. Add IP rules for traffic going through the WAN2 interface.
Outbound Route Load Balancing

Outline
•Overview
•What is Outbound Route Load Balancing
•How to deploy the RLB function
•RLB behaviors
•RLB algorithms
Hands-on
•Setting and debugging
Q&A
What is Outbound Route Load Balancing?
Outbound Route Load Balancing (RLB) is the ability to distribute traffic over multiple routes based on a number of predefined distribution algorithms.
[Diagram: WAN1 to ISP1 and WAN2 to ISP2, both carrying traffic to Google. MAIN routing table:
0.0.0.0/0 wan1, Metric=10
0.0.0.0/0 wan2, Metric=20]
How to deploy Outbound RLB
•Manually add identical routing entries.
•Enable RLB.

Manually add identical routing entries for RLB
[Topology: WAN1 IP 1.1.1.1/24, gateway 1.1.1.2 (ISP1); WAN2 IP 3.3.3.1/24, gateway 3.3.3.2 (ISP2).]

Enable RLB.
Outbound RLB behaviors
•The RLB engine automatically looks up identical routing entries in the routing table.
•The RLB engine groups the identical routing entries into an RLB group.
•The RLB engine uses the specified algorithm to decide which way traffic goes.
•Outbound RLB flowchart

Automatic lookup of identical routing entries in the routing table
[Diagram: two sets of identical routing entries in the MAIN routing table.]

Grouping the identical-destination routing entries in the RLB engine
[Diagram: Group 1 and Group 2.]

Using the specified algorithm to decide which way traffic goes
[Diagram: the RLB group spreads traffic to Google over WAN1 (ISP1) and WAN2 (ISP2).]
Outbound RLB Flowchart
Outgoing traffic
 -> Look up dst-network in the main routing table
    -> No match: dropped by "Default Access Rule"
    -> Match: are there matching RLB routing entries?
       -> No: forward on the single matching route's interface
       -> Yes: the Outbound Route Load Balancing Engine applies the RLB algorithm and picks WAN1 or WAN2

Example lookup:
src_IP       src_IF   destination     dest_IF
192.168.1.9  lan1     http://google   WAN1 or WAN2
Outbound Route Load Balancing Algorithms
•Round Robin Algorithm
•Destination Algorithm
•Spillover Algorithm
Round Robin Algorithm
Successive routes are chosen from the matching routes in round-robin fashion.
If the matching routes have unequal metrics, routes with a lower metric are chosen more often.
[Diagram: outgoing traffic, RLB Round Robin Algorithm over the MAIN routing table; WAN1 and WAN2 shown both with equal metrics (M=10, M=10) and with unequal metrics (M=10, M=20).]
The restriction of the Round Robin Algorithm
[Diagram: an SSL client behind the firewall connecting to an SSL server; RLB Round Robin spreads successive connections over WAN1 (M=10) and WAN2 (M=20).]
Destination Algorithm
Destination is similar to Round Robin, but provides "stickiness": a unique destination IP address always gets the same route from a lookup.
[Diagram: outgoing traffic to Google and to Facebook; RLB Destination Algorithm over the MAIN routing table, WAN1 M=10, WAN2 M=10. Destination stickiness table: 1. Facebook -> wan2, 2. Google -> wan1; every further connection to Facebook leaves via wan2 and every connection to Google via wan1.]
How to set up the Round Robin and Destination Algorithms
[Screenshot of the RLB instance settings.]
Spillover Algorithm
The first matching route's interface is used repeatedly until the Spillover Limits of that route's interface have been exceeded continuously for the duration of the Hold Timer; traffic then spills over to the next matching route.
[Diagram: outgoing traffic, RLB Spillover Algorithm over the MAIN routing table; WAN1 (M=10) is used first, WAN2 (M=20) takes the overflow.
Spillover parameters: Utilization Limit: 1 Mbps; Hold Time: 10 seconds]
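The three RLB algorithms above, as an added simulation in Python. This is not D-Link code and does not reproduce NetDefendOS internals: the interface names, metrics, destinations and the 1 Mbps / 10 s spillover parameters follow the slides, while the class names, the weighting rule for unequal metrics (weight = 1/metric, smooth weighted round robin), the return to the primary as soon as it drops under the limit, and the constructed traffic in `rlb_demo` are this example's assumptions.

```python
"""Added example (not D-Link code): Round Robin, Destination and Spillover
route load balancing as a small simulation. Weighting rule, spillover
recovery rule and traffic figures are assumptions for this example."""

from collections import Counter
from fractions import Fraction


class RoundRobin:
    """Successive lookups rotate over the group's routes. With unequal
    metrics the lower-metric route is chosen more often; the weighting used
    here (weight = 1/metric) is an assumption, not D-Link's documented rule."""

    def __init__(self, routes):                 # routes: {interface: metric}
        self.weights = {i: Fraction(1, m) for i, m in routes.items()}
        self.credit = {i: Fraction(0) for i in routes}

    def pick(self, dst_ip=None):
        for i, w in self.weights.items():       # smooth weighted round robin
            self.credit[i] += w
        best = max(self.credit, key=self.credit.get)
        self.credit[best] -= sum(self.weights.values())
        return best


class Destination(RoundRobin):
    """Round Robin plus stickiness: a destination keeps the route it was
    first given (the "destination stickiness table" on the slide)."""

    def __init__(self, routes):
        super().__init__(routes)
        self.sticky = {}

    def pick(self, dst_ip):
        if dst_ip not in self.sticky:
            self.sticky[dst_ip] = super().pick()
        return self.sticky[dst_ip]


class Spillover:
    """The lowest-metric route carries everything until its utilization has
    exceeded the limit for hold_time consecutive seconds; new traffic then
    spills to the next route. Going back to the primary as soon as it drops
    under the limit is this example's assumption."""

    def __init__(self, routes, limit_kbps=1000, hold_time=10):
        self.order = sorted(routes, key=routes.get)   # lowest metric first
        self.limit, self.hold = limit_kbps, hold_time
        self.over_for = 0                             # seconds over the limit

    def tick(self, primary_kbps):
        """One second of primary-interface utilization in; the interface
        that new traffic gets out."""
        self.over_for = self.over_for + 1 if primary_kbps > self.limit else 0
        return self.order[1] if self.over_for >= self.hold else self.order[0]


def rlb_demo():
    """Run each algorithm over constructed traffic; returns a dict of results."""
    dests = ["Google", "Facebook", "Google", "Google", "Facebook", "Google"] * 2

    rr = RoundRobin({"wan1": 10, "wan2": 20})          # unequal metrics
    rr_count = dict(Counter(rr.pick() for _ in dests))

    dst = Destination({"wan1": 10, "wan2": 10})
    dst_path = [dst.pick(d) for d in dests]

    sp = Spillover({"wan1": 10, "wan2": 20}, limit_kbps=1000, hold_time=10)
    load = [1500] * 12 + [400] * 2                     # 12 s over 1 Mbps, then quiet
    sp_path = [sp.tick(kbps) for kbps in load]

    return {"round_robin": rr_count, "destination": dst_path,
            "sticky_table": dict(dst.sticky), "spillover": sp_path}


if __name__ == "__main__":
    for name, result in rlb_demo().items():
        print(f"{name:12s} {result}")
```

With metrics 10 and 20 the round-robin weights give WAN1 two lookups for every one on WAN2; the destination run pins Google to wan1 and Facebook to wan2 for the whole run; the spillover run stays on wan1 for nine seconds of overload, moves new traffic to wan2 once the hold timer expires at the tenth second, and returns to wan1 when the load drops.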
How to set up the spillover algorithm
Hands On
Example of Route Load Balancing

Topology:
ISP1 via WAN1: IP 1.1.1.1/24, GW 1.1.1.2
ISP2 via WAN2: IP 3.3.3.1/24, GW 3.3.3.2
LAN: 192.168.1.1/24, with PC1 192.168.1.50 and PC2 192.168.1.101
HTTP/FTP server: 5.5.5.5

Objective:
1. There are two Internet links, ISP1 and ISP2. All outgoing traffic is load-balanced over ISP1 and ISP2.
2. Configure the RLB instance object with each of Round Robin, Destination and Spillover, and observe the differences between them.

Steps:
1. Set the IP4 address objects.
2. Add two default routes.
3. Add a wan1/wan2 interface group.
4. Add an IP rule entry.
5. Add a Round Robin or Destination Route Load Balancing instance. Check the RLB status.
6. Add a Spillover Load Balancing instance.
7. Add the Spillover settings.
Thank you