D-Link TSD 2009 workshop
D-Link NetDefend Firewall Training
© D-Link HQ TSD, Benson Wu

Agenda: Firewall Products
Time          Duration     Topic
9:00~11:00    2 hr         Anti-spam and Anti-Virus
11:00~11:10   10 min       Coffee Break
11:10~12:40   1 hr 30 min  Policy Based Route
12:40~13:40   1 hr         Lunch
13:40~15:10   1 hr 30 min  Host Monitoring
15:10~15:30   20 min       Coffee Break
15:30~17:00   1 hr 30 min  Outbound Route Load Balancing
Finish
Host Monitoring

Host Monitoring Overview (Outline)
- What is route failover
- The key points of the route failover mechanism
- How to deploy the route failover mechanism
- The methods of the route failover mechanism: link status, ARP request, host monitoring
- The host monitoring methods
- How to check the status of the routing table
- Hands-on: setting and debugging
- Q&A
What Is Route Failover?
The route failover mechanism uses the route monitoring function to check the availability of routes, and switches traffic to an alternate route when the preferred route fails.
Figure: WAN1 to ISP1 and WAN2 to ISP2, both reaching Google. MAIN routing table:
  0.0.0.0/0  wan1  Metric=10  (primary)
  0.0.0.0/0  wan2  Metric=20  (backup)
The Key Points of the Route Failover Mechanism
- How route failover processes traffic
- Multiple route failover
- Re-enabling routes

How Route Failover Processes Traffic
Figure: WAN1 to ISP1 and WAN2 to ISP2, both reaching Google; traffic moves from the failed primary link to the backup link.

Multiple Route Failover
Figure: three ISPs (ISP1, ISP2, ISP3) with routes ranked primary, secondary and third; WAN1 is a PPPoE link. When the primary route fails, traffic moves to the secondary route; when that also fails, to the third.

Re-enabling Routes
The NetDefend firewall keeps checking the status of a disabled route. If the disabled route becomes available again, the firewall re-enables it, and because it carries the lower metric, traffic returns to it.
How to Deploy Route Failover
1. Manually add the routing entries and set their metrics (the preferred route gets the lower metric).
2. Enable the route failover function on the preferred route.
3. Add an interface group so that traffic can fail over to the alternate interface.
4. Add IP rules that allow the traffic to use the backup route.

Manually Add Routing Entries and Set the Metrics
Figure: WAN1 (IP: /24, GW: ) to ISP1 and WAN2 (IP: /24, GW: ) to ISP2.

Enable the Route Failover Function on the Primary Route

Add an Interface Group for Traffic Failover to the Alternate Interface

Add IP Rules to Allow Traffic to Fail Over to the Backup Interface
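The four deployment steps above, as an added example that models them in code (this is not D-Link code and not the firewall's implementation): two default routes with different metrics, a monitor that only acts on the route with failover enabled, and an IP rule whose destination is either a single interface or an interface group. The addresses, the route and rule classes and the lookup order are assumptions made for the demo.

```python
# Added example (not D-Link code): a minimal model of route failover as the
# slides describe it. Names, addresses and the rule format are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    network: str            # destination prefix; "0.0.0.0/0" is the default route
    interface: str          # egress interface (wan1, wan2, ...)
    gateway: str            # next-hop gateway on that interface (assumed values)
    metric: int             # lower metric wins when several routes match
    monitor: bool = False   # "route failover" enabled on this route
    disabled: bool = False  # set by the route monitor when the route fails


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst):
        """Pick the longest matching prefix; on a tie, the lowest metric.
        Routes disabled by the monitor are skipped."""
        dst = ip_address(dst)
        matches = [r for r in self.routes
                   if not r.disabled and dst in ip_network(r.network)]
        if not matches:
            return None
        return min(matches,
                   key=lambda r: (-ip_network(r.network).prefixlen, r.metric))

    def monitor_report(self, interface, reachable):
        """Route monitor verdict for an interface. Only routes with failover
        enabled react; a backup route without monitoring is never disabled."""
        for r in self.routes:
            if r.interface == interface and r.monitor:
                r.disabled = not reachable


@dataclass
class IpRule:
    src_if: str
    dst_ifs: frozenset      # an interface group is modelled as a set


def rule_allows(rules, src_if, dst_if):
    return any(src_if == r.src_if and dst_if in r.dst_ifs for r in rules)


def failover_demo():
    """Egress interface used by a LAN host reaching 8.8.8.8 while wan1 is up,
    fails and recovers, and whether each step passes a narrow rule (wan1 only)
    and a rule whose destination is the wan1/wan2 interface group."""
    table = RoutingTable([
        Route("0.0.0.0/0", "wan1", "203.0.113.1", metric=10, monitor=True),
        Route("0.0.0.0/0", "wan2", "198.51.100.1", metric=20),   # backup
    ])
    narrow_rules = [IpRule("lan", frozenset({"wan1"}))]
    group_rules = [IpRule("lan", frozenset({"wan1", "wan2"}))]

    timeline = []
    for interface, reachable in [("wan1", True), ("wan1", False), ("wan1", True)]:
        table.monitor_report(interface, reachable)
        chosen = table.lookup("8.8.8.8").interface
        timeline.append((chosen,
                         rule_allows(narrow_rules, "lan", chosen),
                         rule_allows(group_rules, "lan", chosen)))
    return timeline
```

The middle entry of the returned timeline is the point of steps 3 and 4: once the monitor disables the wan1 route, the lookup returns wan2, and a rule that only names wan1 as destination interface drops the traffic even though the routing table has already failed over.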
The Methods of the Route Failover Mechanism
- Interface link status method
- Gateway monitoring using ARP
- Host monitoring method

Interface Link Status Method
The firewall monitors the link status of the physical interface; the route is disabled when the link goes down.
Figure: DFL-series firewall with wan1 (/30) to a router and wan2 (/30) to a second router. MAIN routing table: 0.0.0.0/0 via the wan1 gateway, Metric=10, route failover enabled; 0.0.0.0/0 via the wan2 gateway, Metric=20.

Monitor Gateway Using ARP
If a gateway IP has been specified in a route, the NetDefend firewall can send ARP requests to that gateway and treat a missing ARP reply as a failed route. Unlike the link status method, this detects a gateway that has crashed while the physical link (for example to an intermediate switch) is still up.
Figure: wan1 (/30) towards ISP1 (PPPoE), ARP request and ARP reply. MAIN routing table: 0.0.0.0/0 via the wan1 gateway, M=10; 0.0.0.0/0 via the wan2 gateway, M=20.

The Restriction of the Link Status and ARP Request Methods
Both methods only test the first hop. If the connection fails beyond the local router (the remote node, the ISP's side of the link), the interface stays up and the gateway still answers ARP, so the route is never disabled and traffic keeps being sent into a dead path.
Figure: wan1 (/30) to a router and wan2 (/30) to a second router, with the connection beyond the router broken. MAIN routing table: 0.0.0.0/0 via wan1, Metric=10, monitored by link state/ARP request; 0.0.0.0/0 via wan2, Metric=20.

Host Monitoring Method
Host monitoring provides a more flexible way to monitor route status: it tests the reachability of hosts beyond the first hop (in the figure, a public web site) and therefore reflects whether the route actually works end to end.
Figure: wan1 (/30) to a router, wan2 (/30), and the Google web site as the monitored target.
Methods of Host Monitoring
- ICMP host monitoring
- TCP host monitoring
- HTTP host monitoring

ICMP Host Monitoring
The NetDefend firewall sends ping (ICMP echo) requests to remote hosts and uses the replies to judge the status of the route.
Figure: firewall (/30) to the Google web site, ping request and ping reply.

ICMP Host Monitoring Configuration Example
Figure: WAN1 to ISP1, WAN2 to ISP2.

ICMP Host Monitoring Configuration Example: parameters
Grace Period: the time after startup or after a reconfiguration of the NetDefend firewall during which it waits before starting route monitoring.
Minimum Number of Hosts Reachable: the minimum number of monitored hosts that must be reachable for the route to be considered up; below it, the route is deemed to have failed.
  All: every monitored target must be reachable, or the route is disabled.
  None: at least one monitored target must be reachable, or the route is disabled.
  Specific: the configured number of monitored targets must be reachable, or the route is disabled.
Polling Interval: the interval in milliseconds between polling attempts. The default is 10,000 ms and the minimum allowed is 100 ms.
Reachability Required: can be enabled on individual monitored targets. If the firewall determines that any host with this option enabled is unreachable, route failover is initiated even if enough other hosts are still reachable.
Sample: the number of samples used to calculate Percentage Loss and Average Latency. This value cannot be less than 1.
Max Poll Fails: the maximum permissible number of failed polling attempts. If this number is exceeded, the host is considered unreachable.
Max Average Latency: the average latency is calculated by averaging the response times from the host; a polling attempt that receives no response is not included in the average. If the average exceeds this value, the host is considered unreachable.

Host Monitoring Sample List (example 1)
 1. ICMP request, Result=OK, Latency=700 ms
 2. ICMP request, Result=NG
 3. ICMP request, Result=OK, Latency=700 ms
 4. ICMP request, Result=NG
 5. ICMP request, Result=OK, Latency=700 ms
 6. ICMP request, Result=NG
 7. ICMP request, Result=OK, Latency=700 ms
 8. ICMP request, Result=OK, Latency=700 ms
 9. ICMP request, Result=OK, Latency=700 ms
10. ICMP request, Result=OK, Latency=700 ms

Host Monitoring Sample List (example 2)
 1. ICMP request, Result=OK, Latency=700 ms
 2. ICMP request, Result=OK, Latency=700 ms
 3. ICMP request, Result=OK, Latency=700 ms
 4. ICMP request, Result=OK, Latency=700 ms
 5. ICMP request, Result=OK, Latency=700 ms
 6. ICMP request, Result=OK, Latency=700 ms
 7. ICMP request, Result=OK, Latency=700 ms
 8. ICMP request, Result=OK, Latency=700 ms
 9. ICMP request, Result=OK, Latency=700 ms
10. ICMP request, Result=OK, Latency=700 ms
11. ICMP request, Result=OK, Latency=700 ms
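How the parameters above combine into a verdict, worked through on the two sample lists, as an added example that is not D-Link code. The slides describe Sample, Max Poll Fails, Max Average Latency, Reachability Required and Minimum Number of Hosts Reachable only in words, so the thresholds used here (Sample=10, Max Poll Fails=3, Max Average Latency=800 ms) and the reading of Max Poll Fails as failed polls inside the last Sample polls are assumptions.

```python
# Added example (not D-Link code): evaluating host-monitoring samples with the
# parameters from the slides. Thresholds and the "fails within the sample
# window" interpretation are assumptions made for this example.
from collections import deque
from statistics import mean


class MonitoredHost:
    def __init__(self, name, sample=10, max_poll_fails=3,
                 max_avg_latency_ms=800, reachability_required=False):
        if sample < 1:
            raise ValueError("Sample cannot be less than 1")
        self.name = name
        self.window = deque(maxlen=sample)      # the last `sample` poll results
        self.max_poll_fails = max_poll_fails
        self.max_avg_latency_ms = max_avg_latency_ms
        self.reachability_required = reachability_required

    def record(self, latency_ms):
        """latency_ms is None for a poll that got no reply (Result=NG)."""
        self.window.append(latency_ms)

    def poll_fails(self):
        return sum(1 for r in self.window if r is None)

    def percentage_loss(self):
        return 100.0 * self.poll_fails() / len(self.window) if self.window else 0.0

    def average_latency(self):
        answered = [r for r in self.window if r is not None]
        return mean(answered) if answered else None   # lost polls are excluded

    def reachable(self):
        if self.poll_fails() > self.max_poll_fails:   # "exceeded", not "reached"
            return False
        avg = self.average_latency()
        return avg is None or avg <= self.max_avg_latency_ms


def route_available(hosts, minimum):
    """minimum is "all", "none" (at least one) or a specific integer.
    A host flagged Reachability Required overrides the count."""
    if any(h.reachability_required and not h.reachable() for h in hosts):
        return False
    required = {"all": len(hosts), "none": 1}.get(minimum, minimum)
    return sum(1 for h in hosts if h.reachable()) >= required


# The two sample lists from the slides; None marks Result=NG.
SAMPLE_LIST_1 = [700, None, 700, None, 700, None, 700, 700, 700, 700]
SAMPLE_LIST_2 = [700] * 11


def evaluate_slides(max_poll_fails=3, max_avg_latency_ms=800, required=False):
    h1 = MonitoredHost("target-1", max_poll_fails=max_poll_fails,
                       max_avg_latency_ms=max_avg_latency_ms,
                       reachability_required=required)
    h2 = MonitoredHost("target-2", max_poll_fails=max_poll_fails,
                       max_avg_latency_ms=max_avg_latency_ms)
    for r in SAMPLE_LIST_1:
        h1.record(r)
    for r in SAMPLE_LIST_2:
        h2.record(r)                      # 11 polls; the window keeps the last 10
    return {
        "loss_1": h1.percentage_loss(), "avg_1": h1.average_latency(),
        "reachable_1": h1.reachable(),
        "loss_2": h2.percentage_loss(), "reachable_2": h2.reachable(),
        "route_all": route_available([h1, h2], "all"),
        "route_none": route_available([h1, h2], "none"),
        "route_specific_2": route_available([h1, h2], 2),
    }
```

With the defaults, sample list 1 shows 30% loss and 700 ms average latency but the three failed polls do not exceed Max Poll Fails=3, so the host stays reachable. Lowering Max Poll Fails to 2 marks it unreachable: the route then survives under "None" (target 2 still answers) but fails under "All", and under "None" too if target 1 carries Reachability Required. A Max Average Latency below 700 ms marks both hosts unreachable even though every poll in list 2 was answered.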
TCP Host Monitoring
The NetDefend firewall opens a TCP connection to the specified port on the monitored host. Any reply from the target (the SYN/ACK of the handshake, or a connect reply from a service such as FTP) counts as the host being reachable.
Figure: firewall (/30) to the Google web site on TCP port 80 (handshake SYN and SYN/ACK) and to an FTP server on TCP port 21 (connect request and connect reply).

TCP Host Monitoring Configuration Example
Figure: WAN1 to ISP1, WAN2 to ISP2.

HTTP Host Monitoring
The NetDefend firewall sends an HTTP request to the monitored host; the host is considered reachable only if the reply contains the specified HTTP pattern. A completed TCP connection alone, or a reply without the pattern, does not count.
Figure: firewall (/30) to an HTTP server, HTTP request and a reply containing the specified pattern.

HTTP Host Monitoring Configuration Example
Figure: WAN1 to ISP1, WAN2 to ISP2.
Set the monitored target's URL. Enter the text that must appear in the web page's source code (the expected response) here.

You can set up the expected response like:

You cannot set up the expected response like:
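The difference between the TCP and HTTP methods, shown against a local test server, as an added example that is not D-Link code: the TCP probe passes as soon as the handshake completes, while the HTTP probe also requires the expected pattern in the page body. The local server, its URL path and the pattern "Service OK" are assumptions for the demo; the "captive-portal" case stands for any upstream box that accepts the connection and answers with a different page.

```python
# Added example, not D-Link code: a TCP host monitor probe and an HTTP host
# monitor probe run against a local test HTTP server. The server, its URL
# path and the expected pattern "Service OK" are assumptions for the demo.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_probe(host, port, timeout=2.0):
    """TCP host monitoring: the host counts as reachable as soon as the
    three-way handshake completes (SYN, SYN/ACK), whatever the service says."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                 # refused, unreachable or timed out
        return False


def reply_has_pattern(raw_reply, expected):
    """HTTP host monitoring check: the pattern must appear in the body."""
    _headers, _sep, body = raw_reply.partition(b"\r\n\r\n")
    return expected.encode() in body


def http_probe(host, port, path, expected, timeout=2.0):
    """HTTP host monitoring: connect, send a GET and require the expected
    pattern in the reply. A server that answers without it still fails."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return False
    return reply_has_pattern(b"".join(chunks), expected)


class _Page(BaseHTTPRequestHandler):
    """Tiny test server; `body` is swapped by the demo to simulate a healthy
    page and a captive portal that answers with the wrong content."""
    body = b""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def _serve(body):
    _Page.body = body
    server = HTTPServer(("127.0.0.1", 0), _Page)    # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _closed_port():
    with socket.socket() as s:      # bind then release, so nothing listens there
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_demo():
    """Return {case: (tcp_verdict, http_verdict)} for three situations."""
    results = {}
    cases = {"healthy": b"<html><body>Service OK</body></html>",
             "captive-portal": b"<html><body>Please log in</body></html>"}
    for name, body in cases.items():
        server = _serve(body)
        host, port = server.server_address
        results[name] = (tcp_probe(host, port),
                         http_probe(host, port, "/", "Service OK"))
        server.shutdown()
        server.server_close()
    port = _closed_port()
    results["down"] = (tcp_probe("127.0.0.1", port),
                       http_probe("127.0.0.1", port, "/", "Service OK"))
    return results
```

The "captive-portal" result is the case that matters operationally: TCP monitoring keeps the route up because something answered on port 80, while HTTP monitoring fails it because the page is not the one expected. The pattern is matched in the body only, so a string that happens to occur in a header does not satisfy the check.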
Check the Route Failover Status
- Check the routing table.
- Check the routing table via the CLI.
- Check the host monitoring status.
Hands On

Example of Host Monitoring
Figure: ISP1 via WAN1 (IP: /24, GW: ), ISP2 via WAN2 (IP: /24, GW: ), LAN /24 with PC1 and PC2, and an HTTP/FTP server reached by the outgoing traffic.
Objective:
1. The primary default gateway is the WAN1 default gateway; if the WAN1 default gateway becomes unavailable, the default gateway changes to WAN2.
2. Set up the route failover function with link state, ARP request and host monitoring in turn, and compare how each behaves.
3. The monitored target of the host monitoring is the host shown in the figure for the outgoing traffic.

Steps:
1. Set the IP4 address objects.
2, 3, 4. (configuration screens)
5. Create the WAN1 gateway route.
6. Configure the route monitoring function on it.
7. (configuration screen)
8. Create the WAN2 gateway route entry as the secondary gateway route.
9. Note: why is the route failover function not needed on the WAN2 default route? Because the WAN2 default route is the backup route: traffic only goes through WAN2 when the WAN1 default route has failed, so the route failover monitoring function only needs to be set up on the WAN1 default route.
10. Add an interface group.
11. Add IP rules for traffic going through the WAN2 interface.
Outbound Route Load Balancing

Outbound Route Load Balancing Overview (Outline)
- What is outbound route load balancing
- How to deploy the RLB function
- RLB behaviours
- RLB algorithms
- Hands-on: setting and debugging
- Q&A
What Is Outbound Route Load Balancing?
Outbound route load balancing (RLB) is the ability to distribute traffic over multiple routes based on a number of predefined distribution algorithms.
Figure: WAN1 to ISP1 and WAN2 to ISP2, both reaching Google. MAIN routing table: 0.0.0.0/0 wan1, Metric= (not legible); 0.0.0.0/0 wan2, Metric=20.

How to Deploy Outbound RLB
1. Manually add identical routing entries (same destination network), one per WAN interface.
2. Enable RLB.

Manually Add Identical Routing Entries for RLB
Figure: WAN1 (IP: /24, GW: ) to ISP1 and WAN2 (IP: /24, GW: ) to ISP2.

Enable RLB
Outbound RLB Behaviours
- The RLB engine automatically looks up identical routing entries (same destination network) in the routing table.
- It groups the identical routing entries into an RLB group inside the engine.
- It applies the specified algorithm to decide which route the traffic takes.

Auto Lookup of Identical Routing Entries in the Routing Table
Figure: routing table with two sets of identical routing entries highlighted.

Outbound RLB Engine
Figure: the identical-destination routing entries are grouped into Group 1 and Group 2.

Using the Specified Algorithm to Decide Which Way Traffic Goes
Figure: WAN1 to ISP1 and WAN2 to ISP2 form one RLB group; the RLB engine picks one of them for traffic to Google.

Outbound RLB Flowchart
1. Outgoing traffic arrives (example: src_IP on lan1, destination http://google).
2. Look up the destination network in the main routing table. No match: the packet is dropped by the "Default Access Rule".
3. Match found: are there matching RLB routing entries (several identical routes)? No: forward on the single matching route's interface.
4. Yes: the outbound route load balancing engine runs the RLB algorithm and selects the interface, WAN1 or WAN2.
Outbound Route Load Balancing Algorithms
- Round Robin algorithm
- Destination algorithm
- Spillover algorithm

Round Robin Algorithm
Successive connections are assigned to the matching routes in turn. If the matching routes have unequal metrics, routes with a lower metric are chosen more often.
Figure: outgoing traffic, RLB Round Robin algorithm over the MAIN routing table, WAN1 (M=10) and WAN2 (M=20).

The Restriction of the Round Robin Algorithm
Because successive connections from the same client can leave through different WAN links, a server sees them arrive from two different public source addresses. A session that is bound to one client address, such as the SSL session in the figure, breaks when its next connection arrives from the other ISP.
Figure: an SSL client behind the firewall and an SSL server; round robin sends the client's connections over WAN1 (M=10) and WAN2 (M=20) alternately.

Destination Algorithm
Destination is similar to Round Robin but provides "stickiness": a unique destination IP address always gets the same route from a lookup, so all connections to a given server leave over the same WAN link.
Figure: outgoing traffic, RLB Destination algorithm over the MAIN routing table (M=10 WAN1, WAN2). Destination stickiness table: 1. Facebook -> wan2, 2. Google -> wan1. Traffic to Google always uses wan1; traffic to Facebook always uses wan2.

Destination Algorithm: how to set up the Round Robin and Destination algorithms

Spillover Algorithm
The first matching route's interface is used for all traffic until the spillover limits of that route's interface have been exceeded for the duration of the hold timer; traffic then spills over to the next matching route.
Figure: outgoing traffic, RLB Spillover algorithm over the MAIN routing table (M=10 WAN1, M=20 WAN2). Spillover parameters: Utilization Limit 1 Mbps, Hold Time 10 seconds.

Spillover Algorithm: how to set up the spillover algorithm

Route Load Balancing Algorithm Reset
The algorithm state is reset:
- after a NetDefend firewall reconfiguration or reboot;
- after a high availability failover.
After a reset the destination stickiness is lost, so an existing session may continue over a different WAN link than before.
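The three algorithms and the reset behaviour as a simulation, added here as an example that is not D-Link code and not the firewall's implementation. The slides describe the algorithms qualitatively, so three details are assumptions: a route with metric m gets round-robin weight 1/m (so wan1 at metric 10 is chosen twice as often as wan2 at metric 20), spillover is judged on the primary interface's measured utilization, and reset() stands for a reconfiguration, reboot or HA failover.

```python
# Added example, not D-Link code: a simulation of the three outbound RLB
# algorithms on the slides. Assumptions: weight 1/metric for round robin,
# spillover judged on the primary link's utilization, reset() models a
# reconfiguration or HA failover.
from fractions import Fraction


class RoundRobin:
    """Smooth weighted round robin over the identical routes of one RLB group."""

    def __init__(self, routes):
        self.routes = list(routes)          # [(interface, metric), ...]
        self.reset()

    def reset(self):
        self.credit = {iface: Fraction(0) for iface, _ in self.routes}

    def choose(self, dst_ip=None):
        total = sum(Fraction(1, m) for _, m in self.routes)
        for iface, m in self.routes:
            self.credit[iface] += Fraction(1, m)
        best = max(self.routes, key=lambda r: self.credit[r[0]])[0]
        self.credit[best] -= total
        return best


class Destination(RoundRobin):
    """Round robin plus stickiness: a destination keeps the route it first got."""

    def reset(self):
        super().reset()
        self.sticky = {}

    def choose(self, dst_ip):
        if dst_ip not in self.sticky:
            self.sticky[dst_ip] = super().choose()
        return self.sticky[dst_ip]


class Spillover:
    """Use the first route until the primary link has been over its
    utilization limit for hold_time seconds, then use the next route;
    return to the first route once it has been under the limit that long."""

    def __init__(self, interfaces, limit_bps, hold_time):
        self.interfaces = list(interfaces)  # ordered by metric, primary first
        self.limit, self.hold = limit_bps, hold_time
        self.reset()

    def reset(self):
        self.spilled = False
        self.over_since = self.under_since = None

    def choose(self, now, primary_bps):
        if primary_bps > self.limit:
            self.under_since = None
            self.over_since = now if self.over_since is None else self.over_since
            if now - self.over_since >= self.hold:
                self.spilled = True
        else:
            self.over_since = None
            self.under_since = now if self.under_since is None else self.under_since
            if now - self.under_since >= self.hold:
                self.spilled = False
        return self.interfaces[1] if self.spilled else self.interfaces[0]


ROUTES = [("wan1", 10), ("wan2", 20)]   # identical default routes, metrics as on the slide


def round_robin_share(flows=30):
    """Flows per interface: wan1 (metric 10) gets twice wan2's share."""
    rr = RoundRobin(ROUTES)
    counts = {}
    for _ in range(flows):
        iface = rr.choose()
        counts[iface] = counts.get(iface, 0) + 1
    return counts


def destination_stickiness():
    """Same destination -> same route, until a reset rebuilds the table."""
    dst = Destination(ROUTES)
    before = [dst.choose(ip) for ip in ["google", "facebook", "google", "facebook"]]
    dst.reset()                             # reconfiguration / reboot / HA failover
    after = [dst.choose(ip) for ip in ["facebook", "google"]]
    return before, after


def spillover_timeline():
    """Utilization samples every 5 s on wan1 against a 1 Mbps limit, 10 s hold."""
    sp = Spillover([r[0] for r in ROUTES], limit_bps=1_000_000, hold_time=10)
    samples = [(0, 500_000), (5, 1_500_000), (10, 1_500_000), (15, 1_500_000),
               (20, 1_500_000), (25, 300_000), (30, 300_000), (35, 300_000)]
    return [sp.choose(t, bps) for t, bps in samples]
```

destination_stickiness() shows the reset caveat: before the reset Facebook is pinned to wan2, afterwards the table is rebuilt in the order lookups happen to arrive and Facebook lands on wan1, which is exactly the source-address change that the Round Robin restriction slide warns about. spillover_timeline() shows that a link over the limit for less than the hold time does not trigger a spill, and that the return to the primary link is delayed by the same hold time.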
Hands On

Example of Route Load Balancing
Figure: ISP1 via WAN1 (IP: /24, GW: ), ISP2 via WAN2 (IP: /24, GW: ), LAN /24 with PC1 and PC2, and an HTTP/FTP server.
Objective:
1. There are two Internet links, ISP1 and ISP2. All outgoing traffic is load-balanced over ISP1 and ISP2.
2. Configure the RLB instance object with Round Robin, Destination and Spillover in turn, and compare the differences between them.

Steps:
1. Set the IP4 address objects.
2. Add two default routes.
3. Add a wan1/wan2 interface group.
4. Add an IP rule entry.
5. Add a Round Robin or Destination route load balancing instance, then check the RLB status.
6. Add a Spillover load balancing instance.
7. Add the spillover settings.

Thank you