D-Link TSD 2009 workshop D-Link Net-Defends Firewall Training ©Copyright 2009. By D-Link HQ TSD Benson Wu



Firewall Products

9:00 ~ 11:00 (2 hr): Anti-spam and Anti-Virus
11:00 ~ 11:10 (10 mins): Coffee Break
11:10 ~ 12:40 (1 hr 30 mins): Policy Based Route
12:40 ~ 13:40 (1 hr): Lunch
13:40 ~ 15:10 (1 hr 30 mins): Host Monitoring
15:10 ~ 15:30 (20 mins): Coffee Break
15:20 ~ 17:00 (1 hr 30 mins): Outbound Route Load Balancing
Finish



Host Monitoring


Outline

•Overview
•What is Route Failover
•The key points of the route failover mechanism
•How to deploy the route failover mechanism
•The methods of the route failover mechanism
  •Link Status
  •ARP Request
  •Host monitoring
•The Host Monitoring Methods
•How to check the status of the routing table

Hands-on
•Setting and debugging

Q&A


What Is Route Failover?

The route failover mechanism uses the route monitoring function to check the availability of routes and switches traffic to an alternate route if the preferred route fails.

[Diagram: ISP1 via WAN1 (primary) and ISP2 via WAN2 (backup), both reaching Google]

MAIN Routing Table:
0.0.0.0/0 wan1, Metric=10 (primary)
0.0.0.0/0 wan2, Metric=20 (backup)


The Key Points Of The Route Failover Mechanism

•How route failover processes traffic.
•Multiple routes failover.
•Re-enabling the routes.


How the route failover mechanism processes traffic

[Diagram: traffic to Google leaves via WAN1 to ISP1 while the primary route is up, and via WAN2 to ISP2 once the primary route has failed]


Multiple routes failover

[Diagram: three upstream links, WAN1 to ISP1 (primary), PPPoE to ISP2 (secondary) and WAN2 to ISP3 (third)]


Re-enable the routes

The NetDefend firewall continues to check the status of a disabled route.

If the disabled route becomes available again, the NetDefend firewall re-enables it.


How To Deploy Route Failover

1. Manually add the routing entries and set their metrics.
2. Enable the route failover function on the preferred routes.
3. Add an interface group so traffic can fail over to the alternate interface.
4. Add IP rules that allow traffic to fail over to the backup routes.


Manually add the routing entries and set the metrics

[Diagram: WAN1 to ISP1 with IP 1.1.1.1/24, GW 1.1.1.2; WAN2 to ISP2 with IP 3.3.3.1/24, GW 3.3.3.2]


Enable the route failover function in the primary routes


Add Interface group for traffic failover to alternate interface


Add IP rules to allow traffic failover to backup interfaces


The Methods Of The Route Failover Mechanism

•Interface link status method
•Monitor gateway using ARP method
•Host monitoring method


Interface link status method

Monitor the link status of the physical interface.

[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to a router at 1.1.1.2/30, wan2 5.5.5.1/30 to a router at 5.5.5.2/30]

0.0.0.0/0 wan1, Gateway: 1.1.1.2, Metric=10, Route Failover Enabled
0.0.0.0/0 wan2, Gateway: 5.5.5.2, Metric=20


Monitor gateway using ARP method

If a gateway IP has been specified in a route, the NetDefend firewall can send ARP requests to check the status of that gateway.

This method catches a gateway that has crashed, which the link status alone does not reveal.

[Diagram: DFL-Series wan1 1.1.1.1/30 to the ISP1 router at 1.1.1.2/30, exchanging ARP Request / ARP Reply; a PPPoE link as the second path]

MAIN Routing Table:
0.0.0.0/0 wan1, Gateway: 1.1.1.2, M=10
0.0.0.0/0 wan2, Gateway: 3.3.3.2, M=20


The restriction of the link status and ARP request methods

Both methods only check the next hop. If the link and the gateway are up but the connection to a remote node fails, the failure is not detected and the route is not failed over.

[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to a router at 1.1.1.2/30, wan2 5.5.5.1/30 to a router at 5.5.5.2/30, with the path beyond the ISP1 router failing]

0.0.0.0/0 wan1, Gateway: 1.1.1.2, Metric=10, Link state/ARP request
0.0.0.0/0 wan2, Gateway: 5.5.5.2, Metric=20


Host monitoring method

Provides more flexible ways to monitor route status.

Host monitoring uses more reliable checks (the reachability of a remote host rather than of the next hop) to determine the status of a route.

[Diagram: DFL-Series firewall, wan1 1.1.1.1/30 to a router at 1.1.1.2/30, wan2 5.5.5.1/30 to a router at 5.5.5.2/30, monitoring the Google web site 74.125.67.100]


Methods of host monitoring

•ICMP Host Monitoring
•TCP Host Monitoring
•HTTP Host Monitoring


ICMP Host Monitoring

The NetDefend firewall sends ping requests to remote hosts to check the status of a route.

[Diagram: DFL-Series 1.1.1.1/30 via the router at 1.1.1.2/30 to Google web 74.125.67.100: Ping Request / Ping Reply]


ICMP Host Monitoring Configuration Example

[Diagram: WAN1 to ISP1, WAN2 to ISP2]


ICMP Host Monitoring Configuration Example

Grace Period: the time after startup or after reconfiguration of the NetDefend firewall during which the firewall waits before starting route monitoring.

Minimum Number of Hosts Reachable: the minimum number of hosts that must be considered accessible for the route to stay up; below it the route is deemed to have failed.
•All: all monitored targets must be detectable, or this route will be disabled.
•None: at least one of the monitored targets must be detectable, or this route will be disabled.
•Specific: the specified number of monitored targets must be detectable, or this route will be disabled.


ICMP Host Monitoring Configuration Example

Polling Interval: the interval in milliseconds between polling attempts. The default is 10,000 ms and the minimum allowed value is 100 ms.

Reachability Required: can be enabled on individual monitored targets. If the NetDefend firewall determines that any host with this option enabled is not reachable, route failover is initiated.

Sample: the number of samples used to calculate the Percentage Loss and the Average Latency. This value cannot be less than 1.

Max Poll Fails: the maximum permissible number of polling attempts that fail. If this number is exceeded, the host is considered unreachable.

Max Average Latency: the Average Latency is calculated by averaging the response times from the host. A polling attempt that receives no response is not included in the average.


ICMP Host Monitoring Configuration Example

Host Monitoring Sample List:
1. ICMP request, Result=Ok, Latency=700ms
2. ICMP request, Result=NG
3. ICMP request, Result=Ok, Latency=700ms
4. ICMP request, Result=NG
5. ICMP request, Result=Ok, Latency=700ms
6. ICMP request, Result=NG
7. ICMP request, Result=Ok, Latency=700ms
8. ICMP request, Result=Ok, Latency=700ms
9. ICMP request, Result=Ok, Latency=700ms
10. ICMP request, Result=Ok, Latency=700ms


ICMP Host Monitoring Configuration Example

Host Monitoring Sample List:
1. ICMP request, Result=Ok, Latency=700ms
2. ICMP request, Result=Ok, Latency=700ms
3. ICMP request, Result=Ok, Latency=700ms
4. ICMP request, Result=Ok, Latency=700ms
5. ICMP request, Result=Ok, Latency=700ms
6. ICMP request, Result=Ok, Latency=700ms
7. ICMP request, Result=Ok, Latency=700ms
8. ICMP request, Result=Ok, Latency=700ms
9. ICMP request, Result=Ok, Latency=700ms
10. ICMP request, Result=Ok, Latency=700ms
11. ICMP request, Result=Ok, Latency=700ms
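The following is an added example, not D-Link or NetDefendOS code: a small model of the monitoring parameters defined on the two configuration slides (Sample, Max Poll Fails, Max Average Latency, Reachability Required, Minimum Number of Hosts Reachable), applied to poll histories like the two sample lists above, together with the routing-table rules from earlier slides (lowest-metric enabled route wins, a failed route is re-enabled once its targets answer again). The route and host names are constructed, and counting Max Poll Fails inside the Sample window is an assumption.

```python
# Added example, not D-Link/NetDefendOS code: a model of the host monitoring
# parameters on the slides (Sample, Max Poll Fails, Max Average Latency,
# Reachability Required, Minimum Number of Hosts Reachable) and of the routing
# table behaviour: the enabled route with the lowest metric carries traffic, and
# a disabled route is re-enabled once its targets are reachable again. Counting
# Max Poll Fails inside the Sample window is our assumption.
from dataclasses import dataclass, field
from typing import List, Optional, Union

NG = None  # a poll with no reply ("Result=NG" in the slide's sample list)


@dataclass
class MonitoredHost:
    name: str
    samples: List[Optional[int]]         # latency in ms per poll, NG = no reply
    sample_size: int = 10                # "Sample": polls used for the statistics
    max_poll_fails: int = 3              # "Max Poll Fails"
    max_avg_latency_ms: int = 800        # "Max Average Latency"
    reachability_required: bool = False  # "Reachability Required"

    def window(self) -> List[Optional[int]]:
        return self.samples[-self.sample_size:]

    def poll_fails(self) -> int:
        return sum(1 for s in self.window() if s is NG)

    def average_latency(self) -> Optional[float]:
        ok = [s for s in self.window() if s is not NG]  # no-reply polls excluded
        return sum(ok) / len(ok) if ok else None

    def reachable(self) -> bool:
        if self.poll_fails() > self.max_poll_fails:
            return False
        avg = self.average_latency()
        return avg is not None and avg <= self.max_avg_latency_ms


@dataclass
class Route:
    iface: str
    gateway: str
    metric: int
    hosts: List[MonitoredHost] = field(default_factory=list)
    min_hosts: Union[str, int] = "All"   # "All", "None" or a specific number
    enabled: bool = True

    def monitoring_ok(self) -> bool:
        if not self.hosts:               # no route monitoring: always enabled
            return True
        reach = [h.reachable() for h in self.hosts]
        if any(h.reachability_required and not r for h, r in zip(self.hosts, reach)):
            return False                 # a required host is down: fail over
        n_ok = sum(reach)
        if self.min_hosts == "All":
            return n_ok == len(self.hosts)
        if self.min_hosts == "None":     # as the slides describe: at least one
            return n_ok >= 1
        return n_ok >= int(self.min_hosts)


def active_route(routes: List[Route]) -> Optional[Route]:
    """One monitoring cycle, then the enabled route with the lowest metric."""
    for r in routes:
        r.enabled = r.monitoring_ok()    # also re-enables a recovered route
    up = [r for r in routes if r.enabled]
    return min(up, key=lambda r: r.metric) if up else None


# Constructed poll histories mirroring the two sample lists on the slides.
LOSSY = [700, NG, 700, NG, 700, NG, 700, 700, 700, 700]
CLEAN = [700] * 11


def demo(samples: List[Optional[int]], max_poll_fails: int = 2) -> str:
    # Primary wan1 (metric 10) monitors 5.5.5.5; backup wan2 is unmonitored.
    target = MonitoredHost("5.5.5.5", samples, max_poll_fails=max_poll_fails)
    routes = [Route("wan1", "1.1.1.2", 10, hosts=[target]),
              Route("wan2", "3.3.3.2", 20)]
    chosen = active_route(routes)
    return chosen.iface if chosen else "none"
```

With the lossy list and Max Poll Fails set to 2 the three failed polls push traffic to wan2; with the clean list, or Max Poll Fails raised to 3, wan1 stays the active route.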


TCP Host Monitoring

The NetDefend firewall uses a specified TCP port to check the status of a route.

Any reply from the monitored target is accepted by the DFL firewall as proof that the host is reachable.

[Diagram: DFL-Series 1.1.1.1/30 via the router at 1.1.1.2/30; TCP port 80 handshake (SYN / SYN-ACK) with Google web 74.125.67.100; TCP port 21 connect request / connect reply with the FTP server 220.13.8.24]


TCP Host Monitoring Configuration Example

[Diagram: WAN1 to ISP1, WAN2 to ISP2]


TCP Host Monitoring Configuration Example


HTTP Host Monitoring

The NetDefend firewall uses the HTTP protocol to check the status of a route.

Only a reply that contains the specified HTTP pattern is accepted by the NetDefend firewall as proof that the host is reachable.

[Diagram: DFL-Series 1.1.1.1/30 via the router at 1.1.1.2/30 to the HTTP server 74.125.67.100: HTTP Request / reply containing the specified HTTP pattern]


HTTP Host Monitoring Configuration Example

[Diagram: WAN1 to ISP1, WAN2 to ISP2]


HTTP Host Monitoring Configuration Example


HTTP Host Monitoring Configuration Example

Set up the monitored target's URL.

Set up the expected web page source code here.



HTTP Host Monitoring Configuration Example

You can set up the expected response like:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

You can't set up the expected response like:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

[Screenshots: the allowed and the disallowed form of the expected response; the difference between the two forms is not preserved in the extracted text]
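The following is an added example, not code from D-Link or NetDefendOS: the TCP and HTTP host-monitoring checks described on the slides above, written with Python's standard library and exercised against a throwaway local HTTP server so that it runs offline. It shows the distinction the slides draw: any completed reply satisfies the TCP check, while the HTTP check is satisfied only when the reply body contains the expected pattern (here the page's DOCTYPE line). The server, page content and addresses are constructed for the demonstration.

```python
# Added example, not D-Link/NetDefendOS code: the two probe types described on
# the slides, implemented with the Python standard library and exercised against
# a local throwaway HTTP server so it runs offline. The TCP probe treats any
# completed connection as a reply; the HTTP probe only accepts a reply whose
# body contains the expected pattern (here the page's DOCTYPE line).
import http.server
import socket
import threading
import urllib.request

# Constructed "web page source" that the monitored target is expected to serve.
EXPECTED = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'
PAGE = (EXPECTED + "\n<html><body>ok</body></html>\n").encode()


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):  # keep the output quiet
        pass


def tcp_probe(host, port, timeout=2.0):
    """TCP host monitoring: the target counts as up if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(url, pattern, timeout=2.0):
    """HTTP host monitoring: up only if the body contains the expected pattern."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except (OSError, ValueError):
        return False
    return pattern in body


def demo():
    """Run both probes against a local server and return the three verdicts."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{port}/"
        return {
            "tcp": tcp_probe("127.0.0.1", port),
            "http_match": http_probe(url, EXPECTED),
            # Wrong pattern: the host answers, yet the route is deemed down.
            "http_mismatch": http_probe(url, "<title>Wrong Page</title>"),
        }
    finally:
        server.shutdown()
        server.server_close()
```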

Check The Route Failover Status

•Check the routing table.
•Check the routing table via CLI.
•Check the host monitoring status.


Hands On



Example of Host Monitoring

[Topology: WAN1 to ISP1 with IP 1.1.1.1/24, GW 1.1.1.2; WAN2 to ISP2 with IP 3.3.3.1/24, GW 3.3.3.2; LAN 192.168.1.1/24 with PC1 192.168.1.50 and PC2 192.168.1.101; HTTP/FTP server 5.5.5.5 reached by outgoing traffic]

Objective:

1. The primary default gateway is the WAN1 default gateway; if the WAN1 default gateway is unavailable, the default gateway changes to WAN2.

2. Set up the route failover function with link state, ARP request and host monitoring in turn, and check what differs between them.

3. The monitored target of the host monitoring is 5.5.5.5.

Example of Host Monitoring: configuration steps

1. Set the IP4 address objects.
2. [Screenshot]
3. [Screenshot]
4. [Screenshot]
5. Create a WAN1 gateway route.
6. Configure the route monitoring function.
7. [Screenshot]
8. Create a WAN2 gateway route entry for secondary gateway routing.
9. Note: why don't we need to set up the route failover function on the WAN2 default route? Because the WAN2 default route is a backup route: traffic only goes through WAN2 when the WAN1 default route has failed. So the route failover monitoring function only needs to be set up on the WAN1 default route.
10. Add an interface group.
11. Add IP rules for traffic going through the WAN2 interface.


Outbound Route Load Balancing


Outline

•Overview
•What is Outbound Route Load Balancing
•How to deploy the RLB Function
•RLB Behaviors
•RLB Algorithms

Hands-on
•Setting and debugging

Q&A


What is Outbound Route Load Balancing?

Outbound Route Load Balancing is the ability to distribute traffic over multiple routes based on a number of predefined distribution algorithms.

[Diagram: ISP1 via WAN1 and ISP2 via WAN2, with traffic to Google spread over both links]

MAIN Routing Table:
0.0.0.0/0 wan1, Metric=10
0.0.0.0/0 wan2, Metric=20


How to deploy Outbound RLB

1. Manually add identical routing entries.
2. Enable RLB.


Manually add identical routing entries for RLB.

[Diagram: WAN1 to ISP1 with IP 1.1.1.1/24, GW 1.1.1.2; WAN2 to ISP2 with IP 3.3.3.1/24, GW 3.3.3.2]


Enable RLB.


Outbound RLB behaviors

•The RLB engine automatically looks up identical routing entries.
•The RLB engine groups the identical routing entries into an RLB group.
•The RLB engine uses the specified algorithm to decide which way traffic goes.
•Outbound RLB Flowchart


Automatically look up the identical routing entries in the routing table.

[Screenshot: routing table with the two sets of identical routing entries marked]


Outbound RLB Engine

Group the routing entries with identical destinations into the RLB engine.

[Screenshot: Group 1 and Group 2 of identical routing entries]


Use the specified algorithm to decide which way traffic goes.

[Diagram: RLB group of WAN1 (ISP1) and WAN2 (ISP2); the RLB engine distributes the traffic to Google across both links]


Outbound RLB Flowchart

1. Outgoing traffic arrives, e.g. src_IP 192.168.1.9, src_IF lan1, destination http://google (dest_IF still to be decided).
2. Look up the dst-network in the main routing table. No match: the packet is dropped by the "Default Access Rule".
3. Match found: are there matching RLB routing entries? No: the packet leaves via the single matching route's interface. Yes: the Outbound Route Load Balancing Engine applies the RLB algorithm and selects WAN1 or WAN2.


Outbound Route Load Balancing Algorithms

•Round Robin Algorithm
•Destination Algorithm
•Spillover Algorithm


Round Robin Algorithm

Successive routes are chosen from the matching routes at random.

If the matching routes have unequal metrics, routes with a lower metric are chosen more often.

[Diagram: outgoing traffic, MAIN routing table, and the RLB Round Robin Algorithm choosing between WAN1 and WAN2 (metrics M=10 and M=20 shown)]


The restriction of the Round Robin Algorithm

[Diagram: RLB Round Robin Algorithm splitting an SSL client's connections to an SSL server between WAN1 (M=10) and WAN2 (M=20)]


Destination Algorithm

Destination is similar to Round Robin, but provides "stickiness": a given destination IP address always gets the same route from a lookup.

[Diagram: outgoing traffic to Google and Facebook passes through the RLB Destination Algorithm over WAN1 (M=10) and WAN2; Destination Stickiness Table: 1. Facebook wan2, 2. Google wan1]


How to set up the Round Robin and Destination Algorithms


Spillover Algorithm

The first matching route's interface is used repeatedly until the Spillover Limits of that route's interface have been exceeded for the Hold Timer.

[Diagram: outgoing traffic, MAIN routing table, RLB Spillover Algorithm over WAN1 (M=10) and WAN2 (M=20)]

Spillover Parameters:
•Utilization Limit: 1 Mbps
•Hold Time: 10 Seconds
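The following is an added example, not D-Link or NetDefendOS code: a simulation of the three RLB algorithms described on the preceding slides for one RLB group (wan1 with metric 10, wan2 with metric 20), using the spillover parameters shown above (1 Mbps limit, 10 second hold time). Weighting Round Robin by the inverse metric, and returning to the first route as soon as its utilization drops under the limit, are assumptions; the timeline of interface utilization is constructed.

```python
# Added example, not D-Link/NetDefendOS code: a simulation of the three RLB
# algorithms described on the slides for one RLB group (wan1 metric 10,
# wan2 metric 20). Round Robin picks a route at random with lower-metric routes
# chosen more often (we weight by 1/metric, an assumption); Destination adds a
# stickiness table so one destination IP always keeps its route; Spillover keeps
# the lowest-metric route until that interface has stayed above the Utilization
# Limit for the Hold Time, then spills over to the next route (returning as soon
# as utilization drops is our assumption).
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RlbRoute:
    iface: str
    metric: int


class RoundRobin:
    def __init__(self, routes: List[RlbRoute], seed: int = 0):
        self.routes = routes
        self.weights = [1.0 / r.metric for r in routes]  # lower metric, more often
        self.rng = random.Random(seed)                    # seeded for repeatability

    def pick(self, dst_ip: str) -> str:
        return self.rng.choices(self.routes, weights=self.weights)[0].iface


class Destination(RoundRobin):
    def __init__(self, routes: List[RlbRoute], seed: int = 0):
        super().__init__(routes, seed)
        self.sticky: Dict[str, str] = {}   # destination stickiness table

    def pick(self, dst_ip: str) -> str:
        if dst_ip not in self.sticky:      # first lookup: choose like Round Robin
            self.sticky[dst_ip] = super().pick(dst_ip)
        return self.sticky[dst_ip]         # later lookups: same route, same source IP


class Spillover:
    def __init__(self, routes: List[RlbRoute], limit_kbps: int, hold_time_s: int):
        self.routes = sorted(routes, key=lambda r: r.metric)
        self.limit, self.hold = limit_kbps, hold_time_s
        self.over_since: Dict[str, float] = {}  # iface -> time it first went over

    def pick(self, now: float, util_kbps: Dict[str, int]) -> str:
        """util_kbps is the current per-interface throughput (measured externally)."""
        for r in self.routes[:-1]:
            if util_kbps.get(r.iface, 0) > self.limit:
                first = self.over_since.setdefault(r.iface, now)
                if now - first >= self.hold:   # over the limit for the hold time
                    continue                   # spill over to the next route
            else:
                self.over_since.pop(r.iface, None)
            return r.iface
        return self.routes[-1].iface           # last route takes the overflow


def distribution(algo: RoundRobin, dst_ips: List[str]) -> Dict[str, int]:
    """Count how many lookups each interface won."""
    counts: Dict[str, int] = {}
    for ip in dst_ips:
        iface = algo.pick(ip)
        counts[iface] = counts.get(iface, 0) + 1
    return counts


GROUP = [RlbRoute("wan1", 10), RlbRoute("wan2", 20)]


def spillover_trace() -> List[str]:
    """Constructed timeline: wan1 over 1 Mbps from t=0, back under the limit at t=12."""
    algo = Spillover(GROUP, limit_kbps=1000, hold_time_s=10)
    timeline = [(0, 1500), (5, 1500), (10, 1500), (11, 1500), (12, 800)]
    return [algo.pick(t, {"wan1": kbps, "wan2": 0}) for t, kbps in timeline]
```

The spillover trace shows wan1 carrying traffic for the first ten seconds over the limit, wan2 taking new lookups once the hold time has elapsed, and wan1 resuming when its utilization falls back under 1 Mbps.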


Spillover Algorithm

How to set up the spillover algorithm



Hands On



Example of Route Load Balancing

[Topology: WAN1 to ISP1 with IP 1.1.1.1/24, GW 1.1.1.2; WAN2 to ISP2 with IP 3.3.3.1/24, GW 3.3.3.2; LAN 192.168.1.1/24 with PC1 192.168.1.50 and PC2 192.168.1.101; HTTP/FTP server 5.5.5.5]

Objective:

1. There are two Internet links, ISP1 and ISP2. All outgoing traffic is load balanced over ISP1 and ISP2.

2. Configure the RLB instance objects as Round Robin, Destination and Spillover in turn, and check what differs between them.

Example of Route Load Balancing: configuration steps

1. Set the IP4 address objects.
2. Add two default routes.
3. Add a wan1, wan2 interface group.
4. Add an IP rule entry.
5. Add a Round Robin or Destination route load balancing instance. Check the RLB status.
6. Add a Spillover load balancing instance.
7. Add the spillover settings.


Thank you
