D-Link Net-Defend Firewall Training

D - L ink Ne t- D e fe nd s F ire wa ll Tra ining
©Copyright 2009. By D-Link HQ TSD Benson Wu

D-Link TSD 2009 workshop

Firewall Products
9:00~11:00 2hr Anti-spam and Anti-Virus 　

11:00 ~ 11:10 10 mins Coffee Break 　

11:10 ~ 12:40 1hr 30 mins Policy Based Route 　

12:40 ~ 13:40 1hr Lunch 　

13:40 ~ 15:10 1hr 30 mins Host Monitoring 　

15:10 ~ 15:30 20 mins Coffee Break 　

15:20 ~ 17:00 1 hr 30 mins Outbound Route Load Balancing 　

　　 Finish 　

2

Host Monitoring

3

Outline

Host Monitoring
•Overview
•What is Route Failover
•The key points of the route failover mechanism
•How to deploy the route failover mechanism
•The methods of route failover mechanism
•Link Status
•ARP Request
•Host monitoring
•The Host Monitoring Methods
•How to check the status of routing table

Hands-on
•Setting and debugging

Q&A 4

What Is Route Failover ?
Route Failover Mechanism can uses the Route Monitoring Function to check
the availability of routes and switches traffic to an alternate routes if the
preferred route failed.

MAIN Routing Table

ISP1 ISP2 0.0.0.0/0  wan1, Metric=10, Primary
0.0.0.0/0  wan2, Metric=20, Backup

WAN1 WAN2

Google
Google 5

The Key Points Of Route Failover Mechanism
• How the route failover to process traffic.
• Multiple routes failover.
• Re-enable the routes.

6

How the route failover mechanism to process traffic

ISP1 ISP2

WAN1 WAN2

Google
Google

7

Multiple routes failover

ISP1 ISP2 ISP3

Primary
WAN2 Secondary
Third
WAN1 PPPoE

8

Re-enable the routes
Net-Defends firewall will Continue to check the status of
the disabled route.
If the disabled route is available again, the Net-Defends
firewall will enable this route.

9

How To Deploy The Route Failover
Manual add routing entries and setup the metrics.
Enable the route failover function in preferred
routes.
• Add Interface group for traffic failover to alternate
interface
• Add IP Rules for traffic failover to backup routes.

10

• Manual add routing entries and setup the metrics

ISP1 ISP2

WAN1: WAN2:
IP:1.1.1.1/24 IP:3.3.3.1/24
GW:1.1.1.2 GW:3.3.3.2

11

Enable the route failover function in the primary routes

12

• Add Interface group for traffic failover to alternate interface

13

• Add IP rules to allow traffic failover to backup interfaces

14

The Methods Of The Route Failover Mechanism
Interface link status method
Monitor gateway using ARP method
Host monitoring method

15

Interface link status method
Monitor the link status of the physical interface.

1.1.1.2/30
Router
wan1:1.1.1.1/30
DFL-Series

wan2:5.5.5.1/30
Router

5.5.5.2/30

0.0.0.0/0  wan1, Gateway: 1.1.1.2, Metric=10, Route Failover Enabled
0.0.0.0/0  wan2, Gateway: 5.5.5.2, Metric=20
16

Monitor gateway using ARP method
If a gateway IP has been specified in a route, the Net-Defends
firewall can use ARP request to check the status of the gateway.
This method can avoid the gateway crashed.

MAIN Routing Table
0.0.0.0/0  wan1, Gateway: 1.1.1.2, M=10
0.0.0.0/0  wan2, Gateway: 3.3.3.2, M=20

wan1:1.1.1.1/30 1.1.1.2/30 PPPoE

DFL-Series Router
ISP1
ARP Request

ARP Reply 17

The restriction of the Link status and ARP request methods
Remote node connection fail.
1.1.1.2/30
Router
wan1:1.1.1.1/30
DFL-Series

wan2:5.5.5.1/30
Router

5.5.5.2/30

0.0.0.0/0  wan1, Gateway: 1.1.1.2, Metric=10, Link state/ARP request
0.0.0.0/0  wan2, Gateway: 5.5.5.2, Metric=20
18

Host monitoring method
• To provide more flexible ways to monitor routes status.
• Host monitoring using more reliable methods to check the status of
routes.

1.1.1.2/30
Router
wan1:1.1.1.1/30
DFL-Series

wan2:5.5.5.1/30 Google Web Site
Router 74.125.67.100

5.5.5.2/30
19

Methods of the host monitoring
• ICMP Host Monitoring
• TCP Host Monitoring
• HTTP Host Monitoring

20

ICMP Host Monitoring
Net-Defends firewall uses ping request to remote hosts to check
the status of route.

Ping Request

1.1.1.1/30 1.1.1.2/30
DFL-Series Router Google Web
74.125.67.100

Ping Reply

21

ICMP Host Monitoring Configuration Example

ISP1 ISP2

WAN1 WAN2

22

Grace Period:
This is the time after startup or after reconfiguration
of the Net-Defends firewall which Net-Defends firewall will
wait before starting Route Monitoring.

Minimum Number of Hosts Reachable:
This is the minimum number of hosts that must be consider
to be accessible before the route is deemed to have failed.
All:
all monitored targets must detectable, or this route will be
disabled.
None:
at lease one of monitored targets must detectable, or this
route will be disabled.
Specific:
the specific number of monitored targets must detectable, or
this route will be disabled.

23

Polling Interval:
The interval in milliseconds between polling attempts. The
default setting is 10,000 and the minimum value allowed is
100 ms.
Reachability Required:
You can enable the Reachability Required in some
monitored targets. If Net-Defends firewall determines that
any host with this option enabled is not reachable, Route
Failover is initiated.
Sample:
The number of samples are used for calculating the
Percentage Loss and the Average Latency. This value
cannot be less than 1.
Max Poll Fails:
The maximum permissible number of polling attempts that
fail. If this number is exceeded then the host is considered
unreachable.
Max Average Latency:
Average Latency is calculated by averaging the response
times from the host. If a polling attempt receives no
response then it is not included in the averaging calculation. 24

Host Monitoring Sample List
1. ICMP request, Result=Ok, Latency=700ms
2. ICMP request, Result=NG

25

Host Monitoring Sample List

2. ICMP request, Result=Ok Latency=700ms

26

TCP Host Monitoring
Net-Defends firewall uses specified TCP protocol to check the status
of routes.
Any reply from the monitored target will be identified by DFL
firewall.
TCP 80 port Handshaking Sync
TCP 21 port Connect Request

1.1.1.1/30 1.1.1.2/30
DFL-Series Router FTP Server
Google Web
74.125.67.100
220.13.8.24

TCP 80 port Handshaking Sync Ack
TCP 21 port Connect Reply

27

TCP Host Monitoring Configuration Example

ISP1 ISP2

WAN1 WAN2

28

TCP Host Monitoring Configuration Example

29

HTTP Host Monitoring
Net-Defends firewall uses HTTP protocol to check the status of
routes.
Only specified HTTP patterns in the reply will be identified by Net-
Defends firewall.

HTTP Request

1.1.1.1/30 1.1.1.2/30
DFL-Series Router HTTP Server
74.125.67.100

Specified HTTP patterns Reply

30

HTTP Host Monitoring Configuration Example

ISP1 ISP2

WAN1 WAN2

31


32


Setup the monitored target’s URL

Setup the web page’s source code in here

33


34


35


36

• You can setup the expected response like:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
• You can’t setup the expected response like:

37

Check The Route Failover Status
Check the routing table.

38

Check the routing table.

39

Check the routing table via CLI.

40

Check the host monitoring status.

41

Hands On

42

Example of Host Monitoring
HTTP/FTP server
5.5.5.5

Objective:
Outgoing Traffic Outgoing Traffic • The primary default gateway is the WAN1
default gateway, if the WAN1 default
ISP1 ISP2
gateway is unavailable, the default
gateway will change to WAN2.

WAN1: WAN2:
• Please try to setup the route failover
IP:1.1.1.1/24 IP:3.3.3.1/24
function to link state/ARP request/host
GW:1.1.1.2 GW:3.3.3.2
monitoring, to check what’s different
LAN: 192.168.1.1/24
between each other.
• The monitored target of the host
monitoring is 5.5.5.5.

PC1: 192.168.1.50 PC2: 192.168.1.101
43

1 Set the object of IP4 address

44

2

45

3

46

4

47

5 Create a WAN1 gateway route.

48

6 Configure the Route Monitoring Function.

49

7

50

8 Create a WAN2 gateway route entry for secondary gateway routing.

51

9

Note.
Why we don’t need setup the route failover function in the WAN2 default route ?
Because the WAN2 default route is a backup route, the traffic only go through WAN2 when the
WAN1 default route is fail. So we only need setup the route failover monitoring function in the
WAN1 default route.
52

10 Add a interface group.

53

11 Add IP-Rules for traffic go through WAN2 interface.

54

11 Add IP-Rules for traffic go through WAN2 interface.

55

Outbound Route Load Balancing

56

Outline

Outbound Route Load Balancing
•Overview
•What is Outbound Route Load Balancing
•How to deploy the RLB Function
•RLB Behaviors
•RLB Algorithms

Hands-on
•Setting and debugging

Q&A

57

What is Outbound Route Load Balancing ?
Outbound Route Load Balancing is the ability to distribute traffic over
multiple routes based on a number of predefined distribution algorithms.

MAIN Routing Table

0.0.0.0/0  wan1 , Metric=10
ISP1 ISP2
0.0.0.0/0  wan2 , Metric=20

WAN1 WAN2

Google
Google 58
Google D-Link TSD 2009 workshop

How to deploy Outbound RLB
Manual add identical routing entries.
Enable RLB.

59

Manually add identical routing entries for RLB.

ISP1 ISP2

WAN1: WAN2:
IP:1.1.1.1/24 IP:3.3.3.1/24
GW:1.1.1.2 GW:3.3.3.2

60

Enable RLB.

61

Outbound RLB behaviors
RLB engine auto lookup the identical routing
entries.
RLB engine grouping the identical routing
entries into RLB engine.
RLB engine using specify algorithm to design
traffic go which way.
• Outbound RLB Flowchart

62

Auto lookup the identical routing entries in the routing
table.

Identical routing entires

Identical routing entries

63

Grouping the identical destination routing entries into
RLB engine.

Outbound RLB Engine
Group 1

Group 2

64

Using specified algorithm to design traffic go which
way.
RLB Group

WAN1 ISP1

Google
Google RLB

WAN2

ISP2

65

Outbound RLB Flowchart
src_IP src-_IF destination dest-_IF
192.168.1.9 lan1 http://google WAN1 or WAN2
No Interface

Outgoing Lookup dst-network Matching
traffic in main Yes RLB routing entries
WAN1
routing table

No
RLB
Yes Algorithm
Dropped by
“Default Access Rule”

WAN2

Outbound Route Load Balancing Engine

66

Outbound Route Load Balancing Algorithms

• Round Robin Algorithm

• Destination Algorithm

• Spillover Algorithm

67

Round Robin Algorithm
• Successive routes are chosen from the matching routes in a
Randomly.
• If the matching routes have unequal metric, then routes with lower metric are
triggered more often.

Outgoing RLB Round Robin Algorithm
traffic

M=10 WAN1
MAIN
Routing Table
M=10
M=20 WAN2

68

The restriction Of Round Robin Algorithm

RLB Round Robin Algorithm

M=10 WAN1

M=10
M=20 WAN2
SSL Client SSL Server

69

Destination Algorithm
• Destination is similar to Round Robin, but provides the “stickiness”
• The unique destination IP addresses always get the same route from a
lookup Google

To
Outgoing
Face Book
To RLB Destination Algorithm
traffic
Google
M=10 WAN1
MAIN
Routing Table
M=10 WAN2

Destination Stickiness Table
1. Face book  wan2
Face book
2. Google  wan1
70

Destination Algorithm
• How to setup the Round Robin and Destination Algorithms

71

Spillover Algorithm
The first matching route's interface is repeatedly used until the Spillover
Limits of that route's interface are exceeded for the Hold Timer.

Outgoing RLB Spillover Algorithm
traffic

M=10 WAN1
MAIN
Routing Table
M=20 WAN2

Spillover Parameters
* Utilization Limit: 1Mbps
* Hold Time: 10 Seconds
72

Spillover Algorithm
How to setup the spillover algorithm

73

Spillover Algorithm
How to setup the spillover algorithm

74

Route Load Balancing Algorithm Reset
After Net-Defends firewall reconfiguration/reboot.
After a high availability failover.

75

Hands On

76

Example of Route Load Balancing
HTTP/FTP server
5.5.5.5

Objective:
2. There are two Internet links, ISP1 and
ISP2. All traffic is outgoing via ISP1 and
ISP1 ISP2 ISP2 load balancing.
3. Try to configure the RLB instance objects
WAN1: WAN2:
to Round Robin/Destination/Spillover , to
IP:1.1.1.1/24 IP:3.3.3.1/24
check what’s difference between each
GW:1.1.1.2 GW:3.3.3.2
other.

LAN: 192.168.1.1/24

PC1: 192.168.1.50 PC2: 192.168.1.101
77

1 Set the object of IP4 address 2 Add two default route

78

3 Add wan1, wan2 Interface Group

4 Add a IP-Rule entry

79

5 Add a Round Robin or Destination Route Load Balancing Instance. Check the RLB status.

80

6 Add a Spillover Load Balancing Instance

81

7 Add a Spillover Settings

82

Thank you

83

D-Link Net-Defend Firewall Training

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie D-Link Net-Defend Firewall Training

Ähnlich wie D-Link Net-Defend Firewall Training (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

D-Link Net-Defend Firewall Training