The WAN2 default route is the backup route. Route failover monitoring only needs to be enabled on the primary route (the WAN1 default route): when monitoring detects that WAN1 has failed, the route is disabled and traffic uses the backup WAN2 route instead. Since the WAN2 route is only used while the primary is down, no additional route monitoring has to be configured on it in a two-route setup. With more than two candidate routes, monitoring is enabled on every route that has a further backup behind it.
4. Outline
Host Monitoring
• Overview
• What is route failover
• The key points of the route failover mechanism
• How to deploy the route failover mechanism
• The methods of the route failover mechanism
  • Link status
  • ARP request
  • Host monitoring
• The host monitoring methods
• How to check the status of the routing table
Hands-on
• Setting and debugging
Q&A
D-Link TSD 2009 workshop
5. What Is Route Failover ?
The route failover mechanism uses the route monitoring function to check the availability of routes and switches traffic to an alternate route if the preferred route fails.
MAIN routing table:
  0.0.0.0/0  wan1, Metric=10  (primary, via ISP1)
  0.0.0.0/0  wan2, Metric=20  (backup, via ISP2)
Diagram: the firewall has two uplinks, WAN1 to ISP1 and WAN2 to ISP2, and either path reaches the example destination (Google).
6. The Key Points Of Route Failover Mechanism
• How the route failover mechanism processes traffic.
• Failover across multiple routes.
• Re-enabling the routes.
7. How the route failover mechanism processes traffic
Diagram: outbound traffic to Google normally leaves through WAN1 (ISP1); once the WAN1 route has been disabled by route monitoring, the same traffic is routed through WAN2 (ISP2).
9. Re-enable the routes
The NetDefend firewall continues to check the status of a disabled route.
If the disabled route becomes available again, the NetDefend firewall re-enables it, and traffic returns to the preferred route.
10. How To Deploy The Route Failover
1. Manually add the routing entries and set their metrics (lower metric = preferred route).
2. Enable the route failover function on the preferred routes.
3. Add an interface group so traffic can fail over to the alternate interface.
4. Add IP rules that allow the traffic to use the backup routes.
12. Enable the route failover function on the primary routes
13. Add an interface group for traffic failover to the alternate interface
14. Add IP rules to allow traffic to fail over to the backup interfaces
15. The Methods Of The Route Failover Mechanism
• Interface link status method
• Monitor gateway using ARP method
• Host monitoring method
16. Interface link status method
Monitors the link status of the physical interface.
Topology: DFL-Series wan1 1.1.1.1/30 connects to a router at 1.1.1.2/30; wan2 5.5.5.1/30 connects to a router at 5.5.5.2/30.
  0.0.0.0/0  wan1, Gateway: 1.1.1.2, Metric=10, Route Failover Enabled
  0.0.0.0/0  wan2, Gateway: 5.5.5.2, Metric=20
17. Monitor gateway using ARP method
If a gateway IP has been specified in a route, the NetDefend firewall can use ARP requests to check the status of that gateway.
Unlike the link status method, this detects a gateway that has crashed while the physical link stays up.
MAIN routing table:
  0.0.0.0/0  wan1, Gateway: 1.1.1.2, M=10
  0.0.0.0/0  wan2, Gateway: 3.3.3.2, M=20
Diagram: DFL-Series wan1 1.1.1.1/30 sends an ARP request to the ISP1 router at 1.1.1.2/30 (PPPoE); the router's ARP reply confirms that the gateway is alive.
18. The restriction of the link status and ARP request methods
Both methods only see the next hop. If the remote node behind the gateway fails, the link stays up and the gateway still answers ARP, so the route is never disabled even though traffic no longer reaches the Internet.
Topology: DFL-Series wan1 1.1.1.1/30 to router 1.1.1.2/30; wan2 5.5.5.1/30 to router 5.5.5.2/30.
  0.0.0.0/0  wan1, Gateway: 1.1.1.2, Metric=10, monitored by link state/ARP request
  0.0.0.0/0  wan2, Gateway: 5.5.5.2, Metric=20
19. Host monitoring method
• Provides more flexible ways to monitor route status.
• Host monitoring uses more reliable checks (probing hosts beyond the gateway) to determine the status of a route.
Topology: DFL-Series wan1 1.1.1.1/30 to router 1.1.1.2/30; wan2 5.5.5.1/30 to router 5.5.5.2/30; the monitored target is the Google web site at 74.125.67.100.
21. ICMP Host Monitoring
The NetDefend firewall sends ICMP ping requests to remote hosts to check the status of a route.
Diagram: DFL-Series (1.1.1.1/30) sends a ping request through the router (1.1.1.2/30) to the Google web server 74.125.67.100; the ping reply shows the route is usable.
23. ICMP Host Monitoring Configuration Example
Grace Period:
The time after startup or after reconfiguration of the NetDefend firewall during which the firewall waits before starting route monitoring.
Minimum Number of Hosts Reachable:
The minimum number of monitored hosts that must be considered reachable for the route to stay enabled; if fewer hosts are reachable, the route is deemed to have failed.
All:
All monitored targets must be reachable, or this route will be disabled.
None:
At least one monitored target must be reachable, or this route will be disabled.
Specific:
The specified number of monitored targets must be reachable, or this route will be disabled.
24. ICMP Host Monitoring Configuration Example
Polling Interval:
The interval in milliseconds between polling attempts. The default setting is 10,000 and the minimum value allowed is 100 ms.
Reachability Required:
Can be enabled on individual monitored targets. If the NetDefend firewall determines that any host with this option enabled is not reachable, route failover is initiated regardless of how many other hosts are reachable.
Samples:
The number of samples used for calculating the Percentage Loss and the Average Latency. This value cannot be less than 1.
Max Poll Fails:
The maximum permissible number of polling attempts that fail. If this number is exceeded, the host is considered unreachable.
Max Average Latency:
Average Latency is calculated by averaging the response times from the host. A polling attempt that receives no response is not included in the averaging calculation.
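The parameters above combine into a fairly simple decision per route. The following is an added example (not NetDefendOS code) that models that decision with constructed poll data: a host is reachable only if, over the last `samples` polls, no more than `max_poll_fails` went unanswered and the average latency of the answered polls stays under the limit; the route fails over when a "Reachability Required" host is down or when fewer hosts than the "Minimum Number of Hosts Reachable" setting remain reachable. The class and field names are this example's own, and the `max_percentage_loss` threshold is an assumed companion to the Percentage Loss figure the slide mentions.

```python
"""Route-failover decision logic modelled on the host-monitoring parameters
(grace period, samples, max poll fails, max average latency, minimum hosts
reachable, reachability required). Added example with constructed poll data;
not NetDefendOS code. Names are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class MonitoredHost:
    name: str
    samples: int = 10                   # polls kept for loss/latency calculation (>= 1)
    max_poll_fails: int = 5             # unreachable if MORE than this many polls failed
    max_average_latency_ms: float = 800.0
    max_percentage_loss: float = 50.0   # assumed threshold on the Percentage Loss figure
    reachability_required: bool = False
    history: List[Optional[float]] = field(default_factory=list)  # RTT ms; None = no reply

    def record(self, rtt_ms: Optional[float]) -> None:
        """Store one poll result, keeping only the last `samples` results."""
        self.history.append(rtt_ms)
        del self.history[:-self.samples]

    def stats(self):
        """(failed polls, percentage loss, average latency of answered polls or None)."""
        fails = sum(1 for r in self.history if r is None)
        replies = [r for r in self.history if r is not None]
        loss = 100.0 * fails / len(self.history) if self.history else 100.0
        avg = sum(replies) / len(replies) if replies else None  # unanswered polls excluded
        return fails, loss, avg

    def reachable(self) -> bool:
        fails, loss, avg = self.stats()
        if fails > self.max_poll_fails or loss > self.max_percentage_loss:
            return False
        return avg is not None and avg <= self.max_average_latency_ms


@dataclass
class MonitoredRoute:
    name: str
    hosts: List[MonitoredHost]
    min_hosts_reachable: Union[str, int] = "all"   # "all", "none" (= at least one) or a number
    grace_period_s: float = 30.0

    def required_hosts(self) -> int:
        if self.min_hosts_reachable == "all":
            return len(self.hosts)
        if self.min_hosts_reachable == "none":
            return 1        # slide: at least one monitored target must still answer
        return int(self.min_hosts_reachable)

    def should_fail_over(self, seconds_since_start: float) -> bool:
        """True when this route must be disabled and traffic moved to the backup."""
        if seconds_since_start < self.grace_period_s:
            return False    # monitoring has not started yet
        if any(h.reachability_required and not h.reachable() for h in self.hosts):
            return True     # a required host is down: fail over regardless of the count
        reachable = sum(1 for h in self.hosts if h.reachable())
        return reachable < self.required_hosts()


def build_demo_hosts():
    """Three constructed targets: healthy, lossy (6 of 10 polls lost) and slow (900 ms)."""
    healthy = MonitoredHost("5.5.5.5")
    lossy = MonitoredHost("74.125.67.100")
    slow = MonitoredHost("220.13.8.24")
    for i in range(10):
        healthy.record(20.0 + i)
        lossy.record(None if i < 6 else 30.0)
        slow.record(900.0)
    return healthy, lossy, slow


def demo():
    """Verdicts for the same three hosts under each 'minimum hosts' setting."""
    healthy, lossy, slow = build_demo_hosts()
    hosts = [healthy, lossy, slow]          # only `healthy` is reachable
    verdicts = {
        "all": MonitoredRoute("wan1", hosts, "all").should_fail_over(60),
        "none": MonitoredRoute("wan1", hosts, "none").should_fail_over(60),
        "specific2": MonitoredRoute("wan1", hosts, 2).should_fail_over(60),
        "grace": MonitoredRoute("wan1", hosts, "all").should_fail_over(10),
    }
    lossy.reachability_required = True      # now the lossy host alone forces failover
    verdicts["required"] = MonitoredRoute("wan1", hosts, "none").should_fail_over(60)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry a practitioner should keep in mind: "None" still requires one answering target, so a route whose only target is down is disabled even under the most permissive setting, and a single "Reachability Required" host overrides the count entirely. Pick targets that fail only when the path really is unusable, not a single busy public server.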
27. TCP Host Monitoring
The NetDefend firewall opens a connection with the specified TCP protocol/port to check the status of a route.
Any reply from the monitored target (a completed handshake) is accepted by the DFL firewall as proof the host is alive; the content of the reply is not inspected.
Diagram: DFL-Series (1.1.1.1/30) through the router (1.1.1.2/30):
  TCP port 80 handshake SYN to the Google web server 74.125.67.100, answered with SYN-ACK
  TCP port 21 connect request to the FTP server 220.13.8.24, answered with a connect reply
30. HTTP Host Monitoring
The NetDefend firewall uses the HTTP protocol to check the status of a route.
Only a reply containing the specified HTTP pattern is accepted by the NetDefend firewall; any other reply counts as a failed poll.
Diagram: DFL-Series (1.1.1.1/30) sends an HTTP request through the router (1.1.1.2/30) to the HTTP server 74.125.67.100 and expects a reply containing the specified HTTP pattern.
37. HTTP Host Monitoring Configuration Example
• You can set the expected response to a pattern such as:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
• You cannot set the expected response to a pattern such as:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
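The difference between the TCP and HTTP monitoring methods is what counts as "alive". The following added example (not NetDefendOS code) implements both probes in Python against a small constructed HTTP server on localhost, so it runs offline: the TCP probe accepts any completed handshake, while the HTTP probe requires the expected pattern in the response body, which is what lets it reject a captive portal or error page that still answers on port 80. The server, page body and patterns are constructed for the example.

```python
"""TCP-connect and HTTP-pattern host monitoring probes. Added example, not
NetDefendOS code; the local test server and its page are constructed here."""
import http.server
import socket
import threading


class _PageHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: serves a fixed page whose first line is the DOCTYPE used on the slide."""
    body = (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n'
            b"<html><body>example page</body></html>")

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_test_server():
    """Bind an ephemeral port on 127.0.0.1 and serve in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _PageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP monitoring: any completed three-way handshake means 'reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(host: str, port: int, expected: bytes, path: str = "/",
               timeout: float = 2.0) -> bool:
    """HTTP monitoring: reachable only if an HTTP reply arrives AND its body contains `expected`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path.encode(), host.encode()))
            chunks = []
            while True:                     # HTTP/1.0: server closes after the reply
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return False
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.startswith(b"HTTP/1.") and expected in body


def run_demo() -> dict:
    """Probe the constructed server with both methods, then again after it is gone."""
    srv = start_test_server()
    port = srv.server_address[1]
    results = {
        "tcp": tcp_probe("127.0.0.1", port),
        "http_match": http_probe("127.0.0.1", port, b'DTD HTML 3.2 Final'),
        "http_no_match": http_probe("127.0.0.1", port, b"Maintenance page"),
    }
    srv.shutdown()
    srv.server_close()
    results["tcp_after_shutdown"] = tcp_probe("127.0.0.1", port)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `http_no_match` case is the one that matters operationally: the server is up and answering, so the TCP probe says "reachable", but because the page does not contain the expected pattern the HTTP probe counts the poll as failed. Choose a pattern that only the real target returns, and keep it short and stable across site redesigns, or the route will flap for reasons unrelated to the link.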
38. Check The Route Failover Status
Check the routing table.
39. Check The Route Failover Status
Check the routing table.
40. Check The Route Failover Status
Check the routing table via the CLI.
41. Check The Route Failover Status
Check the host monitoring status.
43. Example of Host Monitoring
Topology:
  WAN1 (to ISP1): IP 1.1.1.1/24, GW 1.1.1.2
  WAN2 (to ISP2): IP 3.3.3.1/24, GW 3.3.3.2
  LAN: 192.168.1.1/24, with PC1 192.168.1.50 and PC2 192.168.1.101
  HTTP/FTP server (monitored target): 5.5.5.5
Objective:
• The primary default gateway is the WAN1 default gateway; if the WAN1 default gateway becomes unavailable, the default gateway changes to WAN2.
• Set up the route failover function with each of link state, ARP request and host monitoring in turn, and check how the three methods differ.
• The monitored target for host monitoring is 5.5.5.5.
44. Example of Host Monitoring
1. Create the IP4 address objects.
51. Example of Host Monitoring
8. Create the WAN2 gateway route entry as the secondary (backup) gateway route.
52. Example of Host Monitoring
9. Note: why is the route failover function not enabled on the WAN2 default route?
Because the WAN2 default route is the backup route: traffic only goes through WAN2 once the WAN1 default route has failed. So the route failover monitoring function only needs to be enabled on the WAN1 default route.
53. Example of Host Monitoring
10. Add an interface group.
54. Example of Host Monitoring
11. Add IP rules for the traffic that goes through the WAN2 interface.
55. Example of Host Monitoring
11. (continued) Add IP rules for the traffic that goes through the WAN2 interface.
57. Outline
Outbound Route Load Balancing
• Overview
• What is outbound route load balancing
• How to deploy the RLB function
• RLB behaviours
• RLB algorithms
Hands-on
• Setting and debugging
Q&A
58. What is Outbound Route Load Balancing ?
Outbound route load balancing (RLB) is the ability to distribute traffic over multiple routes according to one of several predefined distribution algorithms.
MAIN routing table:
  0.0.0.0/0  wan1, Metric=10
  0.0.0.0/0  wan2, Metric=20
Diagram: both WAN1 (ISP1) and WAN2 (ISP2) carry outbound traffic to Google at the same time instead of one being a pure backup.
59. How to deploy Outbound RLB
Manually add routing entries for the same destination network (one per WAN interface), then enable RLB on that routing table.
68. Round Robin Algorithm
• Successive lookups pick the matching routes in turn, one after another.
• If the matching routes have unequal metrics, the routes with the lower metric are chosen more often.
Diagram: outgoing traffic enters the MAIN routing table and the Round Robin algorithm spreads it across the WAN1 (M=10) and WAN2 (M=20) routes.
69. The restriction Of Round Robin Algorithm
Diagram: an SSL client behind the firewall talks to an SSL server while two matching routes (WAN1 M=10, WAN2 M=20) are load balanced by Round Robin. Successive connections from the same client can leave through different WAN interfaces, and therefore with different source addresses, so a server that ties a session to the client's address sees it change. This is the case the Destination algorithm's stickiness addresses.
70. Destination Algorithm
• Destination is similar to Round Robin but provides "stickiness".
• Each unique destination IP address always gets the same route from a lookup.
Diagram: outgoing traffic to Google and to Facebook passes through the MAIN routing table (WAN1 M=10, WAN2 M=10) under the Destination algorithm. The destination stickiness table records the first choice for each destination (1. Facebook → wan2, 2. Google → wan1), and later lookups for the same destination reuse that route.
72. Spillover Algorithm
The first matching route's interface is used repeatedly until the spillover limits configured for that interface have been exceeded for the duration of the hold timer; only then does traffic spill over to the next matching route.
Diagram: outgoing traffic enters the MAIN routing table under the Spillover algorithm, with WAN1 (M=10) as the first route and WAN2 (M=20) as the spillover route.
Spillover parameters used in the example:
* Utilization limit: 1 Mbps
* Hold time: 10 seconds
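To make the three algorithms comparable, the following added example (not NetDefendOS code) simulates them on constructed traffic: weighted Round Robin, Destination with a stickiness table on top of it, and Spillover with the 1 Mbps / 10 s parameters from the slide. Two details are assumptions of this example rather than facts from the slides: the metric-to-weight ratio (a metric-10 route is picked twice as often as a metric-20 route) and the rule that Spillover returns to the first route once its utilization has stayed below the limit for the hold time.

```python
"""Simulation of the outbound RLB algorithms: Round Robin, Destination and
Spillover. Added example with constructed traffic; not NetDefendOS code. The
weight ratio and the spill-back rule are assumptions of this example."""
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    iface: str
    metric: int


class RoundRobin:
    """Smooth weighted round robin; weight = lcm(metrics) / metric (assumed ratio)."""

    def __init__(self, routes: List[Route]):
        self.routes = list(routes)
        scale = reduce(lambda a, b: a * b // gcd(a, b), (r.metric for r in self.routes))
        self.weights = [scale // r.metric for r in self.routes]
        self.current = [0] * len(self.routes)

    def select(self) -> Route:
        total = sum(self.weights)
        for i, w in enumerate(self.weights):
            self.current[i] += w
        best = max(range(len(self.routes)), key=lambda i: self.current[i])
        self.current[best] -= total
        return self.routes[best]


class Destination:
    """Round Robin plus a stickiness table: a destination keeps its first route."""

    def __init__(self, routes: List[Route]):
        self.rr = RoundRobin(routes)
        self.sticky: Dict[str, Route] = {}

    def select(self, dst: str) -> Route:
        if dst not in self.sticky:
            self.sticky[dst] = self.rr.select()
        return self.sticky[dst]


class Spillover:
    """Use the lowest-metric route; spill to the next once the primary interface
    has stayed above the limit for hold_time seconds, and (assumed) come back
    once it has stayed below the limit for as long."""

    def __init__(self, routes: List[Route], limit_bps: float, hold_time_s: float):
        self.routes = sorted(routes, key=lambda r: r.metric)
        self.limit, self.hold = limit_bps, hold_time_s
        self.active = 0
        self.over_since: Optional[float] = None
        self.under_since: Optional[float] = None

    def select(self, now_s: float, primary_util_bps: float) -> Route:
        if primary_util_bps > self.limit:
            self.under_since = None
            self.over_since = now_s if self.over_since is None else self.over_since
            if now_s - self.over_since >= self.hold and len(self.routes) > 1:
                self.active = 1
        else:
            self.over_since = None
            self.under_since = now_s if self.under_since is None else self.under_since
            if now_s - self.under_since >= self.hold:
                self.active = 0
        return self.routes[self.active]


def round_robin_counts(picks: int = 6) -> Dict[str, int]:
    """How often each interface is chosen with metrics 10 and 20."""
    rr = RoundRobin([Route("wan1", 10), Route("wan2", 20)])
    counts: Dict[str, int] = {}
    for _ in range(picks):
        iface = rr.select().iface
        counts[iface] = counts.get(iface, 0) + 1
    return counts


def destination_lookups() -> List[Tuple[str, str]]:
    """Destination names stand in for destination IPs; repeats stay on their first route."""
    dst = Destination([Route("wan1", 10), Route("wan2", 10)])
    flows = ["facebook", "google", "facebook", "google", "facebook"]
    return [(d, dst.select(d).iface) for d in flows]


def spillover_timeline() -> Dict[int, str]:
    """Constructed WAN1 load: 1.5 Mbps for t=0..10, then 0.5 Mbps; limit 1 Mbps, hold 10 s."""
    sp = Spillover([Route("wan1", 10), Route("wan2", 20)], limit_bps=1_000_000, hold_time_s=10)
    return {t: sp.select(t, 1_500_000 if t <= 10 else 500_000).iface for t in range(22)}


if __name__ == "__main__":
    print(round_robin_counts(), destination_lookups(), spillover_timeline(), sep="\n")
```

The timeline shows why the hold time exists: a single second above the limit does not move traffic, it takes ten consecutive seconds, and the same damping applies on the way back, so a bursty link does not bounce sessions between ISPs.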
73. Spillover Algorithm
How to set up the spillover algorithm.
74. Spillover Algorithm
How to set up the spillover algorithm (continued).
75. Route Load Balancing Algorithm Reset
The RLB algorithm state (round robin position, stickiness table, spillover timers) is reset:
• after a NetDefend firewall reconfiguration or reboot;
• after a high availability failover.
77. Example of Route Load Balancing
Topology:
  WAN1 (to ISP1): IP 1.1.1.1/24, GW 1.1.1.2
  WAN2 (to ISP2): IP 3.3.3.1/24, GW 3.3.3.2
  LAN: 192.168.1.1/24, with PC1 192.168.1.50 and PC2 192.168.1.101
  HTTP/FTP server: 5.5.5.5
Objective:
• There are two Internet links, ISP1 and ISP2. All outgoing traffic is load balanced across ISP1 and ISP2.
• Configure the RLB instance object with Round Robin, Destination and Spillover in turn, and check how the algorithms differ.
78. Example of Route Load Balancing
1. Create the IP4 address objects.
2. Add the two default routes.
79. Example of Route Load Balancing
3. Add an interface group containing wan1 and wan2.
4. Add an IP rule entry.
80. Example of Route Load Balancing
5. Add a Round Robin or Destination route load balancing instance, then check the RLB status.
81. Example of Route Load Balancing
6. Add a Spillover load balancing instance.
82. Example of Route Load Balancing
7. Add the spillover settings (utilization limit and hold time).