03-linkproof tech training

Radware LinkProof

5.11 Training 2007-09

•Radware LinkProof 产品介绍•LinkProof 初始化安装与基本配置•双机配置•设备管理•售前方案设计

Agenda

Radware LinkProof Branch 平台产品介绍

LP Branch

•8 Fast Ethernet ports•25/50 Mbps throughput •64 MB RAM

Radware LinkProof AS 平台产品介绍

LP 100/200/202

• 8 Fast Ethernet ports• 2 Fiber SC GB ports• 200 Mbps throughput • 256 MB RAM

• 16 FE and 5 GBIC ports • 1000 Mbps throughput • 256 MB RAM

LP 1000


• 12 Copper GB Ethernet ports• 8 GBIC ports• 3000 Mbps throughput • 512MB RAM

LP 3020


Radware LinkProof ODS 平台产品介绍LP 108/208/1008/2008/4008 ODS VL

• 6 10/100/1000 Copper + 2SFP•100 Mbps throughput， 4 Gbps Max throughput•4GB RAM

Radware LinkProof ODS 平台产品介绍

LP 1016/2016/4016 ODS2

• 12 10/100/1000 Copper + 4 SFP• 1 Gbps throughput， 4 Gbps Max throughput•2GB RAM

• RADWARE LinkProof 产品介绍• LinkProof 初始化安装与基本配置 1, LinkProof- 配置 - 初始化 2, LinkProof- 配置 -Network 3, LinkProof- 配置 -PortChannel 4, LinkProof- 配置 -Interface 5, LinkProof- 配置 -Route 6, LinkProof- 配置 -Farm 7, LinkProof- 配置 -Server 8, LinkProof- 配置 -Flow 9, LinkProof- 配置 -Nat

10, LinkProof- 配置 -Classes11, LinkProof- 配置 -Inbound12, LinkProof- 配置 -Proximity13, LinkProof- 配置 -Tuning

• 双机配置• 设备管理

终端配置

初始化菜单

默认配置

Web 管理登陆

默认用户名： radware

默认密码： radware

全局界面

Link Aggregation

Radware devices support port trunking according to the IEEE 802.3ad standard for link aggregation. According to the IEEE 802.3ad standard:

• Link Aggregation is supported only on links using the IEEE 802.3 MAC • Link Aggregation is supported only on point-to-point links.

• Link Aggregation is supported only on links operating in full duplex mode. • Aggregation is permitted only among links with same speed and direction. On Radware devices bandwidth increments are provided in units of 100Mbps and 1Gbps respectively. • The failure or replacement of a single link within a Link Aggregation Group will not cause failure from the perspective of a MAC client.

Configuration

• Device > Link Aggregation > Port Table

Same Index

Port Table

Assign IP Address

Ports number

• Router > IP Router > Interface Parameters > Create

Edit IP Address

Click to Edit

• Router > IP Router > Interface Parameters

Add Route

Default Gateway:

Dest. Address

> 0.0.0.0

Network Mask

> 0.0.0.0

• Router > Routing Table > Create

Edit Routing Table

• Router > Routing Table

Click to Edit

• A LinkProof farm is a group of networks servers that provide the same service. Servers contained in a server farm can belong to different vendors, or have a different capacity. The differences between the servers within a farm are transparent to the users. Providing all the servers within a group provide the same service managed by the LinkProof device, this group can be defined as a LinkProof server farm.

• When a new packet arrives that must be redirected to a certain farm, LinkProof selects the best server (according to user-defined criteria) from the servers available.

Terminology –Farm

The Virtual IP Farm (logical) servers represent applications residing on the physical server. Each application provides a particular service. LinkProof supports different farm server types, according to farm types: routers and firewalls.

The IP address of the farm server must also be defined. A physical server can have a few IP addresses, so different farm servers that are operating on the same physical server can have different IP addresses. The same Server Name and Server Address can be used in different farms (but same type of farms)

Farm Concept

Server Farm Basics

Main Farm

Subnet1 Farm

Subnet2 Farm

Farm Configuration

• LinkProof > Farms > Router Farm Table > Create

Name Smart Nat Persistency

Farm Parameters

Farm

Router 1 Router 2

LinkProof

LinkProof Dispatch Methods

•Cyclic (Round Robin)

•Weighted Cyclic (uses Round Robin but applies static weights assigned to servers)

•Least Traffic (in packets)

•Least Number of Users

•NT SNMP Parameters

•User-Configurable SNMP Parameters

•Hashing

•Response Time Load Balancing

The Virtual IP Farm (logical) servers represent applications residing on the physical server. Each application provides a particular service. LinkProof supports different farm server types, according to farm types: routers and firewalls.

The IP address of the farm server must also be defined. A physical server can have a few IP addresses, so different farm servers that are operating on the same physical server can have different IP addresses. The same Server Name and Server Address can be used in different farms (but same type of farms)

Server Concept

Server Maintenance

• LinkProof > Servers > Logic Routers Table > Create

Gateway

Name

Server Maintenance

Same Farm NameLoadbalance:

Different Gateway

Default Loadbalance Farm&Servers

Server Weights allow administrators to take into account equipment that has greater (or lesser) capacity than other servers in the same farm.

LinkProof

Weight = 1 Weight = 1

Weight = 5

Server Management - Weights

Server Management – Operational Mode

Local Network

Active

LinkProof

Active Backup

Server Management – Connection Limit

Connection Limit is the maximum number of users that can be directed to a server for a service provided by the farm. The number of users depends on the Sessions Mode, because it is determined by the number of active entries in the Client Table for sessions destined to the specific server.

Flow Concept

• LinkProof 5.xx uses flow policies instead of Groupings (in previous versions)

• Multiple farms can contain the same or different routers• Policies are configured based on source, destination,

application, content, etc. to send traffic through routers in a particular farm

• Routers can be active or backup within a farm• Administrators can configure the LinkProof to redirect

specific kinds of traffic to specific devices or groups of devices. This feature is based on the concept of Flows, introduced in version 5.10 and can be done based on the destination port, destination IP address, source IP address, or combinations

Flow Definitions

Main Farm

Subnet1 Farm

Subnet2 Farm

Flow 1 – Use Subnet1 Farm

Flow 2 – Use Subnet2 Farm

Flow Policies

Main Farm

Subnet1 Farm

Subnet2 Farm

Source = Subnet1 Source = Subnet2

Flow Policy:Source = Subnet1

Flow = Subnet1 Farm

Flow Policy:Source = Subnet2

Flow = Subnet2 Farm

Flow Policies for Application

•Main Farm contains both routers•Web Farm contains router 1•FTP Farm contains router 2

Main Farm

Web Farm

FTPFarm

FTP Flow:Use FTP

Farm

Web Flow:Use Web

Farm

Flow Policies for Application

Main Farm

Web Farm

FTPFarm

Flow Policy:HTTP Flow = Use Web Farm

Flow Policy:FTP Flow = Use FTP Farm

HTTP FTP

Flow Table

• LinkProof > Flow Management > Farm Flow Table > Create

Default FarmDefault Flow

Flow Table


Flow Index

Select Farm

Flow Table


Flow Policy

• LinkProof > Flow Management > Modify Policies > Create

Flow Policy

Name Little number will be executed first

Classes-Networks

Especial Flow

LinkProof > Flow Management >Update Policies

Client Management

• Client Table tracks all outbound and inbound client sessions along with the router selected

• Default aging time is 60 seconds• After 60 seconds of inactivity, a given entry is dropped• Aging time can be set per router farm• Application Aging can be set in global

Client Table CLI

Client Table current entries can be viewed via CLI only using thefollowing commands:• lp client table (to see client table information)• lp client table-summary (to see summary information)• lp client clear (clear client table)The following options are available with the lp client table CLIcommand, which allow you to filter existing client entries and display only relevant entries:• -ip to print only entries with given IP address• -fl to print only entries with given flow name• -fn to print only entries with given farm name• -sn to print only entries with given server name• -vl to print only entries with forwarding type bridging• -ap to print only entries with given application port• -db to print only entries with delayed binding information• -ed to print only entries with edge farm info• -mapped to print entries including mapped information• -ptr to print only entries with given packet translation type (VIP,Dynamic NAT, VPN, etc).

Aging By Application

LinkProof

Flow 2Flow 1

Web Traffic

Telnet Traffic

DNS Traffic

HTTPS Traffic

Client Table Default = 60

Port 80 Aging = 30 secondsPort 23 Aging = 600 secondsPort 53 Aging = 10 secondsPort 443 Aging = 1200 seconds

Dynamic SmartNAT

The LinkProof uses Dynamic SmartNAT to route traffic from internal resources out the available Next-Hop-Routers. This is a Many-to-One translation

Local User

NHR11.1.1.100

LinkProof

NHR22.2.2.200

SmartNAT with 1.1.1.150

SmartNAT with 2.2.2.250

Static SmartNAT – cont.

Static SmartNAT addresses are also used to present a public address through each available router that can be used to access an internal resource

Server

NHR11.1.1.100

LinkProofNHR2

2.2.2.200 Client

SmartNAT for Server = 1.1.1.10

SmartNAT for Server = 2.2.2.20

Basic SmartNAT

Basic SmartNAT can be used for outbound user traffic when an application’s source port must be preserved – uses a pool.

NHR11.1.1.100

LinkProofNHR2

2.2.2.200

User 1

User 3

User 2

Application

NAT with 1.1.1.20

NAT with 2.2.2.20

NAT with 1.1.1.21

NAT with 1.1.1.21

No NAT

In some cases, it may not make sense to have the LinkProof perform NAT for hosts on a public network or behind a firewall performing NAT.

ServersNHR1

1.1.1.100

LinkProof

NHR22.2.2.200

1.1.1.111

1.1.1.112

1.1.1.113

No NAT – Source Preserved

NAT with Address from 2.2.2.0

Modify Classes

• Classes > Modify Networks > Create

Same Name Differ Index

LinkProof > Classes >Update Policies

Inbound

• The LinkProof can shape inbound traffic to internal hosts (web, ftp, application hosts, etc.) by answering DNS queries for specific hosts

• The LinkProof will answer queries with an appropriate Static NAT address from an available router network

• Clients can then access the internal host by connecting to the Static NAT address they receive

• For increase performance it is recommended to configure the DNS servers (When user configure DNS Servers Table, Link Proof will check the given DNS servers reply only)

Inbound Configuration

Select Internal

1:Static Nat

2:Name To Local IP

• LinkProof > DNS Configuration > DNS for Local Clients

Proximity Concept

The proximity probes are a combination of IP, TCP, and application layer probes (such as TCP ACK's and ICMP Echo requests) to ensureaccurate measurements. The type of checks used for proximity is configurable to allow users more control of the device and generate maximum performance fromthe links.

Proximity Configuration

• LinkProof > Proximity

Tuning

• Services > Tuning > Device > General

LinkProof 配置总结• 确认部署环境及 IP 规划• 配置 Interface IP、 Router

• 配置 Farm

• 配置 Server ，并加入相应Farm

• 配置 Flow Policy

• 配置 NAT

• 配置 Health Monitor

• Device Tuning

• Radware devices should be employed in pairs for fault-tolerance and fail-over

• Two methods available for redundancy:Proprietary (using ARP)VRRP (RFC:2338 Virtual Router Redundancy Protocol)

Redundancy

LinkProof Management Methods

Management Methods Available:

• APSolute Insite

• Telnet / SSH

• Web Based Interface / Secure Web

• Serial Command Line Interface

• SNMP

LinkProof Monitoring – Web

• Device > Device Monitoring

LinkProof Configurations Save/Upload

• File > Configuration >Receive From Device/Send to Device

Event Notifications can be received via the following methods

• Syslog

• Email

• Serial connection traps

• SNMP Traps

LinkProof Notification

Access to the Device can be limited in several ways:

• SNMP Community strings (for AP insite)

• Username and password (for Telnet and WBM)

• Management method restricts per physical interface (i.e. WBM and SNMP through port 2 and SSH only through port 1)

• Radius Server Authentication

LinkProof Management Permissions

LinkProof Security – Web

• Device Security > User > Create or Edit

hardware

lp-as1-3_73_11.bin

product version

LinkProof Software Version

Upgrade Firmware

• File > Software Upgrade

LinkProof 售前方案设计

• 熟悉了解客户网络• 了解详细需求，设备选型（选型时充分考虑销售需求、对手情况）• 方案设计（包括 IP 规划、割接步骤、回退措施）

售前案例分析 – 用户现状

接入路由器A 接入路由器B

防火墙防火墙

核心交换机核心交换机

网通50M 网通100M 网通100M政务外网50M文献中心

科技网教育网中央党校 IPV6

汇聚层和接入层网络

售前案例分析 – 用户需求

1、考虑到业务特点 ,在尽量减少对现网业务影响的情况下，链路负载均衡方案可考虑分布实施。 2、链路负载均衡方案应能够智能利用多条链路资源，既能屏蔽跨运营商之间的网络限制，又能充分利用多条互联网链路资源，来保证链路的高可靠性和应用系统的访问效率。 3、实现进（ Inbound ）出（ Outbound ）双向流量在多广域网链路出口情况下的智能管理。保障公众用户以最佳的途径访问到内部系统，以及应用服务器的响应数据最快速的返回用户端。

售前案例分析 – 过渡方案设计网通网通网通

1G

100M 50M 100M

Router A Router B

电信

文献中心

政务外网教育网

党校

linkproof

50M

网通网通网通

1G

100M 50M100M

Router A Router B

电信

文献中心

政务外网教育网

党校

50M

linkproof linkproof

售前案例分析 – 最终方案设计

03-linkproof tech training

Documents

lp client

virtual ip

radware linkproof

radware linkproof

flow management

ip router

static nat

farm server