03-LinkProof Tech Training

Radware LinkProof
5.11 Training 2007-09
Page 1
Agenda
Radware LinkProof LinkProof
Page 2
Radware LinkProof Branch
LP Branch
8 Fast Ethernet ports 25/50 Mbps throughput 64 MB RAM
Page 3
Radware LinkProof AS
LP 100/200/202
8 Fast Ethernet ports 2 Fiber SC GB ports 200 Mbps throughput 256 MB RAM
Page 4
LP 1000
16 FE and 5 GBIC ports 1000 Mbps throughput 256 MB RAM
Page 5
LP 3020
12 Copper GB Ethernet ports 8 GBIC ports 3000 Mbps throughput 512MB RAM
Page 6
Radware LinkProof ODS
LP 108/208/1008/2008/4008 ODS VL
6 10/100/1000 Copper + 2SFP 100 Mbps throughput4 Gbps Max throughput 4GB RAM
Page 7
Radware LinkProof ODS
LP 1016/2016/4016 ODS2
12 10/100/1000 Copper + 4 SFP 1 Gbps throughput4 Gbps Max throughput 2GB RAM
Page 8
RADWARE LinkProof LinkProof

1, LinkProof-- 2, LinkProof--Network 3, LinkProof--PortChannel 4, LinkProof--Interface 5, LinkProof--Route 6, LinkProof--Farm 7, LinkProof--Server 8, LinkProof--Flow 9, LinkProof--Nat 10, LinkProof--Classes 11, LinkProof--Inbound 12, LinkProof--Proximity 13, LinkProof--Tuning
Page 9
Page 10
Page 11
Page 12

Page 13
Web
radware radware
Page 14
Page 15

Page 16
Link Aggregation
Radware devices support port trunking according to the IEEE 802.3ad standard for link aggregation. According to the IEEE 802.3ad standard:
Link Aggregation is supported only on links using the IEEE
802.3 MAC Link Aggregation is supported only on point-to-point links. Link Aggregation is supported only on links operating in full duplex mode. Aggregation is permitted only among links with same speed and direction. On Radware devices bandwidth increments are provided in units of 100Mbps and 1Gbps respectively. The failure or replacement of a single link within a Link Aggregation Group will not cause failure from the perspective of a MAC client.
Page 17
Configuration
Device > Link Aggregation > Port Table
Same Index
Page 18
Port Table
Page 19

Page 20
Assign IP Address
Router > IP Router > Interface Parameters > Create
Ports number
Page 21
Edit IP Address
Router > IP Router > Interface Parameters
Click to Edit
Page 22

Page 23
Add Route
Router > Routing Table > Create
Default Gateway: Dest. Address > 0.0.0.0
Network Mask
> 0.0.0.0
Page 24
Edit Routing Table

Router > Routing Table
Click to Edit
Page 25

Page 26
Terminology Farm
A LinkProof farm is a group of networks servers that provide the
same service. Servers contained in a server farm can belong to different vendors, or have a different capacity. The differences between the servers within a farm are transparent to the users. Providing all the servers within a group provide the same service managed by the LinkProof device, this group can be defined as a LinkProof server farm.
When a new packet arrives that must be redirected to a certain
farm, LinkProof selects the best server (according to user-defined criteria) from the servers available.
Page 27
Farm Concept
The Virtual IP Farm (logical) servers represent applications residing on the physical server. Each application provides a particular service. LinkProof supports different farm server types, according to farm types: routers and firewalls.
The IP address of the farm server must also be defined. A physical server can have a few IP addresses, so different farm servers that are operating on the same physical server can have different IP addresses. The same Server Name and Server Address can be used in different farms (but same type of farms)
Page 28
Server Farm Basics
Main Farm Subnet1 Farm Subnet2 Farm
Page 29
Farm Configuration
LinkProof > Farms > Router Farm Table > Create
Name
Smart Nat
Persistency
Page 30
Farm Parameters
Page 31
LinkProof Dispatch Methods
Cyclic (Round Robin) Weighted Cyclic (uses Round Robin but applies static weights assigned to servers)
LinkProof
Least Traffic (in packets) Least Number of Users NT SNMP Parameters

Farm
User-Configurable SNMP Parameters Hashing

Router 2
Router 1
Response Time Load Balancing

Page 32

Page 33
Server Concept
The Virtual IP Farm (logical) servers represent applications residing on the physical server. Each application provides a particular service. LinkProof supports different farm server types, according to farm types: routers and firewalls.
The IP address of the farm server must also be defined. A physical server can have a few IP addresses, so different farm servers that are operating on the same physical server can have different IP addresses. The same Server Name and Server Address can be used in different farms (but same type of farms)
Page 34
Server Maintenance
LinkProof > Servers > Logic Routers Table > Create
Name
Gateway
Page 35
Server Maintenance
Same Farm Name
Loadbalance:
Different Gateway
Default Loadbalance Farm&Servers

Page 36
Server Management - Weights
Server Weights allow administrators to take into account equipment that has greater (or lesser) capacity than other servers in the same farm.
LinkProof
Weight = 1
Weight = 1 Weight = 5
Page 37
Server Management Operational Mode
Active
Active
Backup
LinkProof
Local Network
Page 38
Server Management Connection Limit
Connection Limit is the maximum number of users that can be directed to a server for a service provided by the farm. The number of users depends on the Sessions Mode, because it is determined by the number of active entries in the Client Table for sessions destined to the specific server.
Page 39

Page 40
Flow Concept
LinkProof 5.xx uses flow policies instead of Groupings (in
previous versions) Multiple farms can contain the same or different routers Policies are configured based on source, destination, application, content, etc. to send traffic through routers in a particular farm Routers can be active or backup within a farm Administrators can configure the LinkProof to redirect specific kinds of traffic to specific devices or groups of devices. This feature is based on the concept of Flows, introduced in version 5.10 and can be done based on the destination port, destination IP address, source IP address, or combinations
Page 41
Flow Definitions
Main Farm
Subnet1 Farm
Subnet2 Farm
Flow 1 Use Subnet1 Farm
Flow 2 Use Subnet2 Farm
Page 42
Flow Policies
Main Farm
Subnet1 Farm
Subnet2 Farm
Flow Policy: Source = Subnet1 Flow = Subnet1 Farm
Flow Policy: Source = Subnet2 Flow = Subnet2 Farm
Source = Subnet1
Source = Subnet2
Page 43
Flow Policies for Application

Main Farm Web Farm FTP Farm
Web Flow: Use Web Farm
FTP Flow: Use FTP Farm
Main Farm contains both routers Web Farm contains router 1 FTP Farm contains router 2
Page 44
Flow Policies for Application

Main Farm Web Farm FTP Farm
Flow Policy: HTTP Flow = Use Web Farm
Flow Policy: FTP Flow = Use FTP Farm
HTTP
FTP
Page 45
Flow Table
LinkProof > Flow Management > Farm Flow Table > Create
Default Flow
Default Farm
Page 46
Flow Table
Select Farm
Flow Index
Page 47
Flow Table
Page 48
Flow Policy
LinkProof > Flow Management > Modify Policies > Create
Page 49
Flow Policy
Name
Little number will be executed first Especial Flow
Classes-Networks
LinkProof > Flow Management >Update Policies

Page 50
Client Management
Client Table tracks all outbound and inbound client sessions along with
the router selected Default aging time is 60 seconds After 60 seconds of inactivity, a given entry is dropped Aging time can be set per router farm Application Aging can be set in global
Page 51
Client Table CLI
Client Table current entries can be viewed via CLI only using the following commands:
lp client table (to see client table information) lp client table-summary (to see summary information) lp client clear (clear client table)
The following options are available with the lp client table CLI command, which allow you to filter existing client entries and display only relevant entries:
-ip to print only entries with given IP address -fl to print only entries with given flow name -fn to print only entries with given farm name -sn to print only entries with given server name -vl to print only entries with forwarding type bridging -ap to print only entries with given application port -db to print only entries with delayed binding information -ed to print only entries with edge farm info -mapped to print entries including mapped information -ptr to print only entries with given packet translation type (VIP, Dynamic NAT, VPN, etc).
Page 52
Aging By Application
Flow 1
Flow 2
Client Table Default = 60 Port 80 Aging = 30 seconds Port 23 Aging = 600 seconds Port 53 Aging = 10 seconds Port 443 Aging = 1200 seconds
LinkProof
Web Traffic
Telnet Traffic
DNS Traffic
HTTPS Traffic
Page 53

Page 54
Dynamic SmartNAT
The LinkProof uses Dynamic SmartNAT to route traffic from internal resources out the available Next-Hop-Routers. This is a Many-to-One translation
SmartNAT with 1.1.1.150
NHR1 1.1.1.100
NHR2 2.2.2.200 Local User
LinkProof
SmartNAT with 2.2.2.250

Page 55
Static SmartNAT cont.

Static SmartNAT addresses are also used to present a public address through each available router that can be used to access an internal resource SmartNAT for Server = 1.1.1.10
NHR1 1.1.1.100
LinkProof
NHR2 2.2.2.200 Server Client
SmartNAT for Server = 2.2.2.20

Page 56
Basic SmartNAT
Basic SmartNAT can be used for outbound user traffic when an applications source port must be preserved uses a pool.
User 1
NAT with 1.1.1.20
NAT with 1.1.1.21
NHR1 1.1.1.100
User 2
LinkProof
NHR2 2.2.2.200
Application
User 3
NAT with 2.2.2.20
NAT with 1.1.1.21

Page 57
No NAT
In some cases, it may not make sense to have the LinkProof perform NAT for hosts on a public network or behind a firewall performing NAT.
Servers
No NAT Source Preserved
NHR1 1.1.1.100
1.1.1.111
1.1.1.112
NHR2 2.2.2.200
LinkProof 1.1.1.113
NAT with Address from 2.2.2.0

Page 58

Page 59
Modify Classes
Classes > Modify Networks > Create
Same Name
Differ Index
LinkProof > Classes >Update Policies

Page 60

Page 61
Inbound
The LinkProof can shape inbound traffic to internal hosts (web, ftp, application hosts, etc.) by answering DNS queries for specific hosts The LinkProof will answer queries with an appropriate Static NAT address from an available router network Clients can then access the internal host by connecting to the Static NAT address they receive For increase performance it is recommended to configure the DNS servers (When user configure DNS Servers Table, Link Proof will check the given DNS servers reply only)
Page 62
Inbound Configuration
LinkProof > DNS Configuration > DNS for Local Clients 1:Static Nat 2:Name To Local IP
Select Internal
Page 63

Page 64
Proximity Concept
The proximity probes are a combination of IP, TCP, and application layer probes (such as TCP ACK's and ICMP Echo requests) to ensure accurate measurements. The type of checks used for proximity is configurable to allow users more control of the device and generate maximum performance from the links.
Page 65
Proximity Configuration
LinkProof > Proximity
Page 66

Page 67
Tuning
Services > Tuning > Device > General
Page 68
LinkProof
IP
Interface IPRouter Farm
ServerFarm
Flow Policy NAT
Health Monitor
Device Tuning
Page 69
Page 70
Redundancy
Radware devices should be employed in pairs for fault-tolerance and fail-over Two methods available for redundancy: Proprietary (using ARP) VRRP (RFC:2338 Virtual Router Redundancy Protocol)
Page 71
Page 72
LinkProof Management Methods

Management Methods Available:
APSolute Insite Telnet / SSH
Web Based Interface / Secure Web

Serial Command Line Interface
SNMP
Page 73
LinkProof Monitoring Web

Device > Device Monitoring
Page 74
LinkProof Configurations Save/Upload

File > Configuration >Receive From Device/Send to Device
Page 75
LinkProof Notification
Event Notifications can be received via the following methods
Syslog Email Serial connection traps SNMP Traps
Page 76
LinkProof Management Permissions

Access to the Device can be limited in several ways:
SNMP Community strings (for AP insite) Username and password (for Telnet and WBM) Management method restricts per physical interface (i.e. WBM and SNMP through port 2 and SSH only through port 1) Radius Server Authentication
Page 77
LinkProof Security Web

Device Security > User > Create or Edit
Page 78
LinkProof Software Version
lp-as1-3_73_11.bin
product
hardware
version
Page 79
Upgrade Firmware
File > Software Upgrade
Page 80
Page 81
LinkProof

IP
Page 82

50M 50M 100M 100M IPV6
Page 83
1,
2 3InboundOutbound
Page 84
100M
1G
50M
100M
50M
Router A
linkproof
Router B
Page 85

100M 1G 100M 50M 50M
Router A
Router B linkproof linkproof
Page 86
Page 87

03-LinkProof Tech Training

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

03-LinkProof Tech Training

Transféré par

Droits d'auteur :

Formats disponibles

Radware LinkProof

5.11 Training 2007-09

Radware LinkProof LinkProof

Radware LinkProof Branch

8 Fast Ethernet ports 25/50 Mbps throughput 64 MB RAM

16 FE and 5 GBIC ports 1000 Mbps throughput 256 MB RAM

Radware LinkProof ODS

Radware LinkProof ODS

RADWARE LinkProof LinkProof

RADWARE LinkProof LinkProof

RADWARE LinkProof LinkProof

Device > Link Aggregation > Port Table

RADWARE LinkProof LinkProof

Router > IP Router > Interface Parameters > Create

RADWARE LinkProof LinkProof

Router > Routing Table > Create

Default Gateway: Dest. Address > 0.0.0.0

Edit Routing Table

RADWARE LinkProof LinkProof

A LinkProof farm is a group of networks servers that provide the

Server Farm Basics

Main Farm Subnet1 Farm Subnet2 Farm

LinkProof Dispatch Methods

Least Traffic (in packets) Least Number of Users NT SNMP Parameters

User-Configurable SNMP Parameters Hashing

Response Time Load Balancing

RADWARE LinkProof LinkProof

LinkProof > Servers > Logic Routers Table > Create

Same Farm Name

Default Loadbalance Farm&Servers

Server Management - Weights

Server Management Operational Mode

Server Management Connection Limit

RADWARE LinkProof LinkProof

LinkProof 5.xx uses flow policies instead of Groupings (in

Flow 1 Use Subnet1 Farm

Flow 2 Use Subnet2 Farm

Flow Policy: Source = Subnet1 Flow = Subnet1 Farm

Flow Policy: Source = Subnet2 Flow = Subnet2 Farm

Flow Policies for Application

Web Flow: Use Web Farm

FTP Flow: Use FTP Farm

Flow Policies for Application

Flow Policy: HTTP Flow = Use Web Farm

Flow Policy: FTP Flow = Use FTP Farm

Little number will be executed first Especial Flow

LinkProof > Flow Management >Update Policies

Client Table CLI

RADWARE LinkProof LinkProof

NHR2 2.2.2.200 Local User

SmartNAT with 2.2.2.250

Static SmartNAT cont.

SmartNAT for Server = 2.2.2.20

NAT with 1.1.1.20

NAT with 1.1.1.21

NAT with 2.2.2.20

NAT with 1.1.1.21

No NAT Source Preserved

NAT with Address from 2.2.2.0

RADWARE LinkProof LinkProof

Classes > Modify Networks > Create

LinkProof > Classes >Update Policies

RADWARE LinkProof LinkProof