Presentations 1 & 2 by Henry Lo, Technical Engineer of DrayTek and Henry Castillo, Technical Director of ABP Technology at DrayTek Training held 2/25/14 and 2/26/14 at ABP Technology. Sessions 1 & 2 include multi-WAN, LAN, VLAN, load balancing, route policy. Information on future DrayTek training events and webinars can be found at http://www.abptech.com/info/registration/draytek_info.html
Session 1 Enabling IP Connectivity
Henry Lo, Field Application Engineer
These are NOT confidential sessions – please DO consider streaming, blogging, or taking pictures
• Multi-WANs
• LAN / VLAN
• VPN
• Load-Balance/Route Policy
Outline
• Why Need Dual/Multi WANs
• Multi VLAN Usage
• Supported WAN Interfaces
• Internet Access Mode
• WAN Budget Limit
• Trouble Shooting
Why Need Dual/Multi WANs
• Load Balance
• Good Backup
• Multi Service
  – Internet
  – IPTV
  – Management
  – VoIP
Why Need Dual/Multi WANs
• Load Balance
• 4 Mechanisms for WAN Load Balance
  - CAH, cached
  - BAL, balanced
  - DNS
  - Policy
Why Need Dual/Multi WANs
• Good Backup
Multi VLAN Usage
Supported WAN Interfaces
• Ethernet WAN (10/100/1000Base-Tx)
• xDSL
  – ADSL, ADSL2/2+
  – VDSL2
• USB 3G/4G dongle
• Fiber
Internet Access Mode
• PPPoE/PPPoA
• MPoA
• Static or Dynamic IP
• PPTP or L2TP
• 3G/4G modem PPP/DHCP mode
Internet Access Mode
• IPv6
• How to Configure WAN for IPv6 Service
  – http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=1809&Itemid=293&lang=en
WAN Budget Limit
• Set Budget
• Budget Refresh Time
• Action
• SMS/Mail Alert
  – Set SMS/Mail Object and Notification Object
  – Include Notification Object into SMS/Mail Alert
Trouble Shooting
• Capture online status page
• Capture low –wt
  – http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=2060&Itemid=296&lang=en
• Capture WAN packet
  – http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=2059&Itemid=296&lang=en
• Capture the WAN Setup Page.
Outline
• Multi LAN Subnets/VLAN
  - Port-Based
  - Tag-Based
  - Inter-LAN Routing
• LAN Subnet for NAT/Routing Usage
• Retrieve DHCP Lease Periodically
• IP Routed Subnet
Multi LAN Subnets/VLAN
• The initial status
Multi LAN Subnets/VLAN
• Port-Based
• Tag-Based
Multi LAN Subnets/VLAN
• A hybrid example
  - P1 in LAN1 for Administrator management
  - P2, P3, P4 in LAN2 for 3 departments, isolated from each other
  - P5 in LAN1 for internal server
  - P6 in LAN3 for Guest usage
Multi LAN Subnets/VLAN
• Enable LAN2, LAN3
• Enable Inter-LAN Routing
NAT/Routing Usage
• Choose NAT/Routing for LAN Subnet
  – LAN1 is always NATed
Retrieve DHCP Lease Periodically
• Retrieve IP only from Inactive Clients
  - Active when available IPs are fewer than 30
  - Send ARP Request every 60 seconds
  - Retrieve IP if no ARP Reply
IP Routed Subnet
• LAN PC will get public IP Address directly
  – No NAT will be applied
• Set Start IP/Pool
• Set LAN Port/Bind MAC
Outline
• Supported VPN Protocol
• How Many Tunnels does Vigor Support
• VPN Application
• Special VPN Application
Supported VPN Protocol
• PPTP (TCP 1723)
• L2TP (UDP 1701)
• IPsec (UDP 500)
• L2TP over IPsec
• SSL VPN (TCP 443)
• mOTP
How Many VPN Tunnels Does Vigor Support
Vigor Model         IPsec/PPTP/L2TP        SSL
Vigor2110           2                      N/A
Vigor2130           2                      N/A
Vigor2912           16                     N/A
Vigor2920           32                     N/A
Vigor2925           25                     25
Vigor2930           100                    30
Vigor2950           200                    10
Vigor2960           200                    20
Vigor3200 Series    64                     10
Vigor3300 Series    200                    N/A
Vigor3900           500 (PPTP/L2TP 200)    20
How Many VPN Tunnels Does Vigor Support
Vigor Model         IPsec/PPTP/L2TP        SSL
Vigor2710           2                      N/A
Vigor2760           2                      N/A
Vigor2830           32                     10
Vigor2850           32                     10
Vigor2860           32                     10
Outline
• Supported VPN Protocol
• How Many Tunnels does Vigor Support
• VPN Application
  - LAN To LAN
  - Host To LAN
  - SSL VPN
  - VPN Trunk
• Special VPN Application
LAN to LAN
172.17.1.0/24 192.168.1.0/24
• Remote Office
• Dial Out
• Main Office
• Dial In
• Use with caution! Only this remote IP will be eligible!
• Drop the rest
Host to LAN
• Client-side OS could be
  – Windows (may use Smart VPN client)
  – Mac OS/iOS
  – Android
  – Ubuntu
VPN Trunk-Load Balance
VPN Trunk-Backup
Outline
• Supported VPN Protocol
• How Many Tunnels does Vigor Support
• VPN Application
• Special VPN Application
  - Change Default Route to this VPN Tunnel
  - Apply VPN Tunnel into L/B Policy
  - VPN Backup when Specified WAN Drops
  - Packets Trigger to Establish the VPN Tunnel
  - Add more Network into Phase 2 SA
Change Default Route to VPN tunnel
• Enable VPN default route
• Go via VPN tunnel for localized service
Apply VPN Tunnel as Interface for L/B Policy
• How to Use Load-Balance/Route Policy
  – http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=5181&Itemid=293&lang=en
VPN Backup when Specified WAN Down
Add More Network into Phase2 SA
Outline
• How does it Work
  – When matching criteria, send via the route
• What does it Do
  – 2 real usage examples
• Trouble Shooting
  – Ping / Trace Route
• Application Note
How does it Work (1/3)
• Set Criteria
  - Protocol
  - Source IP
  - Dest IP
  - Dest Port
• Set the Route
  - Interface
  - Gateway
  - NAT or Routing
How does it Work (2/3)
• Protocol
  - TCP
  - UDP
  - ICMP
• Source IP
• Dest IP
• Dest Port
• Interface
  - WAN/Virtual WAN
  - LAN
  - VPN
• Gateway
  - Default
  - Specified
• Do NAT or Routing
  - NAT is not applicable for LAN and VPN
How does it Work (3/3)
What does it Do
• Choose VPN tunnel for certain destinations (Jump)
  – Surf Facebook
  – Watch Netflix
• Choose WAN interface for certain destinations
  – WAN1 for Public VoIP and data, NAT
  – WAN5 for Private VoIP, Routing
VPN to Remote Server
• Scenario
• Find the Destination IP Range
• Configuration
• Confirm the Routing
Scenario
• Go via VPN tunnel for Netflix and Facebook
Find the Destination IP Range
• ping / nslookup
• whois
Configuration
• Dest IP
• Interface
Confirm the Routing
• Use tracert / traceroute to confirm routing
• First Hop: LAN Gateway
• Second Hop: VPN Gateway
WAN5 for Private VoIP
• Scenario
• Rules Overview
• Configuration
  – Public server via WAN1
  – DNS via WAN1
  – Private server via WAN5
• Confirm the Routing
Scenario
• LAN1 for PC
• LAN2 for IP Phones
• Data via WAN1
• VoIP to Public Server via WAN1
  - May require DNS lookup
• VoIP to Private Server via WAN5
Diagram labels:
• External SIP Server: iptel.org, 217.9.36.145
• Internal SIP Server: Vigor2820 IPPBX, 192.168.11.1
• PVC1, WAN1: 111.248.121.156, Gateway: 168.95.98.254
• PVC2, WAN5: 192.168.11.13, Gateway: 192.168.11.1
• LAN 1 / NAT: PC 1A, 192.168.1.1/24
• IP Phones, SIP / PPBX, 10.20.10.1/24
• INTERNET, Private
Rules Overview
• VoIP to Public Server via WAN1, NAT
• DNS lookup via WAN1, NAT
• VoIP to Private Server via WAN5, Routing
• Unspecified traffic via WAN1, NAT
External Server via WAN1
• Source IP – IP phones
• Dest IP – Iptel.org
• Interface – WAN1
• Force NAT
DNS via WAN1
• DNS – UDP 53
• Interface – WAN1
• Force NAT
Private Server via WAN5
• Source IP – IP phones
• Dest IP – Any except iptel
• Interface – WAN5
• Routing
Confirm the Routing
• LAN1 PC tracert / traceroute to 8.8.8.8
• LAN2 IP phone tracert / traceroute to 8.8.8.8
• LAN2 IP phone traceroute to another IP phone
Trouble Shooting
• Use ping / tracert to confirm the routing
• Respect the first matched rule, ignore the rest
• Firewall > Inter-LAN routing > Load-Balance/Route Policy > Static Route
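The first-match behaviour above, applied to the three rules of the WAN5 scenario, as an added example (not DrayTek code or configuration): it evaluates a packet against an ordered rule list and reports rules that an earlier rule fully covers. The rule names and the 10.20.10.0/24 phone subnet are assumptions; the WAN1/NAT fallback is the slide's "unspecified traffic" rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str               # hypothetical label, not a router field
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: Optional[int]    # None means any destination port
    interface: str
    mode: str               # "NAT" or "Routing"

def matches(r, proto, src, dst, dport):
    return (r.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
            and r.dport in (None, dport))

def route(rules, proto, src, dst, dport=None):
    """First matching rule wins; later rules are never consulted."""
    for r in rules:
        if matches(r, proto, src, dst, dport):
            return (r.name, r.interface, r.mode)
    return ("default", "WAN1", "NAT")   # unspecified traffic via WAN1, NAT

def covers(a, b):
    """True if every packet that matches b also matches a."""
    return (a.proto in ("any", b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dport in (None, b.dport))

def shadowed(rules):  # rules an earlier rule fully covers, so they never fire
    return [b.name for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]

PHONES = "10.20.10.0/24"    # assumption: LAN2 phone subnet, from the diagram
ANY = "0.0.0.0/0"
PUBLIC = Rule("voip-public", "any", PHONES, "217.9.36.145/32", None, "WAN1", "NAT")
DNS = Rule("dns", "udp", ANY, ANY, 53, "WAN1", "NAT")
PRIVATE = Rule("voip-private", "any", PHONES, ANY, None, "WAN5", "Routing")
GOOD = [PUBLIC, DNS, PRIVATE]   # order gives PRIVATE its "any except iptel"
BAD = [PRIVATE, PUBLIC, DNS]    # constructed misordering

if __name__ == "__main__":
    for rules in (GOOD, BAD):
        print(route(rules, "udp", "10.20.10.50", "8.8.8.8", 53), shadowed(rules))
```

With the misordered list, phone DNS queries and calls to iptel.org leave through WAN5 without NAT, and `shadowed` reports `voip-public` as a rule that can never match.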
Application Note
• How to use Load-Balance/Route Policy?
  – http://www.draytek.com.tw/index.php?option=com_k2&view=item&id=5181&Itemid=293&lang=en