AscenLink User Manual

Information contained in this document is believed to be accurate and reliable. However, Xtera Communications, Inc. assumes no responsibility for its use or for any infringements of patents or other rights of third parties which may result from its use. Xtera Communications, Inc. reserves the right to change and update product specifications without notice. All product names and services identified in this documentation are trademarks or registered trademarks of their respective companies and shall be used throughout this documentation in editorial fashion only for the benefit of such companies. No such use, or the use of any trade name, is intended to convey an endorsement or other affiliation with Xtera Communications, Inc.

Copyright 2008, Xtera Communications, Inc. All rights reserved worldwide. This manual or any part of this document shall not be reproduced by any means and translated to any electronic medium without the written consent of Xtera Communications, Inc.

Document Number: AL-CP001-0330E
Document Revision: EN 5.4-B080509
Copyright 2008 IP Division, Xtera Communications, Inc.
www.xtera-ip.com

Preface

AscenLink is a network device that combines the features of WAN load balancing, link fault tolerance, multihoming, bandwidth management, and firewall into an integrated unit to maximize the performance and reliability potential of the broadband Internet setup.

AscenLink is part of the Xtera Network Management Product Family. The goal of the Network Management Product Family is to provide an outstanding environment for a well-managed network. It includes three main product lines: AscenCache, a network cache server; AscenLink, a broadband integration management device; and AscenGate, a content filtering device.

AscenLink is suitable for networks with multiple access lines to the Internet. With its load balancing features, users can direct outbound Internet traffic to various routes or specified links by means of Auto Routing. If a link fails, AscenLink has a unique fault tolerance system that can instantaneously detect the failure and dynamically divert the packet route to prevent traffic from using that link. However, when public websites are hosted on a corporation's internal network, fault tolerance alone is insufficient to maintain uptime. This is where AscenLink's proprietary SwiftDNS technology comes in, applying the results of DNS queries to achieve the function of multihoming. Together, these features keep websites available, with continuous uptime and uninterrupted service.

The flexibility of Bandwidth Management (BM) is a key feature of AscenLink and fulfills all management needs. It can be set to target a particular protocol, such as FTP or HTTP, or a particular time period (e.g., peak hours) by variably adjusting the size of the bandwidth quota, which improves the network QoS (Quality of Service).

AscenLink also makes provisions for network security with the Firewall and DMZ (Demilitarized Zone) features. These features can prevent malicious attacks and invasions coming from the external environment.

AscenLink is highly flexible and ideally suited for a wide range of businesses: from small to mid-size businesses to schools and enterprises, ISPs, etc. It can easily fit into any environment with its easy-to-use administration interface. AscenLink is a comprehensive set of tools that can handle even the most demanding network environments.

How To Use This Manual

This manual consists of six chapters introducing AscenLink's essential functions and the range of applications.

Chapter 1 is a basic overview. It introduces the user to basic network structures and hardware installation relevant to AscenLink. It also covers basic system configuration, including the web-admin user interface and console interface.

Chapters 2 to 5 each explain a specific feature of the product. Each chapter covers one featured functionality and its configuration settings. Examples are also used for further illustration.

Chapter 6 discusses the application range. It gives more detailed explanations of commonly used functions.

The appendix explains the command set available in the console. It also covers how to update AscenLink when new firmware versions become available, with a step-by-step walk-through of the update, as well as explanations of the recourse actions for various error messages.

This manual assumes that the user possesses sufficient knowledge of basic network administration, such as TCP/IP, Public IP, Private IP, subnets, routers, and various common Internet services, namely SSH, POP3, SMTP, FTP, etc.
Table of Contents

Chapter 1 Quick Start
1.1 Preparation
1.2 Access to the Web-based UI
1.3 AscenLink Web-based UI Overview
1.4 How to use AscenLink Web-based UI
    1.4.1 AscenLink Operating Menu
    1.4.2 AscenLink Rule/Filter/Policy Table
    1.4.3 Languages
1.5 Basic Network Settings
    1.5.1 WAN Interface Configuration
    1.5.2 LAN Interface Configuration
1.6 Typical Network Architecture with Multiple WAN Links
1.7 Public IP Address Pass-Through
    1.7.1 Use the Existing Firewall with AscenLink
1.8 Hardware Installation
    1.8.1 How to rack-mount your AscenLink
    1.8.2 Connecting AscenLink to other network devices
1.9 AscenLink in HA (High Availability) Mode
    1.9.1 Installing AscenLink in HA mode
    1.9.2 HA Setting

Chapter 2 System
2.1 Summary
2.2 Network Setting
    2.2.1 DNS Server
    2.2.2 VLAN and Port Mapping
    2.2.3 WAN Setting
    2.2.4 WAN/DMZ Private Subnet
    2.2.5 LAN Private Subnet
2.3 WAN Link Health Detection
2.4 Optimum Route Detection

4.5 Dynamic IP WAN Link
4.6 DHCP Lease Info
4.7 RIP & OSPF Status
4.8 Tunnel Status
4.9 Tunnel Traffic
4.10 Connection Limit
4.11 Port Information
4.12 Virtual Server Status

Chapter 5 Log
5.1 View
5.2 Control
5.3 Notification
5.4 Link Report

Chapter 6 Deployment Scenarios
6.1 Various WAN Types and Scenarios
    6.1.1 WAN Type: Bridge Mode with One Static IP
    6.1.2 WAN Type: Routing Mode
6.2 Exploring Auto Routing
    6.2.1 Advantages of Auto Routing
    6.2.2 AscenLink Fault Tolerance Mechanism
    6.2.3 Persistent Routing and Auto Routing
6.3 Various Auto Routing Mechanisms
6.4 Virtual Server
6.5 Multihoming
6.6 Introduction to DNS
6.7 High Availability (HA) Scenarios
    6.7.1 Firmware Update Procedure in HA Deployment
    6.7.2 HA Fallback to Single Unit Deployment

Appendix
Appendix A.1 Default Values
Appendix A.2 Console Mode Commands
Appendix A.3 Firmware Update
Appendix A.4 Configuration File
Figure

Figure 1.1 Cancel the Proxy Setting
Figure 1.2 AscenLink web-based UI Operating Menu Items
Figure 1.3 Configuring the WAN Interface in a Simple Network Environment
Figure 1.4 VLAN Port Mapping
Figure 1.5 Basic Setting
Figure 1.6 Basic Subnet Setting
Figure 1.7 Basic Subnet Settings
Figure 1.8 Network Architecture with Multiple WAN Links
Figure 1.9 Multiple WAN Links Example: VLAN and Port Mapping
Figure 1.10 Multiple WAN Links Example: WAN Link 1
Figure 1.11 Multiple WAN Links Example: WAN Link 2
Figure 1.12 Multiple WAN Links Example: WAN Link 2
Figure 1.13 Multiple WAN Links Example: LAN Private Subnet
Figure 1.14 Public IP Address Pass-Through
Figure 1.15 Use the Existing Firewall with AscenLink
Figure 1.16 Rack-mount your AscenLink
Figure 1.17 HA Console Port

Figure 2.1 The Location of System/Summary on the Menu Bar
Figure 2.2 The Location of System/Network Setting on the Menu Bar
Figure 2.3 The Location of DNS Server on the Menu Bar
Figure 2.4 The Location of VLAN and Port Mapping on the Menu Bar
Figure 2.5 VLAN Switch and AscenLink
Figure 2.6 LAN and DMZ HA Deployment Sample
Figure 2.7 UI configuration for Redundant LAN/DMZ Port
Figure 2.8 Support Switch HA
Figure 2.9 Settings for Switch HA Support
Figure 2.10 LAN Private Subnet Settings for Switch HA Support
Figure 2.11 The Location of WAN Setting on the Menu Bar
Figure 2.12 WAN Setting / Basic Setting
Figure 2.13 Types of Basic Subnets
Figure 2.14 Types of Static Routing Subnet
Figure 2.15 Subnet in WAN of Basic Subnet
Figure 2.16 Subnet in WAN Setting of Basic Subnet
Figure 2.17 Subnet in DMZ of Basic Subnet
Figure 2.18 Subnet in DMZ Setting of Basic Subnet
Figure 2.19 Subnet in WAN and DMZ of Basic Subnet
Figure 2.20 Subnet in WAN and DMZ Setting in Basic Subnet
Figure 2.21 Subnet on Localhost of Basic Subnet
Figure 2.22 Subnet on Localhost Setting of Basic Subnet
Figure 2.23 Subnet in WAN of Static Routing Subnet
Figure 2.24 Subnet in WAN Setting of Static Routing Subnet
Figure 2.25 Subnet in DMZ of Static Routing Subnet
Figure 2.26 Subnet in DMZ Setting of Static Routing Subnet
Figure 2.27 Bridge Mode: One Static IP
Figure 2.28 Bridge Mode: One Static IP Setting
Figure 2.29 Bridge Mode: Multiple Static IP
Figure 2.30 Bridge Mode: Multiple Static IP Setting
Figure 2.31 Bridge Mode: PPPoE Setting
Figure 2.32 Bridge Mode: DHCP Client Setting
Figure 2.33 The Location of WAN/DMZ Private Subnet on the Menu Bar
Figure 2.34 Types of Subnets in WAN/DMZ
Figure 2.35 Types of Subnets in Static Routing Subnet
Figure 2.36 Subnet in WAN of Basic Subnet in WAN/DMZ
Figure 2.37 Subnet in WAN Setting of Basic Subnet in WAN/DMZ
Figure 2.38 Subnet in DMZ of Basic Subnet in WAN/DMZ
Figure 2.39 Subnet in DMZ Setting of Basic Subnet in WAN/DMZ
Figure 2.40 Subnet in WAN/DMZ of Basic Subnet in WAN/DMZ
Figure 2.41 Subnet in WAN/DMZ Setting of Basic Subnet in WAN/DMZ
Figure 2.42 Subnet on Localhost of Basic Subnet in WAN/DMZ
Figure 2.43 Subnet on Localhost Setting of Basic Subnet in WAN/DMZ
Figure 2.44 Subnet in WAN of Static Routing Subnet in WAN/DMZ
Figure 2.45 Subnet in WAN Setting of Static Routing Subnet in WAN/DMZ
Figure 2.46 Subnet in DMZ of Static Routing Subnet in WAN/DMZ
Figure 2.47 Subnet in DMZ Setting of Static Routing Subnet in WAN/DMZ
Figure 2.48 The Location of LAN Private Subnet on the Menu Bar
Figure 2.49 LAN Private Subnet / Basic Subnet
Figure 2.50 LAN Private Subnet / Basic Subnet Setting
Figure 2.51 LAN Private Subnet / RIP Configuration
Figure 2.52 LAN Private Subnet / OSPF Setting
Figure 2.53 LAN Private Subnet / Static Routing Subnet
Figure 2.54 LAN Private Subnet / Static Routing Subnet Setting
Figure 2.55 The Location of System/WAN Link Health Detection on Menu Bar
Figure 2.56 The Location of System/Optimum Route Detection on Menu Bar
Figure 2.57 The Location of System/Port Speed Duplex Setting on Menu Bar
Figure 2.58 The Location of System/Backup Line Setting on the Menu Bar
Figure 2.59 The Location of System/IP Grouping on the Menu Bar
Figure 2.60 The Location of System/Service Grouping on the Menu Bar
Figure 2.61 Service Grouping
Figure 2.62 The Location of System/Busyhour Setting on the Menu Bar
Figure 2.63 A Busy-hour Setting Example
Figure 2.64 The Location of System/Diagnostic Tools on the Menu Bar
Figure 2.65 The Location of System/Date/Time on the Menu Bar
Figure 2.66 The Location of System/Administration on the Menu Bar
Figure 2.67 The Location of System/Administration on the Menu Bar

Figure 3.1 The Location of Service on the Menu Bar
Figure 3.2 The Location of Service/Firewall on the Menu Bar
Figure 3.3 Network Architecture for Firewall Service
Figure 3.4 Network Architecture for Firewall Service 2
Figure 3.5 The Location of Service/NAT on the Menu Bar
Figure 3.6 The Settings of NAT Rules
Figure 3.7 NAT Setting
Figure 3.8 Network Architecture for No-NAT
Figure 3.9 The Location of Service/Persistent Routing on the Menu Bar
Figure 3.10 Network Architecture for Persistent Routing 1
Figure 3.11 Network Architecture for Persistent Routing 2
Figure 3.12 The Location of Service/Auto Routing on the Menu Bar
Figure 3.13 Network Architecture for Auto Routing 1
Figure 3.14 Network Architecture for Auto Routing 2
Figure 3.15 Network Architecture for Auto Routing Example 3
Figure 3.16 The Location of Service/Virtual Server on the Menu Bar
Figure 3.17 Network Architecture for Virtual Server 1
Figure 3.18 Network Architecture for Virtual Server 2
Figure 3.19 The Location of Service/Inbound BM on the Menu Bar
Figure 3.20 The Screenshot of Inbound BM Classes
Figure 3.21 Network Architecture for Inbound BM 1
Figure 3.22 Network Architecture for Inbound BM 2
Figure 3.23 The Location of Service/Outbound BM on the Menu Bar
Figure 3.24 Network Architecture for Outbound BM 1
Figure 3.25 Network Architecture for Outbound BM 2
Figure 3.26 The Location of Service/Connection Limit on the Menu Bar
Figure 3.27 The Screenshot of Connection Limit
Figure 3.28 Example of Connection Limit
Figure 3.29 The Location of Service/Cache Redirect on the Menu Bar
Figure 3.30 The Settings of Cache Redirect
Figure 3.31 Sequence of the Requests and Responses in Cache Miss Case
Figure 3.32 Sequence of the Requests and Responses in Cache Hit Case
Figure 3.33 The Location of Service/Tunnel Routing on the Menu Bar
Figure 3.34 Example 2 of Tunnel Routing
Figure 3.35 Example 3 of Tunnel Routing
Figure 3.36 Example 4 of Tunnel Routing
Figure 3.37 The Location of Service/Multihoming on the Menu Bar
Figure 3.38 Global Setting in Multihoming Policy
Figure 3.39 The Settings of Multihoming Policy
Figure 3.40 Domain Setting
Figure 3.41 Enable Relay in Multihoming Policy
Figure 3.42 Multihoming Example 1: Network Architecture
Figure 3.43 Multihoming Example 2: Network Architecture
Figure 3.44 The Location of Service/Internal DNS on the Menu Bar
Figure 3.45 The Location of Service/SNMP on the Menu Bar
Figure 3.46 The Location of Service/IP-MAC MAPPING on the Menu Bar

Figure 4.1 Statistics
Figure 4.2 Statistics/Traffic
Figure 4.3 Statistics/BM
Figure 4.4 Statistics/Persistent Routing
Figure 4.5 Statistics/WAN Link Health Detection
Figure 4.6 Statistics/Dynamic IP WAN Link
Figure 4.7 Statistics/DHCP Lease Info
Figure 4.8 Statistics/RIP & OSPF Status
Figure 4.9 Statistics/Tunnel Status
Figure 4.10 Statistics/Tunnel Traffic
Figure 4.11 Statistics/Connection Limit
Figure 4.12 Statistics/Port Information
Figure 4.13 Statistics/Virtual Server Status

Figure 5.1 The Location of Log and its Function on the Menu Bar
Figure 5.2 The Location of Log/View Page Menu Bar
Figure 5.3 The Location of Log/Control Page on the Menu Bar
Figure 5.4 The Location of Log/Notification Page on the Menu Bar
Figure 5.5 Notification Setting
Figure 5.6 The Location of Log/LinkReport Page on the Menu Bar
Figure 5.7 LinkReport Fields

Figure 6.1 Bridge Mode: One Static IP
Figure 6.2 WAN Type: Routing Mode
Figure 6.3 Private Subnet Between WAN Router and AscenLink
Figure 6.4 Multiple WAN Links in Routing Mode
Figure 6.5 By-pass a Broken Link Manually
Figure 6.6 By-pass a Broken Link using Auto Routing
Figure 6.7 Switch to Fail-over Policy on Fixed Routing Policy
Figure 6.8 Typical Connections in a Multihoming Environment
Figure 6.9 Multihoming Example
Table

Table 1.1 Buttons
Table 1.2 Operating Rules
Table 1.3 Checkbox
Table 1.4 Local LAN Setting
Table 1.5 DHCP Server Setting
Table 1.6 The Cable Type for Connecting AscenLink to Other Network Devices

Table 2.1 System Information
Table 2.2 Peer Information
Table 2.3 Optional Functions Information
Table 2.4 VLAN Tag and AscenLink Port Mapping
Table 2.5 Field description for the Redundant Port configuration
Table 2.6 Basic Setting Table in Routing Mode
Table 2.7 OSPF Settings Table
Table 2.8 Static IP table setting of Optimum Route Detection
Table 2.9 Dynamic detection setting of Optimum Route Detection
Table 2.10 Port Speed/Duplex Setting
Table 2.11 Threshold Parameters
Table 2.12 Backup Line Rules
Table 2.13 IP Grouping
Table 2.14 Rules Setting of IP Grouping
Table 2.15 Busy-hour Setting
Table 2.16 Central Management Setting
Table 2.17 Administration Password Setting
Table 2.18 Monitor Password Setting

Table 3.1 The Description of the Fields on Firewall Page
Table 3.2 Firewall Settings of Example 1
Table 3.3 Firewall Settings Example 2
Table 3.4 The Description of the Fields on the NAT Page
Table 3.5 The Description of the Fields on the Persistent Routing Page
Table 3.6 The Settings for Persistent Routing Example 1
Table 3.7 The Settings for Persistent Routing Example 2
Table 3.8 The Description of the Fields in the Auto Routing Policy Table
Table 3.9 The Description of the Fields in the Auto Routing Filter Table
Table 3.10 The Settings for Auto Routing Example 1: Policies
Table 3.11 The Settings for Auto Routing Example 1: Filters
Table 3.12 The Settings for Auto Routing Example 2: Policies
Table 3.13 The Settings for Auto Routing Example 2: Filters
Table 3.14 WAN link information of Auto Routing Example 3
Table 3.15 Auto Routing: Tunnel Routing Log Setting (San Jose Headquarters)
Table 3.16 Auto Routing: Tunnel Group Setting (San Jose Headquarters)
Table 3.17 Auto Routing: Routing Rules Setting (San Jose Headquarters)
Table 3.18 Auto Routing: Auto Routing Policies Setting (San Jose HQs)
Table 3.19 Auto Routing: Auto Routing Filters Setting (San Jose Headquarters)
Table 3.20 Auto Routing: Tunnel Routing Log Setting (Shanghai Office)
Table 3.21 Auto Routing Example: Tunnel Group Setting (Shanghai Office)
Table 3.22 Auto Routing Example: Routing Rules Setting (Shanghai Office)
Table 3.23 Auto Routing: Auto Routing Policies Setting (Shanghai Office)
Table 3.24 Auto Routing: Auto Routing Filters Setting (Shanghai Office)
Table 3.25 The Description of the Fields on Virtual Server Page
Table 3.26 The Settings for Virtual Server Example 1
Table 3.27 The Settings for Virtual Server Example 2
Table 3.28 The Description of the Fields in the Inbound BM Class Table
Table 3.29 The Description of the Fields in the Inbound BM Filter Table
Table 3.30 The Settings for Inbound BM Example 1: Classes
Table 3.31 The Settings for Inbound BM Example 1: Filters
Table 3.32 The Settings for Inbound BM Example 2: Classes
Table 3.33 The Settings for Inbound BM Example 2: Filters
Table 3.34 The Description of the Fields in the Outbound BM Class Table
Table 3.35 The Description of the Fields in the Outbound BM Filter Table
Table 3.36 The Settings for Outbound BM Example 1: Classes
Table 3.37 The Settings for Outbound BM Example 1: Filters
Table 3.38 The Settings for Outbound BM Example 2: Classes
Table 3.39 The Settings for Outbound BM Example 2: Filters
Table 3.40 The Settings of Connection Limit Log Interval
Table 3.41 The Settings of Connection Limit Rules
Table 3.42 The Description of the Fields in Cache Group
Table 3.43 The Description of the Fields in Redirect Rules
Table 3.44 Description of Tunnel Route Log and Local Host ID
Table 3.45 The Description of the Fields in Tunnel Group
Table 3.46 The Description of the Fields in Routing Rules
Table 3.47 The Description of the Fields in Persistent Rules
Table 3.48 The Description of the Fields in Benchmark
Table 3.49 The Description of the Testing Page
Table 3.50 Example of Tunnel Routing
Table 3.51 The Settings for Tunnel Routing Example 1: Tunnel Groups
Table 3.52 The Settings for Tunnel Routing Example 1: Routing Rules
Table 3.53 The Settings for Tunnel Routing Example 2: Tunnel Group
Table 3.54 The Settings for Tunnel Routing Example 2: Routing Rules
Table 3.55 The Settings for Tunnel Routing Example 3: Tunnel Group
Table 3.56 The Settings for Tunnel Routing Example 3: Routing Rules
Table 3.57 The Settings for Tunnel Routing Example: Inbound BM Filter
Table 3.58 The Settings for Tunnel Routing Example: Outbound BM Filter
Table 3.59 TR Example 2: WAN Link Information
Table 3.60 TR Example 2: Settings of Log and Local Host ID (Beijing)
Table 3.61 TR Example 2: Tunnel Group Settings in Beijing Headquarters
Table 3.62 TR Example 2: Routing Rules in Beijing Headquarters
Table 3.63 TR Example 2: Settings of Log and Local Host
ID (Shanghai) ...........3-83 Table 3.64 TR Example 2: Tunnel Group Settings in Shanghai Office.................3-84 Table 3.65 TR Example 2: Routing Rules in Shanghai Office...............................3-84 Table 3.66 TR Example 3: WAN Link Information.................................................3-85 Table 3.67 TR Example 3: Settings of Log and Local Host ID (San J ose) ...........3-86 Table 3.68 TR Example 3: Tunnel Group Settings in San J ose Headquarters.....3-86 Table 3.69 TR Example 3: Routing Rules in San J ose Headquarters ..................3-87 Table 3.70 TR Example 3: Settings of Log and Local Host ID (Beijing)................3-87 Table 3.71 TR Example 3: Tunnel Group Settings in Beijing Branch Office.........3-87 Table 3.72 TR Example 3: Routing Rules in Beijing Branch Office.......................3-87 Table 3.73 TR Example 3: Settings of Log and Local Host ID (Hong Kong) ........3-88 Table 3.74 TR Example 3: Tunnel Group Settings in Hong Kong Branch Office..3-88 Table 3.75 TR Example 3: Routing Rules in Hong Kong Branch Office...............3-88 Content XII
Table 3.76 TR Example 4: WAN Link Information................................................ 3-90 Table 3.77 TR Example 4: Settings of Log and Local Host ID (San J ose)........... 3-90 Table 3.78 TR Example 4: Tunnel Group Settings in San J ose Headquarters .... 3-90 Table 3.79 TR Example 4: Routing Rules in San J ose Headquarters.................. 3-91 Table 3.80 TR Example 4: Auto Routing policies in San J ose Headquarters....... 3-91 Table 3.81 TR Example 4: Auto Routing Filters in San J ose Headquarters......... 3-91 Table 3.82 TR Example 4: Settings of Log and Local Host ID (Beijing) ............... 3-91 Table 3.83 TR Example 4: Tunnel Group Settings in Beijing Branch Office......... 3-92 Table 3.84 TR Example 4: Routing Rules in Beijing Branch Office...................... 3-92 Table 3.85 TR Example 4: Settings of Log and Local Host ID (Hong Kong)........ 3-92 Table 3.86 TR Example 4: Tunnel Group Settings in Hong Kong Branch Office.. 3-93 Table 3.87 TR Example 4: Routing Rules in Hong Kong Branch Office............... 3-93 Table 3.88 TR Example 4: Auto Routing policies in Hong Kong Branch Office.... 3-93 Table 3.89 TR Example 4: Auto Routing Filters in Hong Kong Branch Office...... 3-93 Table 3.90 The Description of the Fields in Multihoming Global Setting.............. 3-97 Table 3.91 The Description of the Fields in Multihoming Policy........................... 3-99 Table 3.92 The Description of the Fields in Domain Setting............................... 3-100 Table 3.93 The Description of the Fields in Enable Relay.................................. 3-101 Table 3.94 Multihoming Example 1: Virtual Server Settings............................... 3-102 Table 3.95 Multihoming Example 1: Policy Settings........................................... 3-103 Table 3.96 Multihoming Example 1: Domain Settings........................................ 3-103 Table 3.97 Multihoming Example 2: Virtual Server Settings............................... 
3-105 Table 3.98 Multihoming Example 2: Policy Settings........................................... 3-105 Table 3.99 Multihoming Example 2: Domain Settings........................................ 3-105 Table 3.100 The Description of the Fields in Global Setting............................... 3-107 Table 3.101 The Description of the Fields in Domain Setting............................. 3-108 Table 3.102 The Description of the Fields in SNMP V1/2................................... 3-109 Table 3.103 The Description of the Fields in SNMP V3.......................................3-110 Table 3.104 The Description of the Fields in IP-MAC MAPPING........................3-111 Table 4.1 Statistics/Traffic Field and Description.................................................... 4-6 Table 4.2 Statistics/BM Field and Description......................................................... 4-8 Table 4.3 Statistics/Persistent RoutingField and Description............................... 4-10 Table 4.4 Statistics/WAN Link Health Detection Field and Description................ 4-12 Table 4.5 Statistics/Dymatic IP WAN Link Field and Description.......................... 4-14 AscenLink User Manual
XIII Table 4.6 Statistics/DHCP Lease InfoField and Description..................................4-16 Table 4.7 Statistics/RIP Status Field and Description............................................4-18 Table 4.8 Statistics/Tunnel Status Field and Description.......................................4-20 Table 4.9 Statistics/Tunnel Traffic Field and Description.......................................4-21 Table 4.10 Statistics/Connection Limit Field and Description................................4-23 Table 4.11 Statistics/Port Information Field and Description.................................4-24 Table 4.12 Statistics/Virtual Server Status Field and Description..........................4-26 Table 5.1 The Description of the Fields on Log/View Page. ...................................5-6 Table 5.2 The Description of the Fields on Log/Control Page.................................5-8 Table 5.3 Method: FTP ............................................................................................5-9 Table 5.4 Method: E-mai .........................................................................................5-9 Table 5.5 Notification and its Function.................................................................. 5-11 Table 5.6 SNMP Trap Setting................................................................................ 5-11 Table 5.7 Event Types to Notify............................................................................. 5-11 Table 5.8 The Description of the Fields on LinkReport Page................................5-13 Table 5.9 The Description of Events .....................................................................5-13
Table of Content

Chapter 1 Quick Start
1.1 Preparation
1.2 Access to the Web-based UI
1.3 AscenLink Web-based UI Overview
1.4 How to use AscenLink Web-based UI
1.4.1 AscenLink Operating Menu
1.4.2 AscenLink Rule/Filter/Policy Table
1.4.3 Languages
1.5 Basic Network Settings
1.5.1 WAN Interface Configuration
1.5.2 LAN Interface Configuration
1.6 Typical Network Architecture with Multiple WAN Links
1.7 Public IP Address Pass-Through
1.7.1 Use the Existing Firewall with AscenLink
1.8 Hardware Installation
1.8.1 How to rack-mount your AscenLink
1.8.2 Connecting AscenLink to other network devices
1.9 AscenLink in HA (High Availability) Mode
1.9.1 Installing AscenLink in HA mode
1.9.2 HA Setting

Figure
Figure 1.1 Cancel the Proxy Setting
Figure 1.2 AscenLink web-based UI Operating Menu Items
Figure 1.3 Configuring the WAN Interface in a Simple Network Environment
Figure 1.4 VLAN Port Mapping
Figure 1.5 Basic Setting
Figure 1.6 Basic Subnet Setting
Figure 1.7 Basic Subnet Settings
Figure 1.8 Network Architecture with Multiple WAN Links
Figure 1.9 Multiple WAN Links Example: VLAN and Port Mapping
Figure 1.10 Multiple WAN Links Example: WAN Link 1
Figure 1.11 Multiple WAN Links Example: WAN Link 2
Figure 1.12 Multiple WAN Links Example: WAN Link 2
Figure 1.13 Multiple WAN Links Example: LAN Private Subnet
Figure 1.14 Public IP Address Pass-Through
Figure 1.15 Use the Existing Firewall with AscenLink
Figure 1.16 Racking-mount your AscenLink
Figure 1.17 HA Console Port
Table
Table 1.1 Buttons
Table 1.2 Operating Rules
Table 1.3 Checkbox
Table 1.4 Local LAN Setting
Table 1.5 DHCP Server Setting
Table 1.6 The Cable Type for Connecting AscenLink to Other Network Devices

Chapter 1 Quick Start

This chapter explains the basic functions of AscenLink and how to operate and configure the system. It also covers related subjects in network structures and hardware installation that will help you during the initial setup of AscenLink.

1.1 Preparation

Before you get started, there are a few things you need to know:

- The number and position of LAN ports are slightly different in each AscenLink model. The AscenLink 430, for example, has five network interfaces: the second-to-last interface is a LAN port and the last one is a DMZ port. This does not apply to other models.
- The default IP address of the LAN interface is 192.168.0.1.
- Change the IP addresses of the computers in the LAN to 192.168.0.2 (or 192.168.0.x) to avoid conflicts with the default LAN port.
- Connect the computers in the LAN to AscenLink with a cross-over cable, which is a standard attachment of the product.
- To access the web-based administration UI, open https://192.168.0.1/ in Internet Explorer 6.0.
- The default password is 1234 for the administrator account and 5678 for the monitor account. We strongly recommend that you change the passwords the first time you log in to the web-based UI. It is also a good idea to write down the changed passwords and keep them in a safe place for future reference.
- Check your network environment carefully before installing AscenLink. A well-designed network environment, with the necessary information such as your network structure, IP address allocation, and network segment information at hand, will help you complete the setup of the AscenLink parameters.
AscenLink uses a web-based management user interface (Web-based UI). Due to internal design constraints, you have to use MS Internet Explorer 6.0 (IE 6.0) or higher to access the Web-based UI. A screen resolution of 800x600 or higher is also recommended.

Use a cross-over cable connected to the LAN port to access the AscenLink Web-based UI. AscenLink is shipped with two optional types of CAT-5 network cable: a cross-over cable and a straight cable. Be sure to use the cross-over cable to connect the computer to the LAN port of AscenLink; the LED of the LAN port lights up once it is properly connected.

1.2 Access to the Web-based UI

The Web-based UI enables you to easily perform every configuration task. Follow the steps below to access the Web-based UI:

1. Connect the Ethernet LAN interface of your PC to the LAN port of AscenLink with a cross-over cable. The default management LAN port of AscenLink is port 4 (interface indicated as 4). You can change the interface attributes when necessary, for example to WAN, LAN or DMZ.
2. After AscenLink is powered on, the self-diagnosis emits 3 short beeps to indicate that AscenOS is initialized and activated, and the LED of the LAN port turns orange.
3. Assign an IP address and a subnet mask to the Ethernet LAN interface of your PC, for example 192.168.0.2 and 255.255.255.0.
4. Turn off the proxy setting of your IE browser; no proxy server is required to access AscenLink's Web-based UI. Open MS IE 6.0, select Internet Option in the Tools menu, click the Connection tab, and then click LAN settings to open the Local Area Network Settings dialog box. Under Proxy server, make sure proxy server is not selected.
5. In the URL field of IE 6.0, type https://192.168.0.1 to access the Web-based UI. Make sure it is https instead of http so that you have a secure connection between AscenLink and the host PC.
6. AscenLink provides two types of user accounts:
   Administrator: Has privileges to monitor and modify system parameters.
   Monitor: Can only monitor.
   AscenLink allows up to 1 administrator and 5 monitors to access concurrently. When a later Administrator logs in, the former one is automatically logged out and becomes a Monitor. The default passwords for Administrator and Monitor are 1234 and 5678, respectively.

Recommendation: change the password the first time you log in for easy management.
Figure 1.1 Cancel the Proxy Setting

1.3 AscenLink Web-based UI Overview

After logging in, you will be able to start configuring or monitoring AscenLink through the Web-based UI. The Web-based UI tasks are grouped into five categories:

- System
- Service
- Statistic
- Log
- Language

The categories are located at the top left corner of the Web-based UI task bar. These categories cover all the configuration possibilities in AscenLink. A detailed description of each category will be covered in subsequent chapters.
Changing Password

Log in as an Administrator in the Web-based UI and modify the Administrator or Monitor password by performing the following steps:

1. Log in as: Administrator. Enter the default password: 1234.
2. Click System and then Administration at the top of the window.
3. Under the field Administrator Password, select Administrator in the Select Account field, and then type your new password in both the New Password and Password Verification fields.
4. Click Set Password to accept the new password you just set.

Note: The change takes effect immediately on AscenLink; there is no need to restart the system. Use the new password the next time you log in.

If you forget your administrator password, use a terminal (VT-100 compatible) to connect the RS-232 serial port of your PC to the AscenLink Console interface (Default User Account: Administrator, Password: ascenlink), then execute the resetpasswd command to restore the password to the default setting. Please refer to the Appendix in this manual for more information about Console commands.

Changing Language

AscenLink's Web-based UI supports multiple languages. To switch the display language, click Language on the menu; two languages are available, English and Simplified Chinese.

1.4 How to use AscenLink Web-based UI

This section describes the operations and arrangement of the Web-based UI. Figure 1.2 displays the operating menu of the AscenLink Web-based UI after the initial log-in.
Figure 1.2 AscenLink web-based UI Operating Menu Items

1.4.1 AscenLink Operating Menu

The operating menu contains five categories: System, Service, Statistics, Log, and Language. Each category has its own submenu. System/Summary in Figure 1.2 indicates the current working menu, while Administrator@192.168.0.74 indicates that the login account is Administrator at the system name 192.168.0.74. Click Logout at the top right corner of the window to exit the system.

The Apply, Reload, and Help/Hide Help buttons are always displayed on the operating menu. Their functions are described below:

Button | Function
Apply | After modifying the parameters of a specific menu page, click this button to save your changes to memory; the old settings will also be saved.
Reload | Click this button to recover the old settings which Apply had saved.
Help / Hide Help | Click the Help button to display the online help of the current page. The online help information changes automatically when you change the function page or language. Click Hide Help to hide the online help information.

Table 1.1 Buttons

Note: The Apply and Reload buttons are active only on certain pages. Any parameters modified without clicking Apply will not be saved to memory. Remember to click Apply before you move to the next page menu or log out.

1.4.2 AscenLink Rule/Filter/Policy Table

Orders of Rules/Filters/Policies

When you perform tasks such as setting system parameters or defining service policies, you are often required to add or delete rules of your own. In general, when you have multiple rules in one table, AscenLink matches these rules from top to bottom (top-down evaluation). That is, the rules at the top of the table are given higher precedence. Thus, to achieve the outcome you want, place the more specific rules above the less specific rules.

Here are a few icons you will see in these tables, and their meanings:

- Add a new rule below the current rule.
- Move the current rule one row down.
- Move the current rule one row up.
- Delete the current rule.
- Write a note for the current rule.

Table 1.2 Operating Rules

A newly added rule is placed right below the current rule. Moving a rule up or down swaps the positions of the upper and lower rules.

Checkbox

Some tables contain the following checkboxes. These checkboxes indicate whether certain functions are enabled or not. A red check sign inside a checkbox stands for enabled, and an empty checkbox means disabled. For example, you can enable logging for a rule by checking its checkbox in the rule table.
Checkbox | Meaning
Empty checkbox | The function is disabled.
Red check sign | The function is enabled.

Table 1.3 Checkbox

So far, we have only mentioned the basic operations of the Web-based UI. The next section gives more instructions on how to integrate AscenLink into your present network environment.

1.4.3 Languages

To select your preferred language, move your mouse cursor over the last item, Language, on the menu bar. A list of available languages is shown in the sub-menu. English and Simplified Chinese are offered in this version.
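The top-down matching described in section 1.4.2, shown as an added example that is not part of the AscenLink manual or its software: a first-match evaluator over a rule table, plus a check that reports rules that can never fire because a broader rule sits above them. The rule fields (source network, destination port, action), the default action, and the sample rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_PORT = None  # hypothetical wildcard meaning "any destination port"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str             # source network in CIDR form
    port: Optional[int]     # destination port, or ANY_PORT
    action: str             # "accept" or "deny"

    def network(self):
        return ipaddress.ip_network(self.source)

    def matches(self, src_ip, dst_port):
        in_net = ipaddress.ip_address(src_ip) in self.network()
        return in_net and (self.port is ANY_PORT or self.port == dst_port)

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        net_ok = other.network().subnet_of(self.network())
        port_ok = self.port is ANY_PORT or self.port == other.port
        return net_ok and port_ok


def evaluate(table, src_ip, dst_port, default="deny"):
    """Walk the table from top to bottom; the first matching rule decides.

    The default action for unmatched traffic is an assumption of this example.
    """
    for rule in table:
        if rule.matches(src_ip, dst_port):
            return rule.name, rule.action
    return "(default)", default


def shadowed_rules(table):
    """Report rules that can never match because a rule above covers them.

    Returns (shadowed, shadowing, conflict) tuples; conflict is True when the
    two rules disagree on the action, which is the case that changes behaviour.
    """
    findings = []
    for index, lower in enumerate(table):
        for upper in table[:index]:
            if upper.covers(lower):
                findings.append((lower.name, upper.name, upper.action != lower.action))
                break
    return findings


# Constructed sample tables: the same two rules in both orders.
LAN_ANY = Rule("lan-any", "192.168.0.0/24", ANY_PORT, "accept")
BLOCK_TELNET = Rule("block-host-telnet", "192.168.0.50/32", 23, "deny")

BROAD_FIRST = [LAN_ANY, BLOCK_TELNET]      # less specific rule on top
SPECIFIC_FIRST = [BLOCK_TELNET, LAN_ANY]   # order recommended in section 1.4.2

if __name__ == "__main__":
    for label, table in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, evaluate(table, "192.168.0.50", 23), shadowed_rules(table))
```

With the broad rule on top, the deny rule for the single host is never reached; reversing the order restores the intended result.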
1.5 Basic Network Settings

1.5.1 WAN Interface Configuration

In this section, we walk you through a simple example to configure AscenLink step by step. The network architecture in this example is illustrated below.

Figure 1.3 Configuring the WAN Interface in a Simple Network Environment

Once the topology is set, we must define the network interfaces. Because AscenLink provides the flexibility of configuring network interfaces individually, you can define each port to be either a WAN, LAN, or DMZ port. In this example, we would like to map Port2 as a WAN port, Port1 as a LAN port, and Port5 as a DMZ port. To achieve this, go to [System] -> [Network Settings] -> [VLAN and port Mapping]. This is the place where the network interfaces are defined. For the above settings, the table will look like the one below:

Figure 1.4 VLAN Port Mapping

After configuring your VLAN and Port Mapping, the next step is the WAN setting configuration. [WAN Setting] is located on the same page as [VLAN and Port Mapping]. Click the [WAN Setting] tab to see the page for the WAN setting. Before configuring your WAN setting, make sure you know which of the public IPs from your ISP is the gateway. This information should have been given to you when you first applied for a WAN connection with your ISP. It is essential to make your WAN connection work properly.
The procedure for configuring WAN settings is listed below:

1. Select the number of WAN links you want to configure. If you have multiple links, you can only edit one WAN link at a time, according to priority.
2. In the [Basic Setting] table, tick the checkbox next to Enable to activate the WAN link.
3. [WAN Type] Select your WAN type in the second field. Several options are available in this dropdown list. The WAN type depends on how your ISP allocates the WAN links. If you are given a sub-network with a group of public IPs, choose Routing Mode; if you are given a single public IP, configure your WAN type as Bridge Mode: One Static IP. In this example, we assume our WAN type is Routing Mode.
4. [Down Stream] & [Up Stream] In the third and fourth fields, fill in the upstream and downstream bandwidth limits of your WAN link.
5. [Default Gateway] Fill in the gateway's IP address in the fifth field. In this example, it is 211.33.10.9 (Router Address).
6. [MTU] defines the packet size in transmission, e.g. 1500.
7. [WAN Port] Fill the last field with the physical port number the WAN link is connected to. This is the physical port on AscenLink. In this example, Port2.

Figure 1.5 Basic Setting

After finishing your [Basic Setting] table, provide the information on your subnet in [Basic Subnet]:

1. There are several options in [Subnet Type]. We use [Subnet in WAN and DMZ], the most common case in network architectures.
2. [IP(s) on Localhost] Fill in the IP addresses on AscenLink in the [IP(s) on Localhost] field. These IP addresses are allocated by the ISP. In this example, they are the two IPs bound to Port 2: 211.30.10.11 and 211.30.10.12. You can add a new IP address by clicking the [+] icon, or add a continuous range of IP addresses by using a hyphen (-) to connect the starting and the ending IP address, for example, 211.30.10.11-211.30.10.12.
3. [IP(s) in WAN] Fill in the IP addresses of the WAN in the [IP(s) in WAN] field. In this example, they are 211.30.10.9 and 211.30.10.13. The former is the IP address of the gateway. The latter is the IP address of the server in the WAN.
4. [Netmask] Fill in the netmask provided by your ISP. In this example, it is 255.255.255.248.
5. [DMZ Port] Specify your DMZ port in the [DMZ port] field. In this example, port 5 on AscenLink is used as the DMZ port. To assign ports to the different functions (WAN, LAN, DMZ, etc.), use [VLAN and Port Mapping].
6. When machines in the WAN environment use AscenLink as the DHCP server to obtain dynamic IP addresses, administrators can enable DHCP and specify the IP range for the clients. When machines use static IPs, administrators can specify the designated IP in [Static Mapping], together with the MAC address of the network interface of these machines.
7. Press [Apply] to update all the parameters you have just entered.

This is the part related to WAN settings. We will move to LAN settings in the next section.
Figure 1.6 Basic Subnet Setting

1.5.2 LAN Interface Configuration

AscenLink provides DMZ with IP Pass Through, which can be configured at [System] -> [Networking Setting] -> [LAN Private Subnet]. You can assign a public IP to a machine in the DMZ; with the IP Pass Through feature, all packets are then moved transparently to the WAN interface through AscenLink.

When a LAN client wants to access the WAN IP addresses of virtual servers, the packets may sometimes bypass AscenLink and cause a connection failure. You can enable NAT Subnet for Virtual Server to force the client's source IP address to be translated into this LAN's IP address, which ensures that all packets from the client pass through AscenLink.

Local LAN Setting

The IP address of a specific LAN port is assigned in the Subnet Detail table.

Field | Description
IP(s) on Localhost | Identify the localhost IP address of the specific LAN port.
Netmask | Identify the subnet mask of the specific LAN port.
LAN Port | Identify the LAN port ID.

Table 1.4 Local LAN Setting

DHCP Server Setting

If you would like to assign dynamic IPs to the client hosts in the same subnet, enable the DHCP Server to perform this task. DHCP static mapping is supported.

Field | Description
Enable DHCP | Enables the DHCP server on the specific LAN port interface.
Starting Address | Specify the range of starting addresses that the DHCP server can assign.
Ending Address | Specify the range of ending addresses that the DHCP server can assign.
Static Mapping | You can configure a client reservation to reserve a specific IP address for use by a DHCP client host, so the client host always has the same address. In the IP address box, type the IP address that you want to reserve for a specific client. In the MAC Address box, type the MAC address of the host's network adapter. Do use colons in the MAC address.

Table 1.5 DHCP Server Setting

To configure your LAN settings, go to [System] -> [Networking Setting] -> [LAN Private Subnet]. AscenLink provides DMZ with public IP pass through. In this example, we have a public IP 211.30.10.14 in the DMZ. AscenLink will simply let all packets from the WAN to this address pass through. The remaining work is to set up the IP for the LAN interface. In this example, enter 192.168.100.254 in [IP(s) on Localhost] and 255.255.255.0 in [Netmask].

When machines in the LAN environment use AscenLink as the DHCP server, first check the box to enable DHCP and specify the DNS Server IP. Ordinarily, DNS Server IPs are designated in the network environment for the purpose of inquiring. The DNS Server can be placed in the LAN where AscenLink is deployed. Note that the DNS Server IP must be one that can communicate with AscenLink. Then fill in the IP addresses that are allocated to the LAN hosts. For hosts that use fixed IPs, also fill in their MAC addresses and their static IP addresses in the [Static Mapping] field.

Click [Apply] when you finish the LAN settings. The system parameters are not updated until you apply.

The finished LAN setting for this example looks like the figure below:

Figure 1.7 Basic Subnet Settings
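A consistency check for the addresses entered in sections 1.5.1 and 1.5.2, added here as an example and not part of the AscenLink manual or firmware: it expands the hyphenated range notation and verifies that every address belongs to the subnet defined by the netmask, is not the network or broadcast address, and is not entered twice. The function names are hypothetical; the addresses are the ones used in the example above.

```python
import ipaddress


def expand_entry(entry):
    """Expand 'a.b.c.d' or the hyphen range form 'a.b.c.d-a.b.c.e' to a list."""
    first, _, last = entry.partition("-")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip()) if last else start
    if end < start:
        raise ValueError(f"range end is before range start: {entry}")
    return [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]


def check_subnet(netmask, localhost, wan, gateway, dmz_public=()):
    """Return a list of problems; an empty list means the settings agree."""
    entries = []
    for label, values in (("localhost", localhost), ("WAN", wan), ("DMZ", dmz_public)):
        for value in values:
            entries.extend((label, ip) for ip in expand_entry(value))
    gw = ipaddress.IPv4Address(gateway)

    # The subnet is derived from the first localhost IP and the netmask.
    first_local = entries[0][1]
    net = ipaddress.IPv4Network(f"{first_local}/{netmask}", strict=False)

    problems = []
    for label, ip in entries + [("gateway", gw)]:
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {ip} is the network or broadcast address of {net}")

    # The same address must not be entered in two places.
    seen = {}
    for label, ip in entries:
        if ip in seen:
            problems.append(f"{label} {ip} is already used as a {seen[ip]} address")
        else:
            seen[ip] = label
    return problems


# Values taken from the example in sections 1.5.1 and 1.5.2.
NETMASK = "255.255.255.248"
LOCALHOST = ["211.30.10.11-211.30.10.12"]
WAN = ["211.30.10.9", "211.30.10.13"]
DMZ_PUBLIC = ["211.30.10.14"]

if __name__ == "__main__":
    for gateway in ("211.30.10.9", "211.33.10.9"):
        print(gateway, check_subnet(NETMASK, LOCALHOST, WAN, gateway, DMZ_PUBLIC))
```

Run on the example's values, the check accepts 211.30.10.9, the gateway listed under [IP(s) in WAN], and reports 211.33.10.9, the value given in the [Default Gateway] step, as outside the 255.255.255.248 subnet.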
1.6 Typical Network Architecture with Multiple WAN Links

AscenLink reveals its full power in a network with multiple WAN links. In the next example, we illustrate how to set up your AscenLink with multiple WAN links (please see the figure below). Assume we have two WAN links, WAN1 and WAN2, from different ISPs, and both of them use public IPs for the WAN ports. The LAN interface uses a private IP, and AscenLink is configured as the gateway for the LAN. The DMZ interface is configured as another gateway. All the hosts in the LAN are connected to the Internet (WAN) using NAT/NAPT (Network Address/Port Translation) through AscenLink.

Figure 1.8 Network Architecture with Multiple WAN Links

The above example requires you to configure settings in different tabs under [System] -> [Network Setting]:

- [VLAN and Port Mapping]: define AscenLink's interfaces (WAN, LAN or DMZ)
- [WAN setting]: configure your settings for both WAN links
- [WAN/DMZ Private Subnet]: configure your DMZ settings
- [LAN Private Subnet]: configure your LAN settings

Refer to the network architecture figure above; the settings for each tab are shown below.

VLAN and Port Mapping:

Port | Function
Port1 | WAN
Port2 | WAN
Port3 | LAN
Port4 | DMZ
Figure 1.9 Multiple WAN Links Example: VLAN and Port Mapping

WAN Setting:

The parameters for WAN link 1 are shown below, assuming that both its upstream and downstream bandwidth are 512k and the netmask is 255.255.255.248.
Figure 1.10 Multiple WAN Links Example: WAN Link 1

WAN link 2 is configured in a similar manner:
Figure 1.11 Multiple WAN Links Example: WAN Link 2

WAN/DMZ Private Subnet:

In this example, the sub-network connected to the DMZ interface is allocated a private IP address. Therefore, the DMZ interface is the gateway for the sub-network in DMZ.
Figure 1.12 Multiple WAN Links Example: WAN Link 2

LAN Private Subnet:

Lastly, we configure the settings for the LAN interface. In this example, AscenLink is the DHCP server of the LAN, as shown in the figure below:
Figure 1.13 Multiple WAN Links Example: LAN Private Subnet
1.7 Public IP Address Pass-Through

The advantage of public IP address pass-through is that the effort of configuring network settings is minimized. You can simply move the hosts with public IPs to DMZ and leave them as they are. They will work as well as they did before. There is no need to configure AscenLink or the hosts themselves.

In the figure below, we place a public IP 211.21.38.43 at a host in DMZ. This public IP is in the same network segment as the WAN 1 port, so all the packets to 211.21.38.43 will be passed through from WAN 1 to DMZ. That means the DMZ port is actually linked to the WAN 1 port (shown as a dotted line in the figure below), and the gateway of the host in DMZ is the same as the gateway of the WAN 1 port.
Figure 1.14 Public IP Address Pass-Through

1.7.1 Use AscenLink with the Existing Firewall

Those who have already installed a firewall in their existing network can simply connect the firewall to the DMZ interface of AscenLink without changing any settings, whether the firewall is attached to a subnet with public or private IPs.
Figure 1.15 Use the Existing Firewall with AscenLink

1.8 Hardware Installation

1.8.1 How to rack-mount your AscenLink

AscenLink is shipped with screws for an industry-standard rack. Please use the screws in the box and rack-mount your machine by referring to Figure 1.16.
Figure 1.16 Rack-mount your AscenLink

1.8.2 Connecting AscenLink to other network devices

The cable used for connecting depends on the type of network device and the environment. Some devices require cross-over cables, while others require straight-through cables. The table below shows the cable type used for connecting different types of network devices:

| WAN or LAN device | Cable Type |
|---|---|
| Router | Cross-Over |
| Firewall | Cross-Over |
| Server | Cross-Over |
| Hub | Straight-Through |
| Switch | Straight-Through |

Table 1.6 The Cable Type for Connecting AscenLink to Other Network Devices

1.9 AscenLink in HA (High Availability) Mode

1.9.1 Installing AscenLink in HA mode

Two AscenLink units can be linked together and work as the backup for one another. This is called HA (High Availability) mode, as it provides stronger reliability in case either of the AscenLink units is down. AscenLink is designed with fault tolerance. The firmware OS (Operating System) and programs are stored in flash memory; therefore the system will not be damaged during a blackout. However, if you are running mission-critical or non-stop services over your network, HA mode offers fault tolerance at the hardware level. When two AscenLinks are linked together, the currently active one is called the master and handles regular operation. The other one serves as the slave for backup, and will only be woken up when the master AscenLink fails to function properly.
Figure 1.17 HA Console Port

You just need to connect them with a 9-pin RS-232 cable (null modem cable). Attach the two ends of the cable to the HA ports of the two AscenLink units respectively. The null modem cable is a standard accessory shipped with AscenLink.

1.9.2 Setting Up HA

How HA Works

When both AscenLink units are on, only the master handles the network traffic. The slave machine is in sleep mode during this stage. If the master is down for some reason, the slave AscenLink is automatically woken up and takes over the job to ensure uninterrupted services. In addition, AscenLink also supports circuit-level HA for both LAN and DMZ connections to eliminate single points of failure in the entire deployment for 100% HA.

Activating HA Mode

Firstly, install the master AscenLink and make sure it works properly on your present network. Secondly, connect the slave AscenLink to the master AscenLink with the 9-pin serial cable. Thirdly, turn on the power of the slave AscenLink. Next, you will see the status of the slave AscenLink on the Web-based UI under [System] -> [Summary] -> [Peer Information]. At this stage, HA mode is activated. Once the master is down, the slave will take over and keep the network alive automatically.

Note:
1. If the serial cable is disconnected during operation, it will cause unexpected errors. Be sure the cable is plugged tightly into both machines.
2. As long as the master can find the slave, HA mode is activated.

Table of Content

Chapter 2 System
2.1 Summary
2.2 Network Setting
2.2.1 DNS Server
2.2.2 VLAN and Port Mapping
2.2.3 WAN Setting
2.2.4 WAN/DMZ Private Subnet
2.2.5 LAN Private Subnet
2.3 WAN Link Health Detection
2.4 Optimum Route Detection
2.5 Port Speed/Duplex Setting
2.6 Backup Line Setting
2.7 IP Grouping
2.8 Service Grouping
2.9 Busyhour Setting
2.10 Diagnostic Tools
2.11 Date/Time
2.12 Central Management
2.13 Administration
Chapter 2 System

In this chapter, you will learn how to configure the system settings. These are the fundamental configurations of the AscenLink system and they have to be defined in order for the system to work properly. However, most of the settings have default values, so you do not have to configure them if the default settings fit your requirements. There is one exception: Network Setting. You have to set up your network configuration according to your intranet network structure and the necessary information from your Internet service providers (ISPs).
Figure 2.1 The Location of System/Summary on the Menu Bar

2.1 Summary

System/Summary is the first page you see when logging into AscenLink's web-based UI. It provides basic information about the system in three categories: System Information, Peer Information, WAN Link State and Optional Functions Information. Peer Information is available only if the AscenLink is running in HA mode (either as a master or a slave).

Contents of System Information and Peer Information

| Category | Field | Description |
|---|---|---|
| System Information | Version | Firmware version of this AscenLink |
| | Serial Number | Serial number of this AscenLink |
| | Uptime | Time since last reboot |
| | Connections | Number of connections |
| | CPU Usage % | CPU usage |
| | Packets / Second | Number of packets serviced per second |

Table 2.1 System Information

| Category | Field | Description |
|---|---|---|
| Peer Information | Version | Firmware version of the slave AscenLink |
| | Serial Number | Serial number of the slave AscenLink |
| | Uptime | Time since the slave's last reboot |
| | State | Always Slave |

Table 2.2 Peer Information

Note: Connections may jump to over 100 when AscenLink is starting up. This is due to the many ICMP packets that AscenLink sends out to test the network. The number will drop back to normal thereafter.

WAN Link State

The WAN Link State section shows the current status of each WAN link. Each WAN link is represented by a block, color-coded as follows to indicate its status:

Green: Active WAN link
Blue: Backup WAN link
Red: Broken WAN link
Black: WAN link not in use

Different AscenLink models allow different numbers of WAN links. Therefore, the number of status blocks indicates the maximum number of WAN links for this AscenLink model.

Contents of Optional Functions Information

| Category | Field | Description |
|---|---|---|
| Optional Functions Information | Functions | Displays the name of the optional function, e.g. "Layer 7 Bandwidth Management" or "Tunnel Routing". Note: ONLY the Simplified Chinese version has the "Layer 7 Bandwidth Management" option. |
| | Enabled | Displays whether the optional function is enabled |
| | Remarks | If it is the DEMO version, the number of days left to use this function is shown here; otherwise, it is blank. |

Table 2.3 Optional Functions Information

2.2 Network Setting
Figure 2.2 The Location of System/Network Setting on the Menu Bar

System/Network Setting is an important part of system configuration, covering WAN, LAN, and DMZ settings. System/Network Setting contains 5 sub-menu items:

DNS Server: In this page, you can specify the IP address of a DNS server used by AscenLink.
VLAN and Port Mapping: In this page, you can assign WAN, LAN, or DMZ links to physical network ports or VLAN tags.
WAN Setting: In this page, you can specify the WAN type and the parameters of each WAN link.
WAN/DMZ Private Subnet: In this page, you can specify private subnets in WAN or DMZ.
LAN Private Subnet: In this page, you can specify private subnets in a LAN.

2.2.1 DNS Server
Figure 2.3 The Location of DNS Server on the Menu Bar

In this page, you can specify the IP address of a DNS server. AscenLink will use it to resolve machine names to obtain IP addresses. Input either the IP address or the domain name suffix of the DNS server. Users are also allowed to define the host name of the DNS server in the network. The following five functions use this DNS server:

System/Diagnostic Tools: Ping and Trace
Service/Cache: Cache Server setting
Log/Control: SMTP and FTP Server setting
Log/Notification: SMTP Server setting
Serial Console: ping and traceroute commands

Note that this DNS server is not required for AscenLink to work properly. If you don't specify a DNS server, you can still use all the functions listed above by entering the IP address instead of the FQDN.

2.2.2 VLAN and Port Mapping
Figure 2.4 The Location of VLAN and Port Mapping on the Menu Bar

(1) VLAN and Port Mapping

Please plan your network structure prior to deploying AscenLink into the network. For instance, you will need to plan which port is to be used for WAN1. You can assign how WAN, LAN, or DMZ links map to physical network ports. Certain models of AscenLink support 802.1q VLAN (not Cisco's ISL). This is very handy in a big network structure with VLAN-capable switches. You can map WAN, LAN, or DMZ links to different VLANs by specifying different VLAN tags. This allows better traffic separation and more port assignment flexibility.

We use the following example to illustrate VLAN configuration:
Figure 2.5 VLAN Switch and AscenLink

In this example, Port 1 of AscenLink is connected to a VLAN switch. In the page of [System]->[Network Setting]->[VLAN and Port Mapping], we define the following VLAN tag mapping:

| Port | VLAN Tag | Mapping |
|---|---|---|
| Port 1 | 101 | WAN |
| | 102 | WAN |
| | 103 | LAN |
| | 104 | DMZ |
| Port 2 | no VLAN tag | None |
| Port 3 | no VLAN tag | None |
| Port 4 | no VLAN tag | None |

Table 2.4 VLAN Tag and AscenLink Port Mapping

With this configuration, Port 1 of AscenLink will no longer accept non-VLAN packets. Network interfaces 101 and 102 on the VLAN switch are connected to WAN links. Interface 103 is connected to LAN, and interface 104 is connected to DMZ. This example demonstrates that by supporting VLAN, one port can become multiple virtual links.
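The tag handling of Table 2.4, as an added Python example (not AscenLink code): it parses the 802.1Q header of a frame arriving on Port 1 and maps the VLAN ID to WAN, LAN or DMZ. The function names and sample frames are constructed for illustration, and dropping priority-only, reserved or unmapped tags is an assumption of the example; the manual only states that non-VLAN packets are refused.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag

# Table 2.4 of the manual: VLAN tags carried on Port 1 and the link each maps to.
PORT1_VLAN_MAP = {101: "WAN", 102: "WAN", 103: "LAN", 104: "DMZ"}


def parse_vlan(frame: bytes):
    """Return (vid, pcp, inner_ethertype) for a tagged frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID.
    return tci & 0x0FFF, tci >> 13, inner


def classify_port1(frame: bytes) -> str:
    """Name the link a frame on Port 1 belongs to, or the reason it is dropped."""
    tag = parse_vlan(frame)
    if tag is None:
        # Stated in the manual: Port 1 no longer accepts non-VLAN packets.
        return "DROP untagged"
    vid = tag[0]
    if vid == 0:
        # VID 0 is a priority-only tag in 802.1Q: it names no VLAN.
        return "DROP priority-tagged (VID 0)"
    if vid == 0x0FFF:
        return "DROP reserved VID 4095"
    zone = PORT1_VLAN_MAP.get(vid)
    if zone is None:
        # Assumption of this example: tags missing from Table 2.4 are dropped.
        return f"DROP unmapped VLAN {vid}"
    return f"{zone} via VLAN {vid}"


def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build a sample Ethernet frame (constructed test data, not a capture)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    samples = {
        "tag 101": build_frame(101),
        "tag 103": build_frame(103),
        "tag 104": build_frame(104, pcp=5),
        "untagged": build_frame(),
        "tag 0": build_frame(0, pcp=6),
        "tag 200": build_frame(200),
    }
    for name, frame in samples.items():
        print(f"{name:10} -> {classify_port1(frame)}")
```
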
(2) LAN and DMZ Port High Availability (Redundancy)

AscenLink supports LAN and DMZ port-level HA to remove the single point of failure in the entire deployment chain. To do this, AscenLink's LAN and DMZ ports have a bridging function in which the spanning tree algorithm priority is set to the highest setting (0xffff) to avoid looping in your network. The figure below illustrates the HA deployment:
Figure 2.6 LAN and DMZ HA Deployment Sample

In this example, Port 1 is set to WAN, Port 2 and Port 3 are set as the HA LAN port pair, and Port 4 and Port 5 are the HA DMZ port pair. Each member of a LAN/DMZ pair is connected to one switch (switch1 or switch2). This removes the single point of failure at the switch, so the entire deployment is fully HA.
Figure 2.7 UI configuration for Redundant LAN/DMZ Port

| Category | Field | Description |
|---|---|---|
| Redundant LAN Port | Label | Define a logical label for the Redundant LAN Port for subsequent reference. Valid characters for this label are 0-9 a-z A-Z .-_ |
| | Mapping | Select two ports for grouping as the redundant LAN port pair |
| Redundant DMZ Port | Label | Define a logical label for the Redundant DMZ Port for subsequent reference. Valid characters for this label are 0-9 a-z A-Z .-_ |
| | Mapping | Select two ports for grouping as the redundant DMZ port pair |

Table 2.5 Field description for the Redundant Port configuration

(3) HA Deployment to ensure HA on switch

In addition to supporting AscenLink port HA, port-level HA can also be used to support HA on the switches behind the AscenLink. This is especially effective for cases where extremely high availability is required, such as banking, security exchange, etc. We use the following example to illustrate how to deploy the switches in HA, i.e., Switch1 and Switch2 back each other up in the event of hardware failure.
Figure 2.8 Support Switch HA

The setting of AscenLink HA deployment on switches is:

Figure 2.9 Settings for Switch HA Support

The setting of LAN Private Subnet is:
Figure 2.10 LAN Private Subnet Settings for Switch HA Support
2.2.3 WAN Setting

Figure 2.11 The Location of WAN Setting on the Menu Bar

When you obtain WAN links (such as a T1 leased line, ADSL, or cable modem) from ISPs, you might get different types of links depending on the agreements between you and the ISPs. AscenLink needs to know the characteristics of these links. This page is where you set the WAN type and the parameters for each WAN link. The configuration is done one WAN link at a time. However, you can apply all the changes at once at the end.

You can select a WAN link by selecting the link number in the WAN Link drop-down box. For each WAN link, you fill out a few tables with the correct information from its ISP.

The initial selection is the WAN type. The rest of the settings change based on the WAN type you have selected. AscenLink supports the following WAN types:

Routing Mode
Bridge mode: One Static IP
Bridge mode: Multiple Static IP
Bridge mode: PPPoE
Bridge mode: DHCP Client
Figure 2.12 WAN Setting / Basic Setting

As mentioned, different types of WAN have different interfaces. First of all, we need to clarify one concept. To AscenLink, there are two types of subnets:

The first type is subnets that directly connect to AscenLink. For this type of subnet, you have to fill out the Basic Subnet table to specify them. In this case, AscenLink is the router for those subnets.

The second type is subnets that connect to AscenLink through other routers or L3 switches. For this type of subnet, you have to fill out the Static Routing Subnet table to specify them. In this case, traffic will be routed by the routers (or L3 switches).

2.2.3.1 Routing Mode

Basic Setting

When you select Routing Mode as the WAN Type, you need to fill in the parameters in the Basic Setting table.

Basic Setting table:

| Field | Description |
|---|---|
| Down Stream | The down stream (inbound) bandwidth of the WAN link, for example 512 (Kbps) |
| Up Stream | The up stream (outbound) bandwidth of the WAN link, for example 512 (Kbps) |
| Default Gateway | The IP address of the default gateway for the WAN link |
| MTU | (Maximum Transmission Unit) refers to the size of the largest packet or frame that a given layer of a communications protocol can pass onwards. It allows dividing the datagram into pieces, each one small enough to pass over the single link. |
| WAN Port | The network interface for this WAN link (for example, port 3). Note that this interface has to be mapped to WAN. Refer to 2.2.2 for details. |

Table 2.6 Basic Setting Table in Routing Mode

(1) Basic Subnet and Static Routing Subnet

The next step is to set the Basic Subnet and Static Routing Subnet tables. All the subnets mentioned here are public subnets (i.e. subnets that contain public IPs). A Basic Subnet can be further classified into one of the following types:

Subnet in WAN
Subnet in DMZ
Subnet in WAN and DMZ
Subnet on Localhost
Figure 2.13 Types of Basic Subnets

Later, we will explain the differences between the types with examples. In general, the most commonly used type is Subnet in WAN and DMZ. Similarly, a Static Routing Subnet can be further classified into one of the following types:

Subnet in WAN
Subnet in DMZ
Figure 2.14 Types of Static Routing Subnet

(2) Subnet in WAN of Basic Subnet

A public subnet placed between AscenLink and the ISP's router is called Subnet in WAN.
Figure 2.15 Subnet in WAN of Basic Subnet

Example: In this example, AscenLink uses port 2 as its interface to WAN 1. IP addresses 211.21.9.1~211.21.9.5 are on AscenLink. The rest of the IP addresses in this subnet are between AscenLink and an ISP router whose address is 211.21.9.254. The actual settings of the various tables are shown below:
Figure 2.16 Subnet in WAN Setting of Basic Subnet

Note: AscenLink assumes that all the unlisted IP addresses are in WAN.

(3) Subnet in DMZ of Basic Subnet

A public subnet placed in DMZ is called Subnet in DMZ.
Figure 2.17 Subnet in DMZ of Basic Subnet

Example: In this example, AscenLink uses port 5 as its interface to DMZ with the IP address 140.112.8.254. Therefore, the default gateway of the subnet in DMZ is 140.112.8.254.

If you want to provide DHCP service to host machines in DMZ, you need to turn it on by checking the Enable DHCP flag. Then you have to specify an IP range in DHCP Range (Starting Address to Ending Address) for DHCP hosts to use. If you want to assign a static IP to a machine, you need to fill in the sub-fields MAC Address and IP Address in the Static Mapping field.
Figure 2.18 Subnet in DMZ Setting of Basic Subnet

Note: AscenLink assumes that all the unlisted IP addresses are in DMZ.

(4) Subnet in WAN and DMZ of Basic Subnet

A public subnet in both WAN and DMZ is called Subnet in WAN and DMZ. You have to specify the IP addresses on Localhost or in WAN. AscenLink assumes that all the unlisted IP addresses are in DMZ.

Example: In this example, IP addresses 139.8.1.20~30 are on AscenLink. IP addresses 139.8.1.10~19 and 139.8.1.254 are in WAN. The remaining IP addresses of subnet 139.8.1.X are in DMZ using the technique of Public IP Pass-Through. In the example, port 2 and port 5 are connected by a dotted line. This means a subnet (i.e., 139.8.1.X) resides across these two ports. AscenLink uses the technique of Proxy ARP to bridge them.

If you want to provide DHCP service to machines in DMZ, you need to turn it on by checking the Enable DHCP flag. Then you have to specify an IP range (Starting Address to Ending Address) for DHCP hosts to use. If you want to assign a static IP to a machine, you need to fill in the sub-fields MAC Address and IP Address in the Static Mapping field.
Figure 2.19 Subnet in WAN and DMZ of Basic Subnet
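An added Python example (not part of the manual or the AscenLink software) that applies the default-to-DMZ rule to the 139.8.1.X example above and lists which addresses end up in DMZ without ever being typed in. The `~` range notation is the one used in the manual's text; the function names are hypothetical.

```python
import ipaddress


def expand(spec: str) -> set:
    """Expand 'a.b.c.d', 'a.b.c.d~N' or 'a.b.c.d~a.b.c.e' into a set of addresses."""
    first, _, last = (part.strip() for part in spec.partition("~"))
    start = ipaddress.IPv4Address(first)
    if not last:
        end = start
    elif "." in last:
        end = ipaddress.IPv4Address(last)
    else:
        # Short form: only the last octet is given, e.g. 139.8.1.20~30
        end = ipaddress.IPv4Address(first.rsplit(".", 1)[0] + "." + last)
    if end < start:
        raise ValueError(f"range runs backwards: {spec}")
    return {ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)}


def as_ranges(addrs) -> list:
    """Collapse a set of addresses into sorted (first, last) string pairs."""
    runs = []
    for ip in sorted(addrs):
        if runs and int(ip) == int(runs[-1][1]) + 1:
            runs[-1][1] = ip
        else:
            runs.append([ip, ip])
    return [(str(a), str(b)) for a, b in runs]


def build_plan(subnet: str, localhost: list, wan: list) -> dict:
    """Split a 'Subnet in WAN and DMZ' into its three zones.

    Addresses listed as Localhost or WAN keep that role; every other host
    address of the subnet is treated as DMZ, as the manual describes.
    """
    hosts = set(ipaddress.IPv4Network(subnet).hosts())
    local = set().union(*(expand(s) for s in localhost))
    wan_set = set().union(*(expand(s) for s in wan))
    if local & wan_set:
        raise ValueError(f"listed as both Localhost and WAN: {as_ranges(local & wan_set)}")
    stray = (local | wan_set) - hosts
    if stray:
        raise ValueError(f"not a host address of {subnet}: {as_ranges(stray)}")
    return {"localhost": local, "wan": wan_set, "dmz": hosts - local - wan_set}


def zone_of(plan: dict, addr: str) -> str:
    """Return the zone an address falls into under the plan."""
    ip = ipaddress.IPv4Address(addr)
    for zone in ("localhost", "wan", "dmz"):
        if ip in plan[zone]:
            return zone
    return "outside subnet"


if __name__ == "__main__":
    # Values taken from the manual's example for subnet 139.8.1.X.
    plan = build_plan(
        "139.8.1.0/24",
        localhost=["139.8.1.20~30"],
        wan=["139.8.1.10~19", "139.8.1.254"],
    )
    for zone in ("localhost", "wan", "dmz"):
        print(f"{zone:9} {len(plan[zone]):3} addresses  {as_ranges(plan[zone])}")
```

Comparing the printed DMZ ranges with the hosts that are actually meant to sit behind the DMZ port shows any address that is reachable through pass-through only because it was left off the Localhost and WAN lists.
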
Figure 2.20 Subnet in WAN and DMZ Setting in Basic Subnet

Most likely the IP address 139.8.1.254 has already been defined as the default gateway for this WAN link. However, for better readability we put it in the list as well.

(5) Subnet on Localhost of Basic Subnet

A whole public subnet on AscenLink is called Subnet on Localhost. All the public IP addresses in this subnet can be used for virtual servers.
Figure 2.21 Subnet on Localhost of Basic Subnet
Figure 2.22 Subnet on Localhost Setting of Basic Subnet

Example: This example shows that the whole subnet 210.33.50.X is on AscenLink. Fill in the IP address, and 255.255.255.0 as the subnet mask.

(6) Subnet in WAN of Static Routing Subnet

If there are two public subnets in a WAN (one directly connected to AscenLink and the other connected to AscenLink through a router), then you have to specify the second subnet as Subnet in WAN of Static Routing Subnet. In a real-world network structure, this case is very rare.

Example: There are two subnets in the WAN. AscenLink connects to subnet 140.4.1.X directly and to subnet 139.3.1.X through a router whose IP address is 140.4.1.254.
Figure 2.23 Subnet in WAN of Static Routing Subnet
Figure 2.24 Subnet in WAN Setting of Static Routing Subnet

(7) Subnet in DMZ of Static Routing Subnet

A public subnet in DMZ that connects to AscenLink through a router is called Subnet in DMZ of Static Routing Subnet.

Example: AscenLink connects to subnet 140.128.8.X through the router at 139.3.3.2.
Figure 2.25 Subnet in DMZ of Static Routing Subnet
Figure 2.26 Subnet in DMZ Setting of Static Routing Subnet

2.2.3.2 Bridge Mode: One Static IP

Bridge mode means you are not getting a whole subnet from your ISP. Instead you are getting one or more IP addresses (static or dynamic). Therefore, a bridging device instead of a router connects AscenLink to the ISP of the WAN.

Example: In this case, your WAN link is a 512K/512K ADSL. You receive one static IP address 211.21.40.32 out of subnet 211.21.40.X. Therefore, the ATUR is working in bridge mode.
Figure 2.27 Bridge Mode: One Static IP
Figure 2.28 Bridge Mode: One Static IP Setting

2.2.3.3 Bridge Mode: Multiple Static IP

If you receive more than one static IP address in bridge mode from your ISP, then you need to set the WAN Type to Bridge Mode: Multiple Static IP.

Example: In this case, you receive three static IP addresses 211.21.40.32 ~ 211.21.40.34. These addresses are assigned to port 2. The gateway of the ISP is 211.21.40.254.

If you want to provide DHCP service to machines in DMZ, you need to turn it on by checking the Enable DHCP flag. Then you have to specify an IP range (Starting Address to Ending Address) for DHCP to use. If you want to assign a static IP to a machine in the subnet, you need to fill in the sub-fields MAC Address and the IP Address in the Static Mapping field.

There are no public IP addresses in WAN or DMZ, so the fields IP(s) in WAN and IP(s) in DMZ are empty. Otherwise, you need to list them accordingly.
Figure 2.29 Bridge Mode: Multiple Static IP
Figure 2.30 Bridge Mode: Multiple Static IP Setting

2.2.3.4 Bridge Mode: PPPoE

PPPoE is a very popular bridge mode protocol for ADSL. AscenLink gets a dynamic IP address every time it logs into the ISP. Basic Setting is as follows:
Figure 2.31 Bridge Mode: PPPoE Setting

To set up PPPoE, first fill in generic parameters such as Down Stream and Up Stream bandwidth and WAN Port, as well as PPPoE-specific parameters such as User Name and Password (from your ISP), service name, MTU value, etc. When specifying the [IP Address] field, keep the field blank if you use ADSL (Dynamic IP) service, and type in the IP you get from your ISP if you use ADSL (Static IP) service. Then connect the ADSL modem port to an AscenLink port, e.g. port 2. In addition, check Redial Enable to enable Redial. Since certain ISPs automatically reconnect to the network in a certain time interval, this action will avoid simultaneous redialing of WAN links and thus stagger WAN redial time.

2.2.3.5 Bridge Mode: DHCP Client

Another protocol to support the dynamic IP address is DHCP. In this case, AscenLink is a DHCP client that acquires a dynamic IP address from an ISP's DHCP server. The following is an example of how you set it up.
Figure 2.32 Bridge Mode: DHCP Client Setting

2.2.4 WAN/DMZ Private Subnet
Figure 2.33 The Location of WAN/DMZ Private Subnet on the Menu Bar

In this section, we will discuss how to configure private subnets on AscenLink. The configuration methods and the user interfaces are very similar to their counterparts in public subnets.

There are also four types of private subnet for Basic Subnet:
- Subnet in WAN
- Subnet in DMZ
- Subnet in WAN and DMZ
- Subnet on Localhost
Figure 2.34 Types of Subnets in WAN/DMZ

There are two types of private subnet for Static Routing Subnet:
- Subnet in WAN
- Subnet in DMZ
Figure 2.35 Types of Subnets in Static Routing Subnet

(1) Subnet in WAN of Basic Subnet

A private subnet placed between AscenLink and an ISP's router is called Subnet in WAN. This type of subnet usually occurs when your servers have to be located outside of AscenLink (in WAN).

Example: In this example, a private subnet 192.168.3.X is located between AscenLink and a router whose IP address is 192.168.3.254. AscenLink also gets one IP address 192.168.3.1 from this subnet. This is indicated in the field IP(s) on Localhost.
Figure 2.36 Subnet in WAN of Basic Subnet in WAN/DMZ

Note: AscenLink assumes that all the unlisted IP addresses are in WAN.
Figure 2.37 Subnet in WAN Setting of Basic Subnet in WAN/DMZ

(2) Subnet in DMZ of Basic Subnet

A private subnet in DMZ is called Subnet in DMZ. This type of subnet is usually for machines that have to be isolated in DMZ for security or other reasons.

Example: In this example, we have a whole private subnet 192.168.4.X in DMZ. Port 5 of AscenLink is the interface to DMZ.
Figure 2.38 Subnet in DMZ of Basic Subnet in WAN/DMZ
Figure 2.39 Subnet in DMZ Setting of Basic Subnet in WAN/DMZ

If you want to provide DHCP service to host machines in DMZ, you need to turn it on by checking the Enable DHCP flag. Then you have to specify an IP range (Starting Address to Ending Address) for DHCP to use. If you want to assign a static IP to a machine, you need to fill in the sub-fields MAC Address and the IP Address in the Static Mapping field.

Note: AscenLink assumes that all the unlisted IP addresses are in DMZ.

(3) Subnet in WAN and DMZ of Basic Subnet

A private subnet in both WAN and DMZ is called Subnet in WAN and DMZ. You have to specify IP addresses on Localhost or in WAN. AscenLink assumes that all the unlisted IP addresses are in DMZ.

Example: In this example, IP addresses 192.168.5.20~30 are on AscenLink. IP addresses 192.168.5.10~19 and 192.168.5.254 are in WAN. The rest of the IP addresses of subnet 192.168.5.X are in DMZ. In the example, port 2 and port 5 are connected by a dotted line, which means a subnet (i.e., 192.168.5.X) resides across these two ports. AscenLink will use the technique of Proxy ARP to bridge them.

[Diagram labels: Internet, ISP, Router, AscenLink, WAN, DMZ; 192.168.5.254; 192.168.5.10~192.168.5.19; 192.168.5.20~192.168.5.30; 192.168.5.x/24]
Figure 2.40 Subnet in WAN/DMZ of Basic Subnet in WAN/DMZ
Figure 2.41 Subnet in WAN/DMZ Setting of Basic Subnet in WAN/DMZ

(4) Subnet on Localhost of Basic Subnet

A whole private subnet on AscenLink is called Subnet on Localhost. All the IP addresses in this subnet can be used as virtual servers.

[Diagram labels: Internet, ISP, Router, AscenLink; 192.168.6.0/24]
Figure 2.42 Subnet on Localhost of Basic Subnet in WAN/DMZ
Figure 2.43 Subnet on Localhost Setting of Basic Subnet in WAN/DMZ

(5) Subnet in WAN of Static Routing Subnet

You have to select this type if you have a private subnet located in WAN.

Example: There are two subnets in the WAN. AscenLink connects to subnet 140.4.1.X directly and to subnet 192.168.1.X through a router whose IP address is 140.4.1.254.
Figure 2.44 Subnet in WAN of Static Routing Subnet in WAN/DMZ
Figure 2.45 Subnet in WAN Setting of Static Routing Subnet in WAN/DMZ

The Gateway field is the IP address of the router connecting AscenLink to the subnet 192.168.1.X.

(6) Subnet in DMZ of Static Routing Subnet

A private subnet in DMZ that connects to AscenLink through a router is called Subnet in DMZ of Static Routing Subnet.

Example: AscenLink connects to subnet 192.168.99.X through the router at 192.168.34.50.
Figure 2.46 Subnet in DMZ of Static Routing Subnet in WAN/DMZ
Figure 2.47 Subnet in DMZ Setting of Static Routing Subnet in WAN/DMZ

2.2.5 LAN Private Subnet
Figure 2.48 The Location of LAN Private Subnet on the Menu Bar

Private subnets in LAN are very common in most network environments. As with the other subnet types, a private subnet can connect to AscenLink directly or through a router.

(1) Basic Subnet

The table of Basic Subnet allows you to specify one or more private subnets that connect to AscenLink directly.

Example: In this example, port 3 is assigned to be the network interface to LAN. It has a private IP address 192.168.34.254, which is specified in the IP(s) on Localhost field. To machines of this subnet, this IP address is their gateway.
Figure 2.49 LAN Private Subnet / Basic Subnet

If you want to provide DHCP service to machines in LAN, you need to turn it on by checking the Enable DHCP flag. Then you have to specify an IP range (Starting Address to Ending Address) for DHCP to use. In this case, the DHCP range is from 192.168.34.175 to 192.168.34.199. If you want to assign a static IP to a machine, you need to fill in the sub-fields MAC Address and the IP Address in the Static Mapping field.
Figure 2.50 LAN Private Subnet / Basic Subnet Setting

(2) RIP Settings

AscenLink supports RIP (Routing Information Protocol) versions 1 and 2. RIP V1 is the basic definition, while V2 has some functional enhancements. Please refer to the IETF's official documents for the complete definition of RIP. If your private LAN subnet supports RIP, you also need to enable AscenLink's RIP function, as follows:
Figure 2.51 LAN Private Subnet / RIP Configuration

You need to make sure the RIP version in AscenLink is the same as that used in the private LAN subnet. In addition, if V2 is used with authentication turned on, you need to input the password into the Authentication password field. Otherwise, this field should be blank.

(3) OSPF Settings

AscenLink supports OSPF (Open Shortest Path First) over LAN. OSPF is an Interior Gateway Protocol (IGP) that uses a link-state database. Unlike RIP updates, OSPF link-state database updates are only sent when routing changes occur, instead of periodically, and the link-state database is updated instantly, rather than gradually, as state information is timed out. OSPF routers exchange information (of neighbour routers or of other routers) on a link using packets that follow a well-defined fixed format.
Figure 2.52 LAN Private Subnet / OSPF Setting

Field | Description
OSPF Interface | Displays LAN interfaces in the network. Check the box to enable OSPF protocol over this interface.
Area Setting | Network is logically divided into a number of areas based on subnets. Administrators are allowed to configure area ID, which accepts numbers or IPs only.
Authentication Setting | Routers in different areas require authenticating to communicate with each other. Authentication has configurable types: Null, Simple Text Password, MD5.
Router Priority | Specify router priority. The router that sends the highest OSPF priority becomes DR (Designated Router). The value of the OSPF Router Priority can be a number between 0 and 255.
Hello Interval | This value sets the interval, in seconds, at which the router sends out the OSPF keepalive packets that let other routers know the router is up.
Dead Interval | This value sets the length of time, in seconds, that OSPF neighbours will wait without receiving an OSPF keepalive packet from a neighbour before declaring that this neighbour router is down.
Retransmit Interval | This value sets the interval, in seconds, between retransmission of Link UP. When routers fail to transmit hello packets, it will retransmit packets in the defined interval.
Authentication Type | This pull-down box will specify whether the router will perform authentication of data passing the LAN. Choices are: Null, Simple Text Password, MD5.

Table 2.7 OSPF Settings Table

(4) Static Routing Subnet

A private subnet in a LAN that connects to AscenLink through a router is called Subnet in LAN of Static Routing Subnet. It is almost the same as a private subnet in DMZ of Static Routing Subnet. The only difference is that one is in a LAN and the other is in DMZ.

Example: AscenLink connects to subnet 192.168.99.X through the router at 192.168.34.50.
Figure 2.53 LAN Private Subnet / Static Routing Subnet
Figure 2.54 LAN Private Subnet / Static Routing Subnet Setting

2.3 WAN Link Health Detection
Figure 2.55 The Location of System/WAN Link Health Detection on the Menu Bar

This function allows MIS managing personnel to configure how WAN link health detection is performed. By fine-tuning certain parameters, MIS personnel can adjust AscenLink to match a particular network structure and/or a particular ISP. For WAN link health detection, AscenLink sends out ICMP or TCP packets and monitors responses to determine the status of those links.

In the WAN Link Health Detection page, the following parameters are available:

Ignore Inbound Traffic: When this feature is enabled, AscenLink will not use inbound WAN traffic to assess the WAN link status. When this feature is disabled, AscenLink assumes a healthy WAN link and stops monitoring ICMP and TCP packets after it detects any WAN traffic.

Detection Period in Second: This is the period between two consecutive ICMP/TCP packets sent to a WAN link. The shorter the period is, the faster AscenLink can detect changes of link connection status, but it will also consume more bandwidth.

Number of Hosts Picked per Detection: For each detection period, AscenLink picks a fixed number of hosts from the Ping List and sends one test packet (ping) to each selected host. The TTL (time to live) of the test packet is specified in the Hops field of Ping List.

Number of Retries: If AscenLink does not receive any response in a period, it will retry a number of times. If all retries fail, then it will claim that the WAN link is down.

Ping List: Ping List contains a list of hosts and their TTL values in the Hops field. AscenLink randomly picks hosts from this list to carry out the health detection. The normal number of Hops is 3. This list is used when ICMP packets are being sent in the network.

TCP Connect List: TCP Connect List contains a list of hosts and their information. AscenLink randomly picks hosts from this list to carry out the health detection. Port numbers can also be assigned to each host. This list is used when TCP packets are being sent in the network.

2.4 Optimum Route Detection
Figure 2.56 The Location of System/Optimum Route Detection on the Menu Bar

This function is used to increase the efficiency of communication among different ISPs. By making the proper configuration in this page, users can find the best link so that the system efficiency is enhanced. AscenLink makes use of ICMP and TCP packets to test the health condition of connections, so that the best WAN link can be detected by the Optimum Route algorithm.

AscenLink provides two detection methods which are Static IP Table and Dynamic Detect. You can use any sequential combination of them to work out which link is the best.

The Static IP Table is an IP address database developed by Xtera. The optimum route is detected by matching the IP address in the table. You can add or delete the IP addresses from the Static IP table, and query whether an address is included in the table. The table below shows the settings of the Static IP table:

Field | Value | Description
Table Name | - | Define a meaningful name for the Static IP-ISP Table.
Upload | - | Click the "Browse" button to choose a static IP table file, and then click the "upload" button to upload it to AscenLink.
Subnet Address | <IP Address> | Input a subnet address for action "add to" or "remove from". The format is: 202.99.0.0/255.255.255.0 or 202.99.0.0/24. Note: Adding a single IP address or inputting a subnet address format such as "/255.255.255.255" and "/32" is not allowed.
Action | <add to> <remove from> | add to: Add an address to the static IP table. remove from: Remove an address from the static IP table.
Parameter | WAN1, WAN2... | Tick the corresponding WAN link number to select the WAN link associated with the static IP table.
IP Query | <IP Address> | Check whether a single IP address is in the static IP table. The format is 202.99.96.68.
Table 2.8 Static IP table setting of Optimum Route Detection

The settings of Dynamic Detect are shown in the table below:

Field | Value | Description
Optimum Route Policy | Static IP Table; Dynamic Detect; Static, Dynamic; Dynamic, Static | Choose the method used for optimum route detection. There are four options. Static IP Table: upload a static IP table of ISPs for optimum route detection. Dynamic Detect: apply dynamic detection by setting the Detection Protocol (ICMP, TCP), Detection Period, Number of retries, and Cache aging period. Static, Dynamic: apply the static IP table first and then apply the dynamic detection mechanism. Dynamic, Static: apply the dynamic detection mechanism first and then apply the static IP table.
Detection Protocol | <ICMP> <TCP> | Choose the protocol for Optimum Route Detection from ICMP and TCP. It is ICMP by default.
Detection period, in seconds | <Seconds> | If the AscenLink detection fails, the system will detect again after a period of time. "3" is a good empirical number for the period.
Number of retries | - | If AscenLink does not receive any response in a period of time, it will retry a number of times. "3" is a good empirical number for retries.
Cache aging period, in minutes | <Minutes> | This value is the time that the cache is kept after the best link is detected. After this period of time, the system will detect the best link again. The default value is 2880 minutes (2 days).
Weight of Round Trip Time : Weight of Load | - | This value is used for calculating the best link. It shows the weight of the RTT and the load while calculating the best link.

Table 2.9 Dynamic detection setting of Optimum Route Detection

2.5 Port Speed/Duplex Setting
Figure 2.57 The Location of System/Port Speed Duplex Setting on the Menu Bar

This function allows you to do two things. First, it allows you to set the port speed and duplex of each port on AscenLink. Second, it shows the current port speed and duplex setting. Most network devices can auto-negotiate port speed and duplex with AscenLink. Therefore, initially you should set all the ports to Auto. However, if you encounter compatibility problems with other network devices and have to manually change the port speed or duplex, you can do so in this page.

Field | Description
Port Name | A list of all physical ports on your AscenLink.
Status | Current status of the port. It indicates whether the port can detect any connection with the other end of the line (e.g. a hub or switch).
Speed | The current speed of the port. This can be a manually set value or an auto-negotiated value.
Duplex | The current duplex of the port. This can be a manually set value or an auto-negotiated value.
Setting | The drop-down box of this field contains all possible speed/duplex combinations supported by this port.
MAC Address | The corresponding MAC address of the network port.

Table 2.10 Port Speed/Duplex Setting

2.6 Backup Line Setting
Figure 2.58 The Location of System/Backup Line Setting on the Menu Bar

This function allows you to configure the behavior of backup lines. Backup lines are WAN links that are inactive by default. They become active when certain conditions are met. They continue to be active until those conditions disappear. One possible use of a backup line is to reduce the operational cost of a WAN link if it is charged by bandwidth or connecting time. By marking it as a backup line, we could effectively give preference to other WAN links. The backup line will only be used when needed.

There are two tables in this page. One contains threshold parameters, the other contains enabling rules for backup lines.

Threshold parameters:

Field | Unit | Description
Backup Line Enable Time | <seconds> | The wait time between the main line going down and the backup line becoming active.
Backup Line Disable Time | <seconds> | The wait time between the main line coming back alive and the backup line becoming inactive.

Table 2.11 Threshold Parameters

Backup Line Rules table:

Field | Value | Description
Main Line | WAN1, WAN2 | One or more WAN links can be specified as the main line(s) of this backup rule.
Backup Line | WAN1, WAN2 | One WAN link should be specified as the backup line of this backup rule.
Algorithm | All fail; One fails; Inbound bandwidth usage reaches; Outbound bandwidth usage reaches; Total traffic reaches | There are 5 different backup activation conditions. All fail: when all the main lines fail. One fails: when one of the main lines fails. Inbound bandwidth usage reaches: when the inbound bandwidth consumption reaches a certain level defined as a percentage of total bandwidth. Outbound bandwidth usage reaches: when the outbound bandwidth consumption reaches a certain level defined as a percentage of total bandwidth. Total traffic reaches: when the total bandwidth consumption reaches a certain level defined as a percentage of total bandwidth.
Parameter | <%> | When Algorithm is one of Inbound bandwidth usage reaches, Outbound bandwidth usage reaches, or Total traffic reaches, this parameter is used to specify the percentage of total bandwidth.

Table 2.12 Backup Line Rules

2.7 IP Grouping
Figure 2.59 The Location of System/IP Grouping on the Menu Bar

AscenLink offers a variety of services. These services will be discussed in the next chapter. In order to help MIS personnel configure services efficiently, AscenLink provides a few management tools. IP Grouping is one of them.

This function allows you to assign a name to a group of IP addresses. Later on when you are asked to specify one or more IP addresses, you can use the name of an IP group instead. The name of this IP group will automatically show up in the IP address selection list if the IP group is enabled.

IP Grouping table:

Field | Description
Group Name | The name of this IP group.
Enable | Tick the checkbox to turn on this IP group.
Show/Hide Detail | Push the Show Detail button to show the Rules Setting table. Push the Hide Detail button to hide the Rules Setting table.

Table 2.13 IP Grouping

Rules Setting Table:

Field | Value | Description
E | - | Rule enabling flag.
IP address | <IP address> | One single IP address, or an IP address range in the format of xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy, or a subnet in the format of xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy.
Action | belong to; not belong to | Define whether or not these IP addresses belong to this IP group.

Table 2.14 Rules Setting of IP Grouping

2.8 Service Grouping
Figure 2.60 The Location of System/Service Grouping on the Menu Bar

This function allows you to assign a name to a group of TCP ports, UDP ports, and/or ICMP. Later on when you are asked to specify a port, you can use the name of the service group instead. The name of a service group will automatically show up in the port selection list if the service group is enabled.

Service Grouping table:

Field | Value | Description
Group Name | <name> | The name of the service group.
Enable | - | Tick the checkbox to turn on this service group.
Hide Detail | - | Push the Show Detail button to show the Rules Setting table. Push the Hide Detail button to hide the Rules Setting table.
E | - | Rule enabling flag.
Service | ICMP; TCP@; UDP@ | This field can contain ICMP, a set of TCP ports, and/or a set of UDP ports. A port range should be in the format of xxx-yyy.
Action | belong to; not belong to | Define whether or not these ports belong to this service group.

Figure 2.61 Service Grouping

For example, you can set up a service group called MSN File Transfer. Its ports are TCP 6891 to 6900. You need to fill TCP@6891-6900 into the Service field.

2.9 Busyhour Setting
Figure 2.62 The Location of System/Busyhour Setting on the Menu Bar

Busyhour Setting is very important from an MIS manager's point of view. It provides a tool for you to define two time segments: busy-hour and idle-hour. All other rule-based services such as Bandwidth Management and Auto-Routing can take advantage of this function. For example, you can define 9:00 am to 5:00 pm, Monday through Friday as busy-hour, then reserve bandwidth for business-related network traffic during busy-hour and relax the rule during idle-hour.

Busyhour Setting Table:

Field | Value | Description
Default Type | Idle; Busy | Define the default type to be either Idle or Busy hour.
Rule | - | You set the time segment rules in this table. They are matched in sequence on a first-match basis. If none of the rules matches, the default type is used.
E | - | Rule enabling flag.
Day of Week | Sunday; Monday; Tuesday; Wednesday; Thursday; Friday; Saturday; Any Day | Day of the week.
From | <Hour/Minute> | The start time.
To | <Hour/Minute> | The end time.
Type | Busy; Idle | If the current time matches the day of the week and is between the From and To times, then the Type field applies.

Table 2.15 Busy-hour Setting

Example:
Figure 2.63 A Busy-hour Setting Example

In this example, the busy-hour is defined to be from 9:00 am to 6:00 pm, Monday through Saturday. The rest is idle-hour.

2.10 Diagnostic Tools
Figure 2.64 The Location of System/Diagnostic Tools on the Menu Bar

ARP Enforcement: ARP Enforcement updates the ARP tables of servers and network devices around AscenLink. When the Enforce button is pushed, AscenLink will send out ARP packets to the surrounding servers or network devices to update their ARP tables. This is necessary only if certain equipment in DMZ cannot connect to the Internet properly after the initial setup of AscenLink.

IP Conflict Test: IP Conflict Test will help you detect if the location of any machine on the network conflicts with the DMZ/WAN settings of the Network Setting category on AscenLink. Push the Test button to begin the test. The result of the test is one of the following:
- Everything is ok.
- AscenLink discovers that a machine in DMZ conflicts with Network Setting on AscenLink. For example, a public IP address should be in WAN but is discovered in DMZ. Then an error message with the conflicting IP address and MAC address of the machine will be displayed.
- AscenLink discovers that a machine in WAN conflicts with Network Setting on AscenLink. For example, a public IP address should be in DMZ but is discovered in WAN. Then an error message with the conflicting IP address and MAC address of the machine will be displayed.

Clean Session Table (Only Non-TCP Sessions): Clean Session Table can eliminate non-TCP sessions in AscenLink's internal session table. AscenLink uses the timing method to manage some of the protocols. In this case, each session only ends when it reaches the timeout value. If the session doesn't reach the timeout value, new configurations won't take effect unless the administrator executes Clean to remove the old session and make the new configurations work immediately.

Ping: Ping is used to detect network conditions by sending ICMP packets to a target device. You may specify a target device in the Target IP field. It accepts either an IP address or a host name. Select a network interface (WAN, LAN, or DMZ). If it is WAN, assign the WAN link number in the Index field. Details on ICMP error messages and ping are outside the scope of this manual. Please refer to other associated documents for more information.
Note: If a host name is used in the Target IP field, then a DNS server has to be specified in [System] -> [Network Setting] -> [DNS Server].

Trace Route: Trace Route is used to detect network conditions by showing the routing path from AscenLink to the target device. You may specify a target device in the Target IP field. It accepts either an IP address or a host name. Select a network interface (WAN, LAN, or DMZ). If it is WAN, select the WAN link number in the Index field.
Note: If a host name is used in the Target IP field, then a DNS server has to be specified in [System] -> [Network Setting] -> [DNS Server].

Arping: Arping is used to detect the MAC address of a computer. You may specify a target device in the Target IP field. It accepts either an IP address or a host name. Select a network interface (WAN, LAN, or DMZ). If it is WAN, select the WAN link number in the Index field. For ARP-related error messages, please refer to other materials.
Note: If a host name is used in the Target IP field, then a DNS server has to be specified in [System] -> [Network Setting] -> [DNS Server].

ARP Table Show & Clear: ARP Table Show & Clear can show or clear the associated ARP information of the selected port. Select the port number from the drop-down menu and click the "Show" button to display the associated ARP information of the selected port. Select the port number from the drop-down menu and click the "Clear" button to clean up the associated ARP information of the selected port. A confirmation message will pop up to make sure your operation is correct.

Nslookup Tool: Nslookup is used to query domain names. Enter the host in Target Domain and then select one entry from the Type drop-down list. Choices are: Any, A, CNAME, HINFO, MX, NS, PTR, SOA. Then select one entry from the Server drop-down list: Internal DNS, Multihoming, Other Servers. Click NSlookup to start the query session. The domain name of this host will show in the box. Click Stop to halt the session.
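The zone rule of the Subnet in WAN and DMZ entries (addresses listed on Localhost or in WAN, every unlisted address assumed to be in DMZ) and the comparison the IP Conflict Test reports can be modelled as follows. This is an added example, not AscenLink code: the class and function names, the full-address range syntax, and the sighting records with their MAC addresses are constructed, and flagging a machine that answers for a Localhost address goes beyond the two cases the manual lists.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def parse_ranges(spec):
    """Turn 'a.b.c.d' or 'a.b.c.d-a.b.c.e' items (comma separated) into (low, high) pairs."""
    ranges = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        low_text, _, high_text = item.partition("-")
        low = IPv4Address(low_text.strip())
        high = IPv4Address(high_text.strip()) if high_text else low
        if high < low:
            raise ValueError(f"range runs backwards: {item}")
        ranges.append((low, high))
    return ranges


@dataclass
class SubnetInWanAndDmz:
    """One 'Subnet in WAN and DMZ' entry: two explicit lists, DMZ is the default."""
    network: IPv4Network
    localhost: list   # (low, high) pairs held by the appliance itself
    wan: list         # (low, high) pairs that sit on the WAN side

    def __post_init__(self):
        for low, high in self.localhost + self.wan:
            if low not in self.network or high not in self.network:
                raise ValueError(f"{low}-{high} is outside {self.network}")
        # An address cannot be both on Localhost and in WAN.
        for l_low, l_high in self.localhost:
            for w_low, w_high in self.wan:
                if l_low <= w_high and w_low <= l_high:
                    raise ValueError(f"{l_low}-{l_high} is listed on Localhost and in WAN")

    def zone_of(self, ip):
        """Return 'LOCALHOST', 'WAN', 'DMZ', or None for addresses this entry does not cover."""
        addr = IPv4Address(ip)
        # Assumption: network and broadcast addresses are not hosts in any zone.
        edge = (self.network.network_address, self.network.broadcast_address)
        if addr not in self.network or addr in edge:
            return None
        if any(low <= addr <= high for low, high in self.localhost):
            return "LOCALHOST"
        if any(low <= addr <= high for low, high in self.wan):
            return "WAN"
        return "DMZ"  # unlisted addresses default to DMZ


def make_entry(network, localhost_spec, wan_spec):
    return SubnetInWanAndDmz(IPv4Network(network),
                             parse_ranges(localhost_spec),
                             parse_ranges(wan_spec))


def find_conflicts(entry, sightings):
    """Compare where each machine was seen with where the entry says it belongs."""
    conflicts = []
    for ip, mac, seen_on in sightings:
        expected = entry.zone_of(ip)
        if expected is None:
            continue  # not part of this subnet entry
        if expected != seen_on:
            conflicts.append({"ip": ip, "mac": mac,
                              "expected": expected, "seen_on": seen_on})
    return conflicts


# The public subnet from the manual's example for case (4).
PUBLIC = make_entry("139.8.1.0/24",
                    "139.8.1.20-139.8.1.30",
                    "139.8.1.10-139.8.1.19, 139.8.1.254")

# Constructed sightings: (IP, MAC, side of the appliance the machine answered on).
SIGHTINGS = [
    ("139.8.1.254", "00:00:5e:00:53:01", "WAN"),  # ISP gateway, where it should be
    ("139.8.1.15",  "00:00:5e:00:53:02", "DMZ"),  # listed in WAN but found in DMZ
    ("139.8.1.77",  "00:00:5e:00:53:03", "DMZ"),  # unlisted, so DMZ is correct
    ("139.8.1.140", "00:00:5e:00:53:04", "WAN"),  # unlisted, so it is treated as DMZ
    ("139.8.1.25",  "00:00:5e:00:53:05", "DMZ"),  # address held by the appliance
    ("10.0.0.5",    "00:00:5e:00:53:06", "DMZ"),  # outside this entry, ignored
]

if __name__ == "__main__":
    for c in find_conflicts(PUBLIC, SIGHTINGS):
        print(f"{c['ip']} ({c['mac']}): expected {c['expected']}, seen on {c['seen_on']}")
```

The 139.8.1.140 case shows the effect of the DMZ default: a WAN-side host that was never added to the IP(s) in WAN list is treated as a DMZ address until the list is corrected.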
2.11 Date/Time
Figure 2.65 The Location of System/Date/Time on the Menu Bar

In this page, you can set up time-related configurations. You can set the date in the format of year/month/day and the local time in the format of hour:minute:second, using the 24-hour system. The second part is time zone information. You should select the region first and then the city you are located in (or a city of the same time zone).

AscenLink can use the NTP protocol to get time from the Internet. You can select a time server from the list or add your preferred time servers to the list. With NTP, AscenLink automatically adjusts its time when necessary. You can also push the Synchronize Time button to adjust the time immediately.

2.12 Central Management

This page lets users configure whether to perform central management over AscenLink. Central management means managing multiple units of AscenLink on a single CMT server, to decrease the work load of administrators. This page requires registry information of AscenLink on the CMT server.
Figure 2.66 The Location of System/Administration on the Menu Bar

Field | Description
Enable CMT | Check the box to enable central management.
CMT IP | Specify CMT IP.
Key | Specify the key. This will enable the CMT server to authenticate AscenLink.
Key Verification | Confirm the key above.
Group | Specify the group to which AscenLink belongs on CMT.

Table 2.16 Central Management Setting

2.13 Administration
Figure 2.67 The Location of System/Administration on the Menu Bar

In this page, you can do a few administrative tasks. First, you can change the password of the Administrator and Monitor accounts. Every AscenLink comes with the same default password. To avoid any security risks, it is strongly recommended to change the password before putting your AscenLink online.

From time to time, you might receive an AscenLink firmware update/downgrade from Xtera or your system integrator. Just push the Update/Downgrade button on the screen and follow the instructions to update.

You can save your current configuration to a file and restore it later. We recommend that you save your working configuration before modifying the configuration. In case of a configuration error (such as rules that block you from accessing AscenLink anymore), you can always reset the machine to the factory default state using the console command and quickly restore your original configuration.

You can reset AscenLink to its factory default state. After doing this, you will lose your entire customized configuration.

Finally, you can reboot AscenLink in the Maintenance part. Due to web interface limitations, there will not be any messages after you have rebooted the system. Wait two minutes or so and try to re-connect to AscenLink by using the browser.

Administrator Password: Here, you can add, delete, or modify an administrator's account and password.

Field | Value | Description
Select Account | <New Administrator Group> | For configuration of old and new accounts. If the account selected is one that is currently used, the field Add Account will become Set Account.
New Account | | To add a new user, please insert the new user ID here.
New Password | | To change passwords of old and new accounts, enter the new passwords here.
Password Verification | | Please re-enter the new password for verification.

Table 2.17 Administration Password Setting

Monitor Password: Here, you can add, delete, or modify a Monitor's account and password.

Field | Value | Description
Select Account | <New Monitor Group> | For configuration of old and new accounts. If the account selected is one that is currently used, the field Add Account will become Set Account.
New Account | | To add a new user, please insert the new user ID here.
New Password | | To change passwords of old and new accounts, enter the new passwords here.
Password Verification | | Please re-enter the new password for verification.

Table 2.18 Monitor Password Setting

Firmware Update: Click Update/Downgrade to start the firmware update/downgrade process. Follow the onscreen instructions as mentioned in Appendix 2.

Configuration File: Click Save to save the current configuration into a file. Click Restore to restore the configuration from the saved configuration file. See Appendix 2 for more information.

Maintenance: Click Factory Default to reset the AscenLink configuration to its factory default. You can do the same operation using the resetconfig command in the console. Click Reboot to reboot AscenLink. See Appendix 1 for more information on the console.

Optional Function: AscenLink supports optional functions: "Layer 7 Bandwidth Management" and "Tunnel Routing". Check the box(es), enter the licence key, and then click "Enable" to enable the function.
Note: ONLY the Simplified Chinese version has the "Layer 7 Bandwidth Management" option. The upgrade will take effect after rebooting the system.

In [Optional Function], users will find the function name and whether this function is enabled. The "Layer 7 Bandwidth Management" option enables AscenLink to manage network traffic and bandwidth based on Layer 7 protocol. The Tunnel Routing option enables AscenLink to establish a number of tunnels based on AscenLink's patented technology TR (Tunnel Routing).
TR allows packets of particular groups to pass over these tunnels from one device to another, delivering nonstop transmission of packets. AscenLink offers trial edition. Enter Demo License Key to get 30-day trial of Layer 7 Bandwidth Management or Tunnel Routing.
Chapter 3 Service

Figure

Figure 3.1 The Location of Service on the Menu Bar
Figure 3.2 The Location of Service/Firewall on the Menu Bar
Figure 3.3 Network Architecture for Firewall Service
Figure 3.4 Network Architecture for Firewall Service 2
Figure 3.5 The Location of Service/NAT on the Menu Bar
Figure 3.6 The Settings of NAT Rules
Figure 3.7 NAT Setting
Figure 3.8 Network Architecture for No-NAT
Figure 3.9 The Location of Service/Persistent Routing on the Menu Bar
Figure 3.10 Network Architecture for Persistent Routing 1
Figure 3.11 Network Architecture for Persistent Routing 2
Figure 3.12 The Location of Service/Auto Routing on the Menu Bar
Figure 3.13 Network Architecture for Auto Routing 1
Figure 3.14 Network Architecture for Auto Routing 2
Figure 3.15 Network Architecture for Auto Routing Example 3
Figure 3.16 The Location of Service/Virtual Server on the Menu Bar
Figure 3.17 Network Architecture for Virtual Server 1
Figure 3.18 Network Architecture for Virtual Server 2
Figure 3.19 The Location of Service/Inbound BM on the Menu Bar
Figure 3.20 The Screenshot of Inbound BM Classes
Figure 3.21 Network Architecture for Inbound BM 1
Figure 3.22 Network Architecture for Inbound BM 2
Figure 3.23 The Location of Service/Outbound BM on the Menu Bar
Figure 3.24 Network Architecture for Outbound BM 1
Figure 3.25 Network Architecture for Outbound BM 2
Figure 3.26 The Location of Service/Connection Limit on the Menu Bar
Figure 3.27 The Screenshot of Connection Limit
Figure 3.28 Example of Connection Limit
Figure 3.29 The Location of Service/Cache Redirect on the Menu Bar
Figure 3.30 The Settings of Cache Redirect
Figure 3.31 Sequence of the Requests and Responses in Cache Miss Case
Figure 3.32 The Sequence of the Requests and Responses in Cache Hit Case
Figure 3.33 The Location of Service/Tunnel Routing on the Menu Bar
Figure 3.34 Example 2 of Tunnel Routing
Figure 3.35 Example 3 of Tunnel Routing
Figure 3.36 Example 4 of Tunnel Routing
Figure 3.37 The Location of Service/Multihoming on the Menu Bar
Figure 3.38 Global Setting in Multihoming Policy
Figure 3.39 The Settings of Multihoming Policy
Figure 3.40 Domain Setting
Figure 3.41 Enable Relay in Multihoming Policy
Figure 3.42 Multihoming Example 1: Network Architecture
Figure 3.43 Multihoming Example 2: Network Architecture
Figure 3.44 The Location of Service/Internal DNS on the Menu Bar
Figure 3.45 The Location of Service/SNMP on the Menu Bar
Figure 3.46 The Location of Service/IP-MAC MAPPING on the Menu Bar

Table

Table 3.1 The Description of the Fields on Firewall Page
Table 3.2 Firewall Settings of Example 1
Table 3.3 Firewall Settings Example 2
Table 3.4 The Description of the Fields on the NAT Page
Table 3.5 The Description of the Fields on the Persistent Routing Page
Table 3.6 The Settings for Persistent Routing Example 1
Table 3.7 The Settings for Persistent Routing Example 2
Table 3.8 The Description of the Fields in the Auto Routing Policy Table
Table 3.9 The Description of the Fields in the Auto Routing Filter Table
Table 3.10 The Settings for Auto Routing Example 1: Policies
Table 3.11 The Settings for Auto Routing Example 1: Filters
Table 3.12 The Settings for Auto Routing Example 2: Policies
Table 3.13 The Settings for Auto Routing Example 2: Filters
Table 3.14 WAN link information of Auto Routing Example 3
Table 3.15 Auto Routing: Tunnel Routing Log Setting (San Jose Headquarters)
Table 3.16 Auto Routing: Tunnel Group Setting (San Jose Headquarters)
Table 3.17 Auto Routing: Routing Rules Setting (San Jose Headquarters)
Table 3.18 Auto Routing: Auto Routing Policies Setting (San Jose HQs)
Table 3.19 Auto Routing: Auto Routing Filters Setting (San Jose Headquarters)
Table 3.20 Auto Routing: Tunnel Routing Log Setting (Shanghai Office)
Table 3.21 Auto Routing Example: Tunnel Group Setting (Shanghai Office)
Table 3.22 Auto Routing Example: Routing Rules Setting (Shanghai Office)
Table 3.23 Auto Routing: Auto Routing Policies Setting (Shanghai Office)
Table 3.24 Auto Routing: Auto Routing Filters Setting (Shanghai Office)
Table 3.25 The Description of the Fields on Virtual Server Page
Table 3.26 The Settings for Virtual Server Example 1
Table 3.27 The Settings for Virtual Server Example 2
Table 3.28 The Description of the Fields in the Inbound BM Class Table
Table 3.29 The Description of the Fields in the Inbound BM Filter Table
Table 3.30 The Settings for Inbound BM Example 1: Classes
Table 3.31 The Settings for Inbound BM Example 1: Filters
Table 3.32 The Settings for Inbound BM Example 2: Classes
Table 3.33 The Settings for Inbound BM Example 2: Filters
Table 3.34 The Description of the Fields in the Outbound BM Class Table
Table 3.35 The Description of the Fields in the Outbound BM Filter Table
Table 3.36 The Settings for Outbound BM Example 1: Classes
Table 3.37 The Settings for Outbound BM Example 1: Filters
Table 3.38 The Settings for Outbound BM Example 2: Classes
Table 3.39 The Settings for Outbound BM Example 2: Filters
Table 3.40 The Settings of Connection Limit Log Interval
Table 3.41 The Settings of Connection Limit Rules
Table 3.42 The Description of the Fields in Cache Group
Table 3.43 The Description of the Fields in Redirect Rules
Table 3.44 Description of Tunnel Route Log and Local Host ID
Table 3.45 The Description of the Fields in Tunnel Group
Table 3.46 The Description of the Fields in Routing Rules
Table 3.47 The Description of the Fields in Persistent Rules
Table 3.48 The Description of the Fields in Benchmark
Table 3.49 The Description of the Testing Page
Table 3.50 Example of Tunnel Routing
Table 3.51 The Settings for Tunnel Routing Example 1: Tunnel Groups
Table 3.52 The Settings for Tunnel Routing Example 1: Routing Rules
Table 3.53 The Settings for Tunnel Routing Example 2: Tunnel Group
Table 3.54 The Settings for Tunnel Routing Example 2: Routing Rules
Table 3.55 The Settings for Tunnel Routing Example 3: Tunnel Group
Table 3.56 The Settings for Tunnel Routing Example 3: Routing Rules
Table 3.57 The Settings for Tunnel Routing Example: Inbound BM Filter
Table 3.58 The Settings for Tunnel Routing Example: Outbound BM Filter
Table 3.59 TR Example 2: WAN Link Information
Table 3.60 TR Example 2: Settings of Log and Local Host ID (Beijing)
Table 3.61 TR Example 2: Tunnel Group Settings in Beijing Headquarters
Table 3.62 TR Example 2: Routing Rules in Beijing Headquarters
Table 3.63 TR Example 2: Settings of Log and Local Host ID (Shanghai)
Table 3.64 TR Example 2: Tunnel Group Settings in Shanghai Office
Table 3.65 TR Example 2: Routing Rules in Shanghai Office
Table 3.66 TR Example 3: WAN Link Information
Table 3.67 TR Example 3: Settings of Log and Local Host ID (San Jose)
Table 3.68 TR Example 3: Tunnel Group Settings in San Jose Headquarters
Table 3.69 TR Example 3: Routing Rules in San Jose Headquarters
Table 3.70 TR Example 3: Settings of Log and Local Host ID (Beijing)
Table 3.71 TR Example 3: Tunnel Group Settings in Beijing Branch Office
Table 3.72 TR Example 3: Routing Rules in Beijing Branch Office
Table 3.73 TR Example 3: Settings of Log and Local Host ID (Hong Kong)
Table 3.74 TR Example 3: Tunnel Group Settings in Hong Kong Branch Office
Table 3.75 TR Example 3: Routing Rules in Hong Kong Branch Office
Table 3.76 TR Example 4: WAN Link Information
Table 3.77 TR Example 4: Settings of Log and Local Host ID (San Jose)
Table 3.78 TR Example 4: Tunnel Group Settings in San Jose Headquarters
Table 3.79 TR Example 4: Routing Rules in San Jose Headquarters
Table 3.80 TR Example 4: Auto Routing policies in San Jose Headquarters
Table 3.81 TR Example 4: Auto Routing Filters in San Jose Headquarters
Table 3.82 TR Example 4: Settings of Log and Local Host ID (Beijing)
Table 3.83 TR Example 4: Tunnel Group Settings in Beijing Branch Office
Table 3.84 TR Example 4: Routing Rules in Beijing Branch Office
Table 3.85 TR Example 4: Settings of Log and Local Host ID (Hong Kong)
Table 3.86 TR Example 4: Tunnel Group Settings in Hong Kong Branch Office
Table 3.87 TR Example 4: Routing Rules in Hong Kong Branch Office
Table 3.88 TR Example 4: Auto Routing policies in Hong Kong Branch Office
Table 3.89 TR Example 4: Auto Routing Filters in Hong Kong Branch Office
Table 3.90 The Description of the Fields in Multihoming Global Setting
Table 3.91 The Description of the Fields in Multihoming Policy
Table 3.92 The Description of the Fields in Domain Setting
Table 3.93 The Description of the Fields in Enable Relay
Table 3.94 Multihoming Example 1: Virtual Server Settings
Table 3.95 Multihoming Example 1: Policy Settings
Table 3.96 Multihoming Example 1: Domain Settings
Table 3.97 Multihoming Example 2: Virtual Server Settings
Table 3.98 Multihoming Example 2: Policy Settings
Table 3.99 Multihoming Example 2: Domain Settings
Table 3.100 The Description of the Fields in Global Setting
Table 3.101 The Description of the Fields in Domain Setting
Table 3.102 The Description of the Fields in SNMP V1/2
Table 3.103 The Description of the Fields in SNMP V3
Table 3.104 The Description of the Fields in IP-MAC MAPPING
Chapter 3 Service

This chapter explains the services on AscenLink. These services help users manage the network more efficiently and effectively. In Figure 3.1, users will find a list of the functions of AscenLink. These services are significant in regular network administration.

The firewall protects the network from hacker/network attacks. It also improves network security by filtering out unwanted services.

Routing policies maximize the utilization of network resources and assign routing paths based on the status of the network.

Bandwidth management is another feature that users can set up to manage the traffic limit for a given TCP/UDP service (e.g. HTTP, FTP). This feature helps users allocate available bandwidth for each type of service and maximize the efficiency of the network.

Multihoming provides a safeguard against the failure of WAN links. Requests to the internal servers (e.g. WWW server) will be dispatched evenly on every live WAN link. If one of them fails, the internal servers can still be reached via the other live links.
Figure 3.1 The Location of Service on the Menu Bar

3.1 Firewall

This section introduces how to set up the firewall. Because setting up the firewall can be a complex job for a first-time user, we have included a table that explains the meaning of every field that appears on the screen, so that users can become familiar with the user interface as quickly as possible. In addition, we give examples of how to apply those features to real scenarios when necessary.
Figure 3.2 The Location of Service/Firewall on the Menu Bar

Users can add as many rules to the list as they like, and can enable or disable each rule individually. The rules are matched from top to bottom; that is, the rules listed at the top of the list are given higher precedence.

Field: E
Value: Enable (checked), Disable (unchecked)
Description: When the box is checked, the rule will be applied; when the box is unchecked, the rule is disabled.

Field: When
Value: Busy, Idle, All-Time
Description: There are three options available: Busy hour, Idle hour, and All-Time. Please refer to Chapter 2 [System]->[Date/Time] for setting up the definition of busy or idle hours.

Field: Source
Value: IP Address, IP Range, Subnet, WAN, LAN, DMZ, Tunnel, Any Address, FQDN, <IP Grouping Name>
Description: Packets sent from the specified source will be matched:
- IP Address: match packets from a single IP address, e.g. 192.168.1.4
- IP Range: match packets from a continuous range of IP addresses, e.g. 192.168.1.10-192.168.1.20
- Subnet: match packets that come from a subnet, e.g. 192.168.1.0/255.255.255.0
- WAN: match all packets that come from the WAN.
- LAN: match all packets that come from the LAN.
- DMZ: match all packets that come from the DMZ.
- Tunnel: match all packets from any tunnel.
- Any Address: match all packets regardless of their source.
- FQDN: match connections established from FQDN.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Destination
Value: IP Address, IP Range, Subnet, WAN, LAN, DMZ, Localhost, Any Address, FQDN, <IP Grouping Name>
Description: Packets sent to the specified destination will be matched. This field is the same as the Source field, except that it matches packets with the specified destination. Likewise, all IP groups set up in [System]->[IP Grouping] will be shown here.

Field: Service
Value: FTP (21), SSH (22), TELNET (23), SMTP (25), DNS (53), HTTP (80), POP3 (110), H323 (1720), ICMP, TCP@, UDP@, Any, MSN, QQ, Edonkey, BitTorrent, <Service Grouping Name>
Description: The TCP/UDP service type to be matched. Users can select the matching criteria from the publicly known service types (e.g. FTP), or choose the port number in TCP/UDP packets. To specify a range of port numbers, type the starting port number, a hyphen (-), and then the ending port number, e.g. TCP@123-234.

Field: Action
Value: Accept, Deny
Description: The action to take when the rule is matched:
- Accept: The firewall will let the matched packets pass through.
- Deny: The firewall will drop all the matched packets.

Field: L
Value: Enable, Disable
Description: Enable logging or not. If the box is checked, logging will be enabled. Whenever the rule is matched, the system will write the event to the log file.

Table 3.1 The Description of the Fields on Firewall Page

Note: By default, all firewall services will pass all packets through.

Example 1: AscenLink Firewall

Network Architecture:
Figure 3.3 Network Architecture for Firewall Service

Rules for Filtering Packets:
- Users from the Internet (WAN) can only access FTP Server 211.21.48.195 through port 21.
- Users from the LAN can access all servers and hosts on the Internet (WAN) through port 25 (SMTP), port 80 (HTTP), port 21 (FTP), and port 110 (POP3). All other packets are blocked.

The rules table for this example will look like this:

| Source | Destination | Service | Action |
|---|---|---|---|
| WAN | 211.21.48.195 | FTP (21) | Accept |
| WAN | DMZ | Any | Deny |
| LAN | WAN | HTTP (80) | Accept |
| LAN | WAN | SMTP (25) | Accept |
| LAN | WAN | FTP (21) | Accept |
| LAN | WAN | POP3 (110) | Accept |
| LAN | WAN | Any | Deny |

Table 3.2 Firewall Settings of Example 1

Example 2: AscenLink Firewall

Network Architecture:
Figure 3.4 Network Architecture for Firewall Service 2

Rules for Filtering Packets:
- Users from the Internet can access DMZ Server 211.21.48.195 in the DMZ through TCP port 7000.
- The hosts 192.168.0.100-192.168.0.150 in the LAN can access the Internet (WAN), but the rest cannot.
- Users from the Internet (WAN) cannot connect to port 443 on AscenLink (i.e. Web Administration on AscenLink).
  Note: Localhost represents the address of the AscenLink host machine.
- Users from the LAN can access FTP server 192.168.10.1 through port 21.
- Users from the Internet cannot send ping messages to AscenLink.
  Note: To intercept ping messages, users can deny the ICMP protocol in the service type, because ping is a type of ICMP.
- Users from the LAN cannot access the DMZ.
- Users from the Internet (WAN) cannot access the LAN and DMZ.

The rules table for this example will look like this:

| Source | Destination | Service | Action |
|---|---|---|---|
| WAN | 211.21.48.195 | TCP@7000 | Accept |
| 192.168.0.100-192.168.0.150 | WAN | Any | Accept |
| WAN | Localhost | TCP@443 | Deny |
| LAN | 192.192.10.1 | FTP (21) | Accept |
| WAN | Localhost | ICMP | Deny |
| LAN | DMZ | Any | Deny |
| WAN | DMZ | Any | Deny |
| WAN | LAN | Any | Deny |

Table 3.3 Firewall Settings Example 2
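A rule list like Table 3.3 can be checked against its stated intent before it goes live. The Python model below is an added example, not AscenLink code: it applies the top-to-bottom matching and the pass-by-default behaviour described in this section to the Table 3.3 rows. The Packet class, the zone label carried by each packet, the probe addresses and the TCP-only treatment of named services are assumptions made for the example.

```python
"""First-match model of the firewall rule list (added example, not AscenLink code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {"WAN", "LAN", "DMZ", "Localhost"}
# Assumption: a named service is matched as TCP on its well-known port.
NAMED_PORTS = {"FTP": 21, "SSH": 22, "TELNET": 23, "SMTP": 25,
               "HTTP": 80, "POP3": 110}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; the zone labels stand in for the figure."""
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    proto: str                  # "TCP", "UDP" or "ICMP"
    port: Optional[int] = None  # destination port, None for ICMP


def addr_matches(spec: str, ip: str, zone: str) -> bool:
    """Match one Source/Destination cell against a packet endpoint."""
    if spec in ("Any", "Any Address"):
        return True
    if spec in ZONES:
        return spec == zone
    addr = ipaddress.ip_address(ip)
    if "-" in spec:                               # IP Range
        low, high = (ipaddress.ip_address(p) for p in spec.split("-"))
        return low <= addr <= high
    if "/" in spec:                               # Subnet, mask notation allowed
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)     # single IP Address


def service_matches(spec: str, proto: str, port: Optional[int]) -> bool:
    """Match one Service cell: Any, ICMP, TCP@n, UDP@n-m or a named service."""
    if spec == "Any":
        return True
    if spec == "ICMP":
        return proto == "ICMP"
    if "@" in spec:
        rule_proto, ports = spec.split("@")
        low, _, high = ports.partition("-")
        return (proto == rule_proto and port is not None
                and int(low) <= port <= int(high or low))
    name = spec.split("(")[0].strip()
    return proto == "TCP" and port == NAMED_PORTS[name]


def evaluate(rules, pkt: Packet, default: str = "Accept"):
    """Return (action, rule number); the number is None when no rule matched."""
    for number, (src, dst, svc, action) in enumerate(rules, start=1):
        if (addr_matches(src, pkt.src_ip, pkt.src_zone)
                and addr_matches(dst, pkt.dst_ip, pkt.dst_zone)
                and service_matches(svc, pkt.proto, pkt.port)):
            return action, number
    return default, None        # the manual's note: unmatched packets pass


TABLE_3_3 = [
    ("WAN", "211.21.48.195", "TCP@7000", "Accept"),
    ("192.168.0.100-192.168.0.150", "WAN", "Any", "Accept"),
    ("WAN", "Localhost", "TCP@443", "Deny"),
    ("LAN", "192.192.10.1", "FTP (21)", "Accept"),
    ("WAN", "Localhost", "ICMP", "Deny"),
    ("LAN", "DMZ", "Any", "Deny"),
    ("WAN", "DMZ", "Any", "Deny"),
    ("WAN", "LAN", "Any", "Deny"),
]

# Constructed probes; 203.0.113.x and 198.51.100.x are documentation addresses.
PROBES = {
    "wan_to_dmz_tcp7000": Packet("203.0.113.9", "WAN", "211.21.48.195", "DMZ", "TCP", 7000),
    "wan_to_dmz_http": Packet("203.0.113.9", "WAN", "211.21.48.195", "DMZ", "TCP", 80),
    "wan_to_admin_443": Packet("203.0.113.9", "WAN", "203.0.113.1", "Localhost", "TCP", 443),
    "wan_ping": Packet("203.0.113.9", "WAN", "203.0.113.1", "Localhost", "ICMP"),
    "lan_allowed_host": Packet("192.168.0.120", "LAN", "198.51.100.7", "WAN", "TCP", 80),
    "lan_other_host": Packet("192.168.0.200", "LAN", "198.51.100.7", "WAN", "TCP", 80),
}


def audit(rules):
    """Evaluate every probe and return {probe name: (action, rule number)}."""
    return {name: evaluate(rules, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for name, (action, number) in audit(TABLE_3_3).items():
        print(f"{name:20} {action:6} rule={number}")
    # A trailing catch-all makes "the rest cannot" explicit for LAN hosts.
    hardened = TABLE_3_3 + [("LAN", "WAN", "Any", "Deny")]
    print("hardened lan_other_host:", audit(hardened)["lan_other_host"])
```

In this model the LAN host outside 192.168.0.100-192.168.0.150 matches no row of Table 3.3 and is passed by the default, so the intent "the rest cannot" needs an explicit LAN to WAN Deny row below the range rule, as Table 3.2 does for Example 1.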
3.2 NAT

AscenLink is an edge server normally located on the boundary between the Intranet (LAN) and the Internet (WAN). When a connection is established from a private IP address (in the LAN or DMZ) to the Internet (WAN), it is necessary to translate the private IP address into one of the public IP addresses assigned to AscenLink. This process is called NAT (Network Address Translation).

NAT configuration in AscenLink allows flexible setup of NAT rules. By default, the NAT service will translate any private IP address to a fixed public IP address assigned to a given WAN link. Please keep in mind that rules are matched in order. The NAT rules placed at the top of the table are matched first.

No-NAT is used especially for private networks and MPLS networks, so that a host in the WAN can directly access a host in the DMZ. AscenLink can then be used for VPN load balancing and line backup.
Figure 3.5 The Location of Service/NAT on the Menu Bar

Field: Enable NAT
Description: When the function is enabled, the NAT service will translate any private IP address to a fixed public IP address assigned to a given WAN link. If not, AscenLink will be a general router, so that a host in the WAN can directly access a host in the DMZ.

Field: WAN
Description: The WAN link to which users want the NAT rules to apply. Check the box to enable NAT rules over this WAN link.

Field: NAT Rules
Description: Customized rules for NAT.

Field: L
Value: Enable, Disable
Description: Enable logging or not. If the box is checked, logging will be enabled. Whenever the rule is matched, the system will write the event to the log file.

Field: When
Value: Busy, Idle, All-time
Description: The predefined time periods in which the rules will apply. Possible options are Busy/Idle/All-Times. The time period of Busy/Idle hours can be defined under [System]->[Busyhour Setting]. Please refer to Chapter 2.

Field: Source
Value: IP Address, IP Range, Any Address, <IP Grouping Name>
Description: The packets sent from the source will be matched:
- IP Address: all packets from this IP address.
- IP Range: all packets from a continuous range of IP addresses.
- Any Address: all packets, no matter where they come from.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.
Note: The source IP to be translated must be an IP address assigned to the LAN or DMZ.

Field: Service
Value: FTP (21), etc., <Service Grouping Name>
Description: The packets with the service port number to which users would like a NAT rule to apply. It can be a TCP or UDP port, or ICMP. Users may also use predefined service groups from [System]->[Service Grouping]. Please refer to Chapter 2 for how to set up your own service groups. The predefined service groups are available in the list, too.

Field: Translated
Value: IP Address, IP Range
Description: The public IP address, or the range of public IP addresses, that users would like the private addresses to be translated to.

Table 3.4 The Description of the Fields on the NAT Page
Enable NAT:

Example: If users want all packets sent from the local machine 192.168.123.100 to be translated to the public IP address 172.31.5.51, click the box in front of Enable NAT, select WAN Link #1, and check E. The NAT rules settings will look like this:

Figure 3.6 The Settings of NAT Rules

Disable NAT:

If NAT is disabled, AscenLink will be in No-NAT mode. All hosts on the WAN can then directly access the hosts in the DMZ. In this mode, AscenLink is equivalent to a router connecting different subnets.

Figure 3.7 NAT Setting

Note: If NAT is not enabled, NAT is disabled on all WAN links as well.

Example: No-NAT Setting

Network Architecture:

Figure 3.8 Network Architecture for No-NAT

From the above figure we can see that No-NAT is used especially for private networks and MPLS networks, which makes it possible for a host in the branch office to directly access the headquarters. If ISP 1 breaks down, AscenLink will automatically route the link to ISP 2. Moreover, AscenLink can also serve as a load balancer for VPN according to the condition of each link.
3.3 Persistent Routing

When an Intranet host first establishes connections to the Internet through AscenLink, the device will decide which WAN link the connections should use. This is done by looking up the rules in the auto-routing table introduced in section 3.4. After the route to the Internet is determined, AscenLink will apply the persistent routing rules to subsequent connections from the same source and destination, keeping all subsequent connections flowing through the same WAN link. Persistent routing is particularly useful when the user visits a website through secure connections, because a secure server won't accept connections from different source IP addresses during a certified session.
Figure 3.9 The Location of Service/Persistent Routing on the Menu Bar

Field: Timeout
Value: <second>
Description: If there is no connection for this timeout period, the next connection will be routed by the auto-routing rules.

Field: E
Value: Enable (checked), Disable (unchecked)
Description: When the box is checked, the rule will be applied; when the box is unchecked, the rule is disabled.

Field: When
Value: Busy, Idle, All-Time
Description: There are three options available: Busy hour, Idle hour, and All-Time. Please refer to Chapter 2 [System]->[Busyhour Setting] for setting up the definition of busy or idle hours.

Field: Source
Value: IP Address, IP Range, Subnet, LAN, DMZ, Localhost, Any Address, FQDN, <IP Grouping Name>
Description: Connections established from the specified source will be matched:
- IP Address: match connections established from a single IP address, e.g. 192.168.1.4
- IP Range: match connections established from a continuous range of IP addresses, e.g. 192.168.1.10-192.168.1.20
- Subnet: match connections that come from a subnet, e.g. 192.168.1.0/255.255.255.0
- LAN: match connections established from the LAN.
- DMZ: match connections established from the DMZ.
- Localhost: match connections established from AscenLink.
- Any Address: match all connections regardless of their source.
- FQDN: match connections established from FQDN.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Destination
Value: IP Address, IP Range, Subnet, WAN, FQDN, <IP Grouping Name>
Description: Connections to the specified destination will be matched. This field is the same as the Source field, except that it matches packets with the specified destination.
- IP Address: match connections to a single IP address, e.g. 211.21.33.88
- IP Range: match connections to a continuous range of IP addresses.
- Subnet: match connections to the IPs in a subnet.
- WAN: match connections to the WAN.
- FQDN: match connections established from FQDN.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Action
Value: Do PR, No PR
Description:
- Do PR: the matched connections will be routed persistently.
- No PR: the matched connections will NOT be routed persistently.

Field: L
Value: Enable, Disable
Description: Enable logging or not. If the box is checked, logging will be enabled. Whenever the rule is matched, the system will write the event to the log file.

Table 3.5 The Description of the Fields on the Persistent Routing Page

Persistent routing is necessary in situations where the destination servers always check the IP address of the source. Most secure connections, such as HTTPS and SSH, will do so. To prevent connections from being dispatched over different WAN links by the auto-routing rules, persistent routing keeps connections on a fixed WAN link.

It is essential to understand the relationship between auto-routing rules and persistent routing rules. The sequence of routing policy is as follows:
- When a connection is first established, AscenLink will determine which WAN link to use for the connection. This is done by looking up the rules in the auto-routing table.
- Subsequent connections with the same destination and source pair will obey the rules formulated in the persistent routing table. Please note that a connection to a different destination will result in looking up the rules in the auto-routing table again and will not be considered a subsequent connection to the previous one.
- There is a timeout for persistent routing. If the interval between two successive connections is longer than the timeout period, the second connection is considered a new connection. Therefore, the auto-routing service will be activated again, which may cause the connection to be established through a different WAN link.

Example 1: Simple Persistent Routing

Network Architecture:
Figure 3.10 Network Architecture for Persistent Routing 1

The persistent routing policies we want to establish:
- In the LAN, we want the connection from IP address 192.168.0.100 to 192.168.10.100 NOT to be routed persistently.
- All the connections from DMZ to LAN are NOT routed persistently.
- All the connections established from the LAN to the hosts with IPs ranging from 10.10.1.1 to 10.10.1.10 are NOT routed persistently.
- Since the default value is Do PR, if users don't add any rules, all connections will use persistent routing.

The settings for the above scenario will look like this in the persistent routing table:

| Source | Destination | Action |
|---|---|---|
| 192.168.0.100 | 192.192.10.100 | No PR |
| DMZ | WAN | No PR |
| LAN | 10.10.1.1-10.10.1.10 | No PR |

Table 3.6 The Settings for Persistent Routing Example 1

Example 2: Advanced Persistent Routing

Network Architecture:
Figure 3.11 Network Architecture for Persistent Routing 2

The persistent routing policies we want to establish:

- All the connections from the hosts in the LAN with IP addresses ranging from 192.168.0.10~192.168.0.20 are NOT routed persistently, except the host with IP address 192.168.0.15.
- All the connections from the sub-network IPs 192.168.10.0/24 to the IP 192.192.10.100 are NOT routed persistently.
- All the connections established from the IP 211.21.48.196 to the sub-network 10.10.1.0/24 on the WAN are NOT routed persistently.

Since the default value is Do PR, if users don't add any rules, all connections will use persistent routing.

The settings for the above scenario will look like this in the persistent routing table:

| Source | Destination | Action |
|---|---|---|
| 192.168.0.15 | WAN | Do PR |
| 192.168.0.10-192.168.0.20 | WAN | No PR |
| 192.168.10.0/255.255.255.0 | 192.192.10.100 | No PR |
| 211.21.48.196 | 10.10.1.0/255.255.255.0 | No PR |

Table 3.7 The Settings for Persistent Routing Example 2

Note: All rules are matched from top to bottom. Once a rule is matched, the rest are ignored. In this case, even though the connections from 192.168.0.15 meet the conditions specified in both the first and the second rule, only the first rule is applied. A useful tip is to always place more specific rules above less specific ones.
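The lookup order described in this section (top-to-bottom rule matching, default Do PR, and a timeout per source/destination pair) can be modelled as follows. This is an added sketch, not AscenLink code: the rules are those of Table 3.7, while the LAN zone membership, the 60-second timeout used in testing, and the round-robin stand-in for auto routing are assumptions.

```python
import ipaddress
import itertools

# Assumption: which subnets make up the LAN zone (addresses taken from Example 2).
ZONES = {"LAN": ["192.168.0.0/24", "192.168.10.0/24"]}

# Table 3.7, in table order: (source, destination, action)
RULES = [
    ("192.168.0.15", "WAN", "Do PR"),
    ("192.168.0.10-192.168.0.20", "WAN", "No PR"),
    ("192.168.10.0/255.255.255.0", "192.192.10.100", "No PR"),
    ("211.21.48.196", "10.10.1.0/255.255.255.0", "No PR"),
]


def in_zone(addr, zone):
    return any(addr in ipaddress.ip_network(net) for net in ZONES[zone])


def matches(spec, ip):
    """True if ip matches a table cell: Any, a zone, WAN, an IP, a range or a subnet."""
    addr = ipaddress.ip_address(ip)
    if spec == "Any":
        return True
    if spec == "WAN":  # modelled here as "not in any local zone"
        return not any(in_zone(addr, z) for z in ZONES)
    if spec in ZONES:
        return in_zone(addr, spec)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-"))
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec, strict=False)


def pr_action(rules, src, dst):
    """First matching rule wins; returns (action, 1-based rule number or None)."""
    for number, (rule_src, rule_dst, action) in enumerate(rules, 1):
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action, number
    return "Do PR", None  # default when no rule matches


def round_robin(links):
    """Stand-in for the auto-routing decision (assumption): alternate over links."""
    cycle = itertools.cycle(links)
    return lambda src, dst: next(cycle)


class PersistentRouter:
    def __init__(self, rules, timeout, auto_route):
        self.rules, self.timeout, self.auto_route = rules, timeout, auto_route
        self.table = {}  # (src, dst) -> (WAN link, time of the last connection)

    def route(self, src, dst, now):
        action, _ = pr_action(self.rules, src, dst)
        if action == "No PR":
            return self.auto_route(src, dst)  # every connection is routed afresh
        entry = self.table.get((src, dst))
        if entry and now - entry[1] <= self.timeout:
            link = entry[0]                    # same pair, inside the timeout
        else:
            link = self.auto_route(src, dst)   # new pair, or the timeout expired
        self.table[(src, dst)] = (link, now)
        return link
```

Swapping the first two rows of `RULES` makes `pr_action` return No PR for 192.168.0.15, which is the ordering mistake the note above warns about.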
3.4 Auto Routing

The Auto Routing service allows administrators to specify how traffic is routed to WAN links. With only one WAN link, users do not need to consider Auto Routing. With multiple WAN links, however, users may set up routing rules for many situations. For example, an administrator can reserve a WAN link for a group of private IP addresses, or force an application to take a particular WAN link depending on the traffic load on each WAN link.

Figure 3.12 The Location of Service/Auto Routing on the Menu Bar

Auto Routing is composed of two parts. The first part is the design of routing policies, and the second part is setting up filters that activate their corresponding policies. Internally, Auto Routing looks up the filter table and checks whether the connection to be established matches any filter in the table. If the connection matches the conditions specified in a filter, the routing policy assigned to that filter decides which WAN link the connection should take.

Thus, when users want to set up their own routing rules, the first step is to design the routing policies. Routing policies define the routing algorithm and the selection of WAN links to which the algorithm applies. Users can give each routing policy a name so that it can be assigned to a filter later on. The second step is to add filters, which determine the routing policy to use when a type of connection is matched. Just like all other services, the filters are matched from top to bottom. The filters appearing at the top of the table are given higher precedence.

Field: Label
Value: <name for the Policy>
Description: The label for this auto routing policy. This label will be displayed in the filter table when users choose the routing policy.

Field: Algorithm
Value: Fixed / Round-Robin / By Connection / By Upstream Traffic / By Downstream Traffic / By Total Traffic / By Optimum Route
Description: Algorithm for Auto Routing:
- Fixed: only route the connections on a fixed WAN link.
- By Round-Robin: route the connections on every WAN link by weight.
- By Connection: compares the number of connections on each WAN link and routes data based on the specified connection ratio in WAN
- By Downstream Traffic: always route the connections on the WAN link that has the lightest downstream traffic.
- By Upstream Traffic: always route the connections on the WAN link that has the lightest upstream traffic.
- By Total Traffic: always route the connection on the WAN link that has the lightest total traffic.
- By Optimum Route: always route the connections on the best WAN link according to the evaluation of Optimum Route Detection.

Field: Parameter
Value: <Select WAN link(s) for the algorithm, or put a weight on each WAN link>
Description: The type of parameter depends on the algorithm users choose. For the Fixed, By Upstream Traffic, By Downstream Traffic, and By Total Traffic algorithms, users can select the WAN links to which the algorithm will apply. For the Round-Robin algorithm, users give a weight to each WAN link.

Here is an example: In the policy table below, we see the first four policies use the Fixed algorithm (see the figure below). The number represents the number of the WAN link. Users can check the box under the number, telling AscenLink to apply the algorithm to this WAN link.

The fifth policy uses the Round-Robin algorithm, with weight 1 on WAN1, weight 1 on WAN2, and weight 3 on WAN3. It means that if there are five connections to be established, the first one will be established through WAN1, the second one through WAN2, and the last three through WAN3.
Table 3.8 The Description of the Fields in the Auto Routing Policy Table

Field: E
Value: Enable (checked) / Disable (unchecked)
Description: When the box is checked, the rule is applied; when the box is unchecked, the rule is disabled.

Field: When
Value: Busy / Idle / All-Time
Description: There are three options available: Busy hour, Idle hour, and All-Time. Please refer to Chapter 2 [System]->[Busyhour Setting] for setting up the definition of busy or idle hours.

Field: Source
Value: IP Address / IP Range / Subnet / LAN / DMZ / Localhost / Any Address / FQDN / <IP Grouping Name>
Description: Connections established from the specified source will be matched:
- IP Address: match connections established from a single IP address. e.g.: 192.168.1.4
- IP Range: match connections established from a continuous range of IP addresses. e.g.: 192.168.1.10-192.168.1.20
- Subnet: match connections that come from a subnet. e.g.: 192.168.1.0/255.255.255.0
- LAN: match connections established from the LAN.
- DMZ: match connections established from the DMZ.
- Localhost: match connections established from AscenLink.
- Any Address: match all connections regardless of their source.
- FQDN: match connections established from FQDN.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Destination
Value: IP Address / IP Range / Subnet / WAN / FQDN / <IP Grouping Name>
Description: Connections to the specified destination will be matched. This field is the same as the Source field, except it matches packets with the specified destination.
- IP Address: match connections to a single IP address. e.g.: 211.21.33.88
- IP Range: match connections to a continuous range of IP addresses.
- Subnet: match connections to the IPs in a subnet.
- WAN: match connections to the WAN.
- FQDN: match connections established from FQDN.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Service
Value: FTP(21) / SSH(22) / TELNET(23) / SMTP(25) / DNS(53) / HTTP(80) / POP3(110) / H323(1720) / ICMP / TCP@ / UDP@ / Any
Description: The TCP/UDP service type to be matched. Users can select the matching criteria from the publicly known service types (e.g. FTP), or users can choose the port number in TCP/UDP packets. To specify a range of port numbers, type the starting port number plus hyphen - and the ending port number. e.g.: TCP@123-234

Field: Routing Policy
Value: <Select a policy from policy table>
Description: The routing policy which determines how the connections are routed. The policies shown here are the policies defined in the policy table.

Field: Fail-over Policy
Value: <Select a policy from policy table>
Description: When all the WAN links associated with the routing policy fail, this fail-over routing policy will take over. The policies shown here are the policies defined in the policy table.

Field: L
Value: Enable / Disable
Description: Enable logging or not. If the box is checked, logging is enabled. Whenever the rule is matched, the system writes the event to the log file.

Table 3.9 The Description of the Fields in the Auto Routing Filter Table

Example 1: Simple Auto Routing

Network Architecture:
Figure 3.13 Network Architecture for Auto Routing 1

Setting up auto routing policies to meet the following needs:

- A policy that always routes connections on WAN #1, which is an ADSL WAN link with 512k downstream / 512k upstream.
- A policy that always routes connections on WAN #2, which is an ADSL WAN link with 1.5M downstream / 384k upstream.
- Route connections by Optimum Route, choosing the better one from WAN1 and WAN2.
- Route connections depending on the current downstream traffic on each WAN link.
- Route connections depending on the total traffic on each WAN link.

The policy table will look like this:

| Label | Algorithm | Parameter |
|---|---|---|
| WAN1 (512/512) | Fixed | Check WAN #1 |
| WAN2 (1536/384) | Fixed | Check WAN #2 |
| by Optimum Route | by Optimum Route | Check both WAN #1 and WAN #2 |
| by Downstream | By Downstream traffic | Check both WAN #1 and WAN #2 |
| by Total | By Total traffic | Check both WAN #1 and WAN #2 |

Table 3.10 The Settings for Auto Routing Example 1: Policies

Note: Labelling the first policy with the bandwidth of the WAN link (512/512) has no effect on routing; it only makes the policy name self-explanatory. The same applies to the second policy. To set the bandwidth of WAN links, adjust the settings on the [System] -> [Network Setting] page.

Defining filters to meet the following needs:

- When the users from LAN access the web server on the Internet, we want to use policy By Optimum Route to route the connections to the better link.
- When the users from LAN access the FTP server on the Internet, we want to use policy WAN1(512/512) to route the connections. If WAN #1 fails, we want the connections to be routed By Optimum Route. Note: In this situation, By Optimum Route will only route the connections through WAN #2 because WAN #1 has already failed.
- The connections established from 211.21.48.195 in DMZ to any SMTP server on the Internet will be routed by the policy WAN1 (512/512). If WAN #1 fails, they will be routed by the policy WAN2 (1536/384).
- The connections established from 211.21.48.195 in DMZ to any POP3 server on the Internet will be routed by the policy WAN1 (512/512). If WAN #1 fails, no action will be taken. Note: When WAN #1 disconnects, connection to the external POP server will also fail.
The filter table will look like this:

| Source | Destination | Service | Routing Policy | Fail-Over Policy |
|---|---|---|---|---|
| LAN | WAN | HTTP(80) | By Optimum Route | No Action |
| LAN | WAN | FTP(21) | WAN1(512/512) | Round-Robin 1:1 |
| 211.21.48.195 | WAN | SMTP(25) | WAN1(512/512) | WAN2 (1536/384) |
| 211.21.48.195 | WAN | POP3(110) | WAN1(512/512) | No Action |

Table 3.11 The Settings for Auto Routing Example 1: Filters

Example 2: Auto Routing

Network Architecture:
Figure 3.14 Network Architecture for Auto Routing 2

Setting up auto routing policies to meet the following needs:

- A policy that always routes connections through WAN #1 (fixed algorithm).
- A policy that always routes connections through WAN #2 (fixed algorithm).
- A policy that always routes connections through WAN #3 (fixed algorithm).
- A policy to route connections evenly through WAN #1, WAN #2, and WAN #3 using the Round-Robin algorithm.
- A policy to route connections through WAN #1, WAN #2, and WAN #3 using the Round-Robin algorithm with weight ratio WAN #1 : WAN #2 : WAN #3 = 1:2:3. Be aware that if there are six connections to be established, the first connection will be routed through WAN #1, the second and third will be routed through WAN #2, and the last three will be routed through WAN #3.
- A policy to route connections through WAN #1 and WAN #2 depending on the bandwidth left in the downstream traffic over each WAN link.
- A policy to route connections through WAN #2 and WAN #3 depending on the bandwidth left in the total traffic over each WAN link.

| Label | Algorithm | Parameter |
|---|---|---|
| WAN1 | Fixed | Check WAN #1 |
| WAN2 | Fixed | Check WAN #2 |
| WAN3 | Fixed | Check WAN #3 |
| Round-Robin1:1:1 | Round-Robin | Enter 1 for WAN #1, WAN #2, and WAN #3. |
| Round-Robin1:2:3 | Round-Robin | Enter 1 for WAN #1, 2 for WAN #2, and 3 for WAN #3. |
| by Downstream | By Downstream | Check both WAN #1 and WAN #2. |
| by Total | By Total Traffic | Check both WAN #2 and WAN #3. |

Table 3.12 The Settings for Auto Routing Example 2: Policies

Defining filters to meet the following needs:

- The connections established from 192.168.0.100 to FTP server at 210.10.10.11 are routed by the policy WAN3. If WAN #3 fails, they will be routed by the policy by Downstream.
- The connections established from the sub-network 192.168.10.0/24 to web servers on the Internet are routed by the policy Round-Robin1:1:1.
- The connections established from 192.168.0.100~192.168.0.200 to the sub-network 192.192.0.0/24 on TCP port 8000 are routed by the policy WAN2. If WAN #2 fails, they are routed by the policy WAN3.
- The connections from the LAN to the Internet are routed by the policy by Downstream. If both WAN #1 and WAN #2 fail, they will be routed by the policy WAN3.
- The connections established from 211.21.48.196 to FTP server at 210.10.10.11 are routed by the policy Round-Robin1:2:3.
- The connections established from 211.21.48.195 to any SMTP server on the Internet are routed by the policy WAN3. If WAN #3 fails, they are routed by the policy WAN3. Note: In this case, the host at 211.21.48.195 will not be able to establish connections to any SMTP server on the Internet when WAN #3 fails, even though users still have other live WAN links. Therefore, users must use the fail-over policy very carefully.
- The connections established from DMZ to the Internet are routed by the policy by Downstream. If both WAN #1 and WAN #2 fail, they will be routed by the policy by Total. Note: The fail-over policy takes over only if both WAN #1 and WAN #2 fail. However, in this case, if both of them fail, the connections are routed through WAN #3 because WAN #1 and WAN #2 are already dead.
- The connections established from an arbitrary host to the hosts 60.200.10.1~60.200.10.10 will be routed by the policy WAN2. If WAN #2 fails, they will be routed by WAN1.
- The connections established from an arbitrary host to any host on the Internet will be routed by the policy by Downstream.
The filter table will look like this:

| Source | Destination | Service | Routing Policies | Fail-Over Policies |
|---|---|---|---|---|
| 192.168.0.100 | 210.10.10.11 | FTP(21) | WAN3 | By Downstream |
| 192.168.10.0/255.255.255.0 | WAN | HTTP(80) | Round-Robin 1:1:1 | No Action |
| 192.168.0.100-192.168.0.200 | 192.192.0.0/255.255.255.0 | TCP@8000 | WAN2 | WAN3 |
| LAN | WAN | Any | By Downstream | WAN3 |
| 211.21.48.196 | 210.10.10.11 | FTP(21) | Round-Robin 1:2:3 | No Action |
| 211.21.48.195 | WAN | SMTP(25) | WAN3 | WAN3 |
| DMZ | WAN | Any | By Downstream | by Total |
| Any | 60.200.10.1-60.200.10.10 | Any | WAN2 | WAN1 |
| Any | WAN | Any | By Downstream | No Action |

Table 3.13 The Settings for Auto Routing Example 2: Filters

Example 3: TR as AR's backup

A firm is headquartered in San Jose and has a branch office in Shanghai. Each office uses a public WAN link to access the Internet, and an Intranet is established to transfer internal materials between the two offices. If the WAN link in the Shanghai office fails, a backup VPN tunnel between the headquarters in San Jose and the branch office in Shanghai will be activated to ensure uninterrupted communication.

Network Architecture:
Figure 3.15 Network Architecture for Auto Routing Example 3

WAN link deployment details are:

San Jose Shanghai WAN 2 2.2.2.2 WAN 3 3.3.3.3 WAN 4 4.4.4.4 WAN 5 5.5.5.5 LAN 192.168.1.0/24 192.168.2.0/24

Table 3.14 WAN link information of Auto Routing Example 3

The settings for the headquarters in San Jose are as follows:

Settings in Tunnel Routing page are:
Tunnel Routing Log setting:

| Setting | Value |
|---|---|
| Tunnel Route Log | Enabled |
| Localhost ID | San Jose |

Table 3.15 Auto Routing Example 3: Tunnel Routing Log Setting (San Jose Headquarters)

Tunnel Group Setting:

| Group Name | Remote Host ID | Tunnel Local IP | Tunnel Remote IP | Weight |
|---|---|---|---|---|
| San Jose to Shanghai | Shanghai | 3.3.3.3 | 2.2.2.2 | 1 |

Table 3.16 Auto Routing Example 3: Tunnel Group Setting (San Jose Headquarters)

Routing Rules Setting:

| Source | Destination | Use Group | Fail-Over |
|---|---|---|---|
| Any Address | 192.168.2.0/255.255.255.0 | San Jose to Shanghai | No-ACTION |

Table 3.17 Auto Routing Example 3: Routing Rules Setting (San Jose Headquarters)

Settings in Auto Routing page are:

Policies

| Label | Algorithm | Parameter |
|---|---|---|
| WAN4 | Fixed | Tick WAN link number 4 |
| Default Policy | By Downstream Traffic | Tick all available WAN links |

Table 3.18 Auto Routing Example 3: Auto Routing Policies Setting (San Jose Headquarters)

Filters

| Source | Destination | Service | Routing Policy | Fail-Over Policy |
|---|---|---|---|---|
| Tunnel | WAN | ANY | WAN4 | Default Policy |
| Any Address | WAN | ANY | Default Policy | No-ACTION |

Table 3.19 Auto Routing Example 3: Auto Routing Filters Setting (San Jose Headquarters)
The settings for the Shanghai branch office are as follows:

Settings in Tunnel Routing page are:

Tunnel Routing Log setting:

| Setting | Value |
|---|---|
| Tunnel Route Log | Enabled |
| Localhost ID | Shanghai |

Table 3.20 Auto Routing Example 3: Tunnel Routing Log Setting (Shanghai Office)

Tunnel Group Setting:

| Group Name | Remote Host ID | Tunnel Local IP | Tunnel Remote IP | Weight |
|---|---|---|---|---|
| Shanghai to San Jose | San Jose | 2.2.2.2 | 3.3.3.3 | 1 |

Table 3.21 Auto Routing Example 3: Tunnel Group Setting (Shanghai Office)

Routing Rules Setting:

| Source | Destination | Use Group | Fail-Over |
|---|---|---|---|
| Any Address | 192.168.1.0/255.255.255.0 | Shanghai to San Jose | No-ACTION |

Table 3.22 Auto Routing Example 3: Routing Rules Setting (Shanghai Office)

Settings in Auto Routing page are:

Policies

| Label | Algorithm | Parameter |
|---|---|---|
| WAN5 | Fixed | Tick WAN link number 5 |
| Default Policy | By Downstream Traffic | Tick all available WAN links |

Table 3.23 Auto Routing Example 3: Auto Routing Policies Setting (Shanghai Office)

Filters

| Source | Destination | Service | Routing Policy | Fail-Over Policy |
|---|---|---|---|---|
| Any Address | WAN | Any | WAN5 | Tunnel: Shanghai to San Jose |
| Any Address | WAN | Any | Default Policy | No-ACTION |

Table 3.24 Auto Routing Example 3: Auto Routing Filters Setting (Shanghai Office)
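How a filter's routing policy and fail-over policy resolve to a WAN link can be traced with the policies of Table 3.12 and the filters of Table 3.13 from Example 2. This is an added sketch, not AscenLink code: the traffic figures are constructed, skipping failed links in the round-robin rotation is an assumption, and `useless_failover` is a hypothetical check for the WAN3/WAN3 pitfall noted in that example.

```python
import itertools

# Table 3.12: label -> (algorithm, {WAN link number: weight})
POLICIES = {
    "WAN1": ("fixed", {1: 1}),
    "WAN2": ("fixed", {2: 1}),
    "WAN3": ("fixed", {3: 1}),
    "Round-Robin1:1:1": ("round-robin", {1: 1, 2: 1, 3: 1}),
    "Round-Robin1:2:3": ("round-robin", {1: 1, 2: 2, 3: 3}),
    "by Downstream": ("downstream", {1: 1, 2: 1}),
    "by Total": ("total", {2: 1, 3: 1}),
}

# Table 3.13 in table order: (description, routing policy, fail-over policy or None)
FILTERS = [
    ("192.168.0.100 -> 210.10.10.11 FTP", "WAN3", "by Downstream"),
    ("192.168.10.0/24 -> WAN HTTP", "Round-Robin1:1:1", None),
    ("192.168.0.100-200 -> 192.192.0.0/24 TCP@8000", "WAN2", "WAN3"),
    ("LAN -> WAN Any", "by Downstream", "WAN3"),
    ("211.21.48.196 -> 210.10.10.11 FTP", "Round-Robin1:2:3", None),
    ("211.21.48.195 -> WAN SMTP", "WAN3", "WAN3"),
    ("DMZ -> WAN Any", "by Downstream", "by Total"),
    ("Any -> 60.200.10.1-60.200.10.10 Any", "WAN2", "WAN1"),
    ("Any -> WAN Any", "by Downstream", None),
]


def rr_order(weights):
    """Weighted order as the manual describes it: 1:2:3 gives 1, 2, 2, 3, 3, 3."""
    return [link for link, weight in sorted(weights.items()) for _ in range(weight)]


class AutoRouter:
    def __init__(self, policies):
        self.policies = policies
        self._rr = {name: itertools.cycle(rr_order(weights))
                    for name, (alg, weights) in policies.items() if alg == "round-robin"}

    def choose(self, name, up, load):
        """Pick a link for one policy; None when every link of the policy is down.
        up is the set of live links, load maps link -> (downstream, upstream) Kbps."""
        alg, weights = self.policies[name]
        live = [link for link in weights if link in up]
        if not live:
            return None
        if alg == "fixed":
            return live[0]
        if alg == "round-robin":
            while True:  # assumption: links that are down are skipped
                link = next(self._rr[name])
                if link in up:
                    return link
        if alg == "downstream":
            return min(live, key=lambda link: load[link][0])
        return min(live, key=lambda link: sum(load[link]))  # by total traffic

    def route(self, flt, up, load):
        """The fail-over policy is consulted only when all primary links have failed."""
        _, primary, failover = flt
        link = self.choose(primary, up, load)
        if link is None and failover is not None:
            link = self.choose(failover, up, load)
        return link  # None means the connection cannot be established


def useless_failover(filters, policies):
    """Filters whose fail-over policy adds no WAN link beyond the routing policy."""
    return [desc for desc, primary, failover in filters
            if failover is not None
            and set(policies[failover][1]) <= set(policies[primary][1])]
```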
3.5 Virtual Server

Virtual Server is a feature that makes intranet (LAN) servers available to the Internet (WAN). The private IP addresses assigned to the intranet servers are invisible to the external environment. If users wish to make the services provided on these servers accessible to outsiders, they must use AscenLink to redirect the external requests to the right servers in the LAN or DMZ. Whenever an external request arrives at AscenLink, the device looks up the Virtual Server table and redirects the packet to the corresponding server in the LAN or DMZ.

As with the other services, the service mappings in the virtual server table are matched from top to bottom. If users accidentally set up two or more mappings with the same WAN IP and service type, only the earliest configured one that matches is effective. The rest with the same WAN IP and service are ignored.

In addition, AscenLink's Virtual Server function also allows the user to perform load balancing on multiple servers, that is, to distribute traffic over a group of servers (server cluster) to achieve highly accessible and fast web services. AscenLink directs the incoming requests to particular servers in the server cluster according to the preset weight on each server. Meanwhile, AscenLink monitors the status of each server in real time to ensure all incoming requests are directed to healthy servers.

Figure 3.16 The Location of Service/Virtual Server on the Menu Bar
Virtual Server:

Field: E
Value: Enable (checked) / Disable (unchecked)
Description: When the box is checked, the rule is applied; when the box is unchecked, the rule is disabled.

Field: When
Value: Busy / Idle / All-Time
Description: There are three options available: Busy hour, Idle hour, and All-Time. Please refer to Chapter 2 [System]->[Busyhour Setting] for setting up the definition of busy or idle hours.

Field: WAN IP
Value: <WAN IP>
Description: To the users from the Internet, your virtual server is visible as a public IP on the WAN port. This WAN IP is the "visible" IP for your virtual server in the external environment (Internet). Select a public IP. Or in "Routing Mode", either enter the IP manually or select the IP obtained by AscenLink from the WAN link. Or in "Bridge Mode One Static IP", insert the WAN IP, the public IP assigned by the ISP. Or, if the WAN type is none of the above, choose "dynamic IP at WAN#".

Field: Service
Value: FTP(21) / SSH(22) / TELNET(23) / SMTP(25) / DNS(53) / HTTP(80) / POP3(110) / H323(1720) / ICMP / TCP@ / UDP@ / Any...
Description: The TCP/UDP service type to be matched. Users can select the matching criteria from the publicly known service types (e.g. FTP), or users can choose the port number in TCP/UDP packets. To specify a range of port numbers, type the starting port number plus hyphen - and the ending port number. e.g. TCP@123-234

Field: Keep Session
Value: <Seconds>
Description: Tick or untick the box to decide whether to keep the session after a connection is successfully established. To keep the session, input the desired time period. The default time period is 30s.

Field: Server IP
Value: <IP Address>
Description: The real IP address of the server, probably in LAN or DMZ.

Field: Detect
Value: <ICMP> / <TCP@> / No-Detect
Description: Choose the protocol used for the detection of server status. Available choices are ICMP, TCP@, and No-Detect. Note: If users choose TCP@, users have to specify the associated port number.

Field: Service
Value: FTP(21) / SSH(22) / TELNET(23) / SMTP(25) / DNS(53) / HTTP(80) / POP3(110) / H323(1720) / ICMP / TCP@ / UDP@ / Any...
Description: The TCP/UDP service type to be matched. Users can select the matching criteria from the publicly known service types (e.g. FTP), or users can choose the port number in TCP/UDP packets. To specify a range of port numbers, type the starting port number plus hyphen - and the ending port number. e.g. TCP@123-234

Field: Weight
Value: 1, 2, 3...
Description: The weight used to determine which server responds to the incoming requests. The higher the weight is, the greater the chance that the corresponding server is used.

Field: L
Value: Enable / Disable
Description: Enable logging or not. If the box is checked, logging is enabled. Whenever the rule is matched, the system writes the event to the log file.

Table 3.25 The Description of the Fields on Virtual Server Page
Example 1: Virtual Server

Network Architecture:

Figure 3.17 Network Architecture for Virtual Server 1

The settings for virtual servers are listed below:

- IP address assigned to WAN1 is 211.21.48.194. (Please refer to [System] -> [Network Settings] -> [WAN Setting] for configuring WAN IPs.)
- IP address assigned to WAN2 is 211.21.33.186.
- Forward all HTTP requests (port 80) through WAN1 or WAN2 to two HTTP servers 192.168.0.100 and 192.168.0.101 in the LAN.
- Forward all FTP requests (port 21) through WAN1 or WAN2 to two FTP servers 192.168.0.200 and 192.168.0.201 in the LAN.
- Assign 211.21.48.195 and 211.21.48.189 to WAN 1 and forward all the requests to 211.21.48.195 or 211.21.48.189 to two SMTP servers 192.168.0.200 and 192.168.0.201 in the LAN.
- Forward all the requests to 211.21.48.197 to 192.168.0.15 in the LAN.

Note:
1. AscenLink can auto-detect both active and passive FTP servers; users don't need to worry about this.
2. All public IPs must be assigned to WAN 1. Please configure these IPs in the field IP(s) on Localhost of the Basic Subnet table on the [System] -> [Network Settings] -> [WAN Setting] -> [WAN Link 1] page.
3. Because 211.21.48.197 does not belong to a physical host, users must assign this IP to the WAN port.

The virtual server table for the above settings will look like this:

| WAN IP | Service | Server IP | Detect | Service | Weight |
|---|---|---|---|---|---|
| 211.21.48.194 | HTTP (80) | 192.168.0.100 | TCP@80 | HTTP(80) | 1 |
| | | 192.168.0.101 | ICMP | HTTP(80) | 1 |
| 211.21.33.186 | HTTP (80) | 192.168.0.100 | ICMP | HTTP(80) | 1 |
| | | 192.168.0.101 | TCP@80 | HTTP(80) | 2 |
| 211.21.48.194 | FTP (21) | 192.168.0.200 | ICMP | FTP(21) | 1 |
| | | 192.168.0.201 | TCP@21 | FTP(21) | 1 |
| 211.21.48.186 | FTP (21) | 192.168.0.200 | ICMP | FTP(21) | 1 |
| | | 192.168.0.201 | TCP@21 | FTP(21) | 1 |
| 211.21.48.195 | SMTP (25) | 192.168.0.200 | ICMP | SMTP(25) | 1 |
| | | 192.168.0.201 | TCP@25 | SMTP(25) | 1 |
| 211.21.48.189 | SMTP (25) | 192.168.0.200 | ICMP | SMTP(25) | 1 |
| | | 192.168.0.201 | TCP@25 | SMTP(25) | 1 |
| 211.21.48.197 | Any | 192.168.0.15 | ICMP | Any | 1 |

Table 3.26 The Settings for Virtual Server Example 1
Example 2: Virtual Server

Network Architecture:

Figure 3.18 Network Architecture for Virtual Server 2

The settings for the virtual servers are listed below:

- Forward all the requests to 211.21.48.194 on TCP port 21 to the FTP Server 192.168.0.100.
- Allow PcAnywhere from any location to control the host 192.168.0.15 through the public IP 211.21.33.186. Note: PcAnywhere uses TCP port 5631 and UDP port 5632. Please refer to the PcAnywhere software manual.
- Forward all the requests to 211.21.48.194 on TCP port 2000~3000 to the host 192.168.0.15 in the LAN. Note: Port range redirection is also supported.

The virtual server table for the above settings will look like this:

| WAN IP | Service | Server IP | Detect | Service | Weight |
|---|---|---|---|---|---|
| 211.21.48.194 | TCP@1999 | 192.168.0.100 | ICMP | TCP@1999 | 1 |
| | | 192.168.0.101 | TCP@1999 | TCP@1999 | 1 |
| 211.21.33.186 | TCP@5631 | 192.168.0.15 | ICMP | TCP@5631 | 1 |
| 211.21.33.186 | UDP@5632 | 192.168.0.15 | TCP@5632 | UDP@5632 | 1 |
| 211.21.48.194 | TCP@2000-3000 | 192.168.0.15 | ICMP | TCP@2000-3000 | 1 |
| 211.21.48.194 | UDP@2000-3000 | 192.168.0.15 | ICMP | UDP@2000-3000 | 1 |

Table 3.27 The Settings for Virtual Server Example 2
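Because every virtual server row publishes an internal host to the Internet, the table is worth reviewing for rows that never apply and rows that expose many ports. The following is an added review aid, not AscenLink code: the rows are the last row of Table 3.26 and the rows of Table 3.27 as printed plus one constructed row, treating named services as TCP is an assumption, and the function names are hypothetical. It generalises the same-WAN-IP, same-service rule to port ranges, which follows from top-to-bottom matching.

```python
import re

# (WAN IP, Service, [server IPs]) in table order
TABLE = [
    ("211.21.48.197", "Any", ["192.168.0.15"]),
    ("211.21.48.194", "TCP@1999", ["192.168.0.100", "192.168.0.101"]),
    ("211.21.33.186", "TCP@5631", ["192.168.0.15"]),
    ("211.21.33.186", "UDP@5632", ["192.168.0.15"]),
    ("211.21.48.194", "TCP@2000-3000", ["192.168.0.15"]),
    ("211.21.48.194", "UDP@2000-3000", ["192.168.0.15"]),
    ("211.21.48.194", "TCP@2500", ["192.168.0.50"]),  # constructed row for the check below
]


def parse_service(spec):
    """Turn a Service cell ('Any', 'TCP@2000-3000', 'HTTP (80)') into (protocols, low, high)."""
    spec = spec.replace(" ", "")
    if spec == "Any":
        return ({"tcp", "udp"}, 1, 65535)
    m = re.fullmatch(r"(TCP|UDP)@(\d+)(?:-(\d+))?", spec)
    if m:
        low = int(m.group(2))
        return ({m.group(1).lower()}, low, int(m.group(3) or low))
    m = re.fullmatch(r"\w+\((\d+)\)", spec)
    if m:  # named service such as HTTP(80); treated as TCP here (assumption)
        return ({"tcp"}, int(m.group(1)), int(m.group(1)))
    raise ValueError("unsupported service spec: " + spec)


def shadowed(table):
    """Return (row, earlier row) pairs, 1-based, where an earlier mapping on the same
    WAN IP already matches everything the later row matches, so the later row is ignored."""
    found = []
    for j, (ip_j, svc_j, _) in enumerate(table):
        protos_j, low_j, high_j = parse_service(svc_j)
        for i in range(j):
            ip_i, svc_i, _ = table[i]
            protos_i, low_i, high_i = parse_service(svc_i)
            if ip_i == ip_j and protos_j <= protos_i and low_i <= low_j and high_j <= high_i:
                found.append((j + 1, i + 1))
                break
    return found


def broad_exposure(table, max_ports=100):
    """List mappings that publish more than max_ports protocol/port pairs to the Internet."""
    found = []
    for wan_ip, svc, servers in table:
        protos, low, high = parse_service(svc)
        count = len(protos) * (high - low + 1)
        if count > max_ports:
            found.append((wan_ip, svc, servers, count))
    return found
```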
3.6 Inbound BM

Bandwidth management (BM) is a useful feature that helps the administrator allocate bandwidth for different types of service. Given that the bandwidth of WAN links is usually a limited resource, ensuring enough bandwidth for mission-critical applications to provide satisfactory quality becomes a crucial issue. To address issues like this, users need a BM tool to adjust bandwidth utilization.

Bandwidth Management (BM) in AscenLink is separated by the direction of traffic flow: either inbound (from WAN to LAN) or outbound (from LAN to WAN). This section focuses only on inbound BM; the configuration for outbound BM is similar and is discussed in the next section.

Figure 3.19 The Location of Service/Inbound BM on the Menu Bar

Inbound BM consists of two parts: Classes and Filters. The class table looks like this:
Figure 3.20 The Screenshot of Inbound BM Classes

By clicking the button to the right of a class name, users can expand or collapse the link settings and configure their own bandwidth limit for each WAN link.

Class:

Field: Name
Value: <input a name>
Description: The name for this bandwidth class. We recommend using a self-explanatory name so that it is easy to understand when it is used later in the filter table. For example, users can name a bandwidth class HTTP to manage the bandwidth of HTTP services.

Field: Link
Description: The WAN link to which the bandwidth limit applies.

Busy Hour Settings (Note: Please see [System]->[Busyhour Setting] in chapter 2.)

Field: Guaranteed Kbps
Description: The guaranteed bandwidth for this class. This makes sure the connections through the WAN link will at least be allocated the specified bandwidth. It is particularly useful when users want to ensure the quality of a certain type of service (e.g. VoIP).

Field: Max Kbps
Description: This defines the maximum bandwidth allowed for the connections on the WAN link. Normally, we will set up maximum bandwidth for services like WWW or SMTP that have a high volume of traffic and may affect the quality of other services.

Field: Priority
Description: The priority of the connections on the WAN link. It can be High, Normal, or Low. The connections with higher priority are allocated available bandwidth first.

Idle Hour Settings (Note: Please see [System]->[Busyhour Setting] in chapter 2.)

Field: Guaranteed Kbps
Description: The guaranteed bandwidth for this class. This makes sure the connections through the WAN link will at least be allocated the specified bandwidth. It is particularly useful when users want to ensure the quality of a certain type of service (e.g. VoIP).

Field: Max Kbps
Description: This defines the maximum bandwidth allowed for the connections on the WAN link. Normally, we will set up maximum bandwidth for services like WWW or SMTP that have a high volume of traffic and may affect the quality of other services.

Field: Priority
Description: The priority of the connections on the WAN link. It can be High, Normal, or Low. The connections with higher priority are allocated available bandwidth first.

Table 3.28 The Description of the Fields in the Inbound BM Class Table

Filter:

In the filter table, users can set up the rules for filtering outside connections with a specific set of characteristics, and assign a BM class that will limit the bandwidth resources on these connections.

Field: E
Value: Enable (checked) / Disable (unchecked)
Description: When the box is checked, the rule is applied; when the box is unchecked, the rule is disabled.

Field: Source
Value: IP Address / IP Range / Subnet / WAN / FQDN / <IP Grouping Name>
Description: Connections established from the specified source will be matched:
- IP Address: match connections established from a single IP address. e.g. 192.168.1.4
- IP Range: match connections established from a continuous range of IP addresses. e.g. 192.168.1.10-192.168.1.20
- Subnet: match connections that come from a subnet. e.g.: 192.168.1.0/255.255.255.0
- WAN: match connections established from the WAN.
- FQDN: match connections established from FQDN.
Apart from the options listed above, predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Destination
Value: IP Address / IP Range / Subnet / WAN / LAN / DMZ / Localhost / Any address / FQDN / <IP Grouping Name>
Description: Connections to the specified destination will be matched. This field is the same as the Source field, except it matches packets with the specified destination. In addition, the predefined IP groups will be shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Field: Service
Value: FTP(21) / SSH(22) / TELNET(23) / SMTP(25) / DNS(53) / HTTP(80) / POP3(110) / H323(1720) / ICMP / TCP@ / UDP@ / Any...
Description: The TCP/UDP service type to be matched. Users can select the matching criteria from the publicly known service types (e.g. FTP), or users can choose the port number in the TCP/UDP packet. To specify a range of port numbers, type the starting port number plus hyphen - and the ending port number. e.g. TCP@123-234.

Field: Service At
Value: WAN / Non WAN
Description: Specify the location of the server that provides the service.
- Non WAN: the server is located in the LAN or DMZ.
- WAN: the server is located in the WAN (Internet).

Field: Classes
Value: <Name>
Description: The bandwidth class to be imposed. These classes are defined in the bandwidth class table described earlier.

Field: L
Value: Enable / Disable
Description: Enable logging or not. If the box is checked, logging is enabled. Whenever the rule is matched, the system writes the event to the log file.

Table 3.29 The Description of the Fields in the Inbound BM Filter Table
Example 1: Inbound BM

Network Architecture:

Figure 3.21 Network Architecture for Inbound BM 1

The requirements for inbound bandwidth management:

- The maximum bandwidth reserved for mail server 211.21.48.197 to download emails is 128K on WAN1, 64K on WAN2, and 128K on WAN3.
- The maximum bandwidth reserved for localhosts to download data from web servers on the Internet is 128K on WAN1, 64K on WAN2, and 64K on WAN3.
- The maximum bandwidth reserved for 192.168.0.100 to download data from FTP server on the Internet is 50K on WAN1, 30K on WAN2, and 30K on WAN3 with high priority in peak hours. See the table below for the remaining details in this BM class.
- See the table below for the BM details on the FTP server 211.21.48.198 in DMZ.

The class table for the above BM rules will look like this:

| Name | Link | Busy Hour: Guaranteed Kbps | Busy Hour: Max bps | Busy Hour: Priority | Idle Hour: Guaranteed Kbps | Idle Hour: Max Kbps | Idle Hour: Priority |
|---|---|---|---|---|---|---|---|
| Mail Server | WAN1 | 0 | 128 | Normal | 0 | 128 | Normal |
| | WAN2 | 0 | 64 | Normal | 0 | 64 | Normal |
| | WAN3 | 0 | 128 | Normal | 0 | 128 | Normal |
| to LAN zone | WAN1 | 0 | 128 | Normal | 0 | 128 | Normal |
| | WAN2 | 0 | 64 | Normal | 0 | 64 | Normal |
| | WAN3 | 0 | 64 | Normal | 0 | 64 | Normal |
| for 192.168.0.100 | WAN1 | 20 | 50 | High | 20 | 50 | High |
| | WAN2 | 0 | 30 | High | 100 | 200 | High |
| | WAN3 | 0 | 30 | High | 100 | 200 | High |
| for DMZ zone | WAN1 | 200 | 500 | Low | 200 | 500 | Low |
| | WAN2 | 0 | 512 | Low | 200 | 300 | Low |
| | WAN3 | 0 | 256 | Low | 200 | 300 | Low |

Table 3.30 The Settings for Inbound BM Example 1: Classes

The filter table will look like this:

| Source | Destination | Service | Service At | Classes |
|---|---|---|---|---|
| WAN | 211.21.48.197 | SMTP(25) | Non WAN | Mail Server |
| WAN | LAN | HTTP(80) | WAN | to LAN zone |
| WAN | 192.168.0.100 | FTP(21) | WAN | for 192.168.0.100 |
| WAN | 211.21.48.198 | FTP(21) | Non WAN | for DMZ zone |

Table 3.31 The Settings for Inbound BM Example 1: Filters

Downstream data arises in one of two scenarios. Taking FTP as an example, the first scenario is that a local host downloads data from a remote FTP server in the WAN. The other is that a remote user in the WAN uploads data to an FTP server in the LAN. Both scenarios send data from the WAN to the LAN. Thus, users need to configure BM rules for these two scenarios on the inbound BM page.
Example 2: Inbound BM

Network Architecture:

Figure 3.22 Network Architecture for Inbound BM 2

The requirements for the inbound bandwidth management:

- Set up a BM class for limiting bandwidth usage from FTP server 192.192.10.10 to the LAN.
- Set up a BM class for limiting bandwidth usage from any web server on the Internet to the hosts in the LAN with IPs ranging from 192.168.0.10 to 192.168.0.50.
- Set up a BM class for limiting bandwidth usage from any FTP server on the Internet to sub-network 192.168.100.0/24 in the LAN.
- Set up a BM class for limiting bandwidth usage from any WAN user to FTP server 211.21.48.198.

The class table for inbound BM:

| Name | Link | Busy Hour: Guaranteed Kbps | Busy Hour: Max Kbps | Busy Hour: Priority | Idle Hour: Guaranteed Kbps | Idle Hour: Max Kbps | Idle Hour: Priority |
|---|---|---|---|---|---|---|---|
| for LAN user | WAN1 | 0 | 128 | Normal | 0 | 512 | Normal |
| for LAN user | WAN2 | 0 | 128 | Normal | 0 | 512 | Normal |
| for LAN user | WAN3 | 0 | 64 | Normal | 0 | 512 | Normal |
| for 192.168.0.10-192.168.0.50 | WAN1 | 0 | 128 | Normal | 0 | 128 | Normal |
| for 192.168.0.10-192.168.0.50 | WAN2 | 128 | 256 | Low | 0 | 512 | Low |
| for 192.168.0.10-192.168.0.50 | WAN3 | 64 | 256 | Low | 0 | 512 | Low |
| for 192.168.100.0 FTP | WAN1 | 20 | 50 | High | 20 | 50 | High |
| for 192.168.100.0 FTP | WAN2 | 0 | 64 | High | 32 | 128 | High |
| for 192.168.100.0 FTP | WAN3 | 0 | 64 | High | 32 | 128 | High |
| for WAN user upload | WAN1 | 200 | 500 | Low | 200 | 500 | Low |
| for WAN user upload | WAN2 | 0 | 512 | Low | 0 | 512 | Low |
| for WAN user upload | WAN3 | 128 | 256 | Low | 256 | 512 | Low |

Table 3.32 The Settings for Inbound BM Example 2: Classes

The filter table will look like this:

| Source | Destination | Service | Service At | Classes |
|---|---|---|---|---|
| 192.192.10.10 | LAN | FTP(21) | WAN | for LAN user |
| WAN | 192.168.0.10-192.168.0.50 | HTTP(80) | WAN | for 192.168.0.10-192.168.0.50 |
| WAN | 192.168.100.0/255.255.255.0 | FTP(21) | WAN | for 192.168.100.0 FTP |
| WAN | 211.21.48.198 | FTP(21) | Non WAN | for WAN user upload |

Table 3.33 The Settings for Inbound BM Example 2: Filters

Note: During HTTP communication, clients send requests to the server and the server responds to the clients. Usually, bandwidth is affected mostly by the responses from the server to the client, because they contain graphics or multimedia data. Thus, in most cases we only set up BM rules for managing HTTP responses.

3.7 Outbound BM

In contrast to inbound BM, outbound BM controls network streams that flow from the Intranet (LAN) to the Internet (WAN). The settings for outbound BM are the same as for inbound BM.
Figure 3.23 The Location of Service /Outbound BM on the Menu Bar

Class:

| Field | Description |
|---|---|
| Name | <input a name> The name for this bandwidth class. We recommend a self-explanatory name so that it is easy to recognize when it is used later in the filter table. For example, users can name a bandwidth class HTTP to manage the bandwidth of HTTP services. |
| Link | The WAN link to which the bandwidth limit applies. |
| Busy Hour Settings: Guaranteed Kbps | The guaranteed bandwidth for this class. This makes sure the connections through the WAN link are allocated at least the specified bandwidth. It is particularly useful when users want to ensure the quality of a certain type of service (e.g. VoIP). |
| Busy Hour Settings: Max Kbps | The maximum bandwidth allowed for the connections on the WAN link. Normally, we set a maximum bandwidth for services like WWW or SMTP that have a high volume of traffic and may affect the quality of other services. |
| Busy Hour Settings: Priority | The priority of the connections on the WAN link. It can be High, Normal, or Low. Connections with higher priority are allocated available bandwidth first. |
| Idle Hour Settings: Guaranteed Kbps | The guaranteed bandwidth for this class. This makes sure the connections through the WAN link are allocated at least the specified bandwidth. It is particularly useful when users want to ensure the quality of a certain type of service (e.g. VoIP). |
| Idle Hour Settings: Max Kbps | The maximum bandwidth allowed for the connections on the WAN link. Normally, we set a maximum bandwidth for services like WWW or SMTP that have a high volume of traffic and may affect the quality of other services. |
| Idle Hour Settings: Priority | The priority of the connections on the WAN link. It can be High, Normal, or Low. Connections with higher priority are allocated available bandwidth first. |

Note (Busy Hour Settings and Idle Hour Settings): Please see [System]->[Busyhour Setting] in chapter 2.

Table 3.34 The Description of the Fields in the Outbound BM Class Table

Filter:

In the filter table, users can set up rules that match outside connections with a specific set of characteristics, and assign a BM class that limits the bandwidth resources of these connections.

E
Value: Enable (checked), Disable (unchecked)
Description: When the box is checked, the rule is applied; when it is unchecked, the rule is disabled.

Source
Value: IP Address, IP Range, Subnet, LAN, DMZ, Localhost, Any, FQDN, <IP Grouping Name>
Description: Connections established from the specified source will be matched:
- IP Address: match connections established from a single IP address. e.g.: 192.168.1.4
- IP Range: match connections established from a continuous range of IP addresses. e.g.: 192.168.1.10-192.168.1.20
- Subnet: match connections that come from a subnet. e.g.: 192.168.1.0/255.255.255.0
- LAN: match connections established from the LAN.
- DMZ: match connections established from the DMZ.
- Localhost: match connections established from AscenLink.
- Any Address: match all connections regardless of source.
- FQDN: match connections established from an FQDN.
Apart from the options listed above, predefined IP groups are shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Destination
Value: IP Address, IP Range, Subnet, WAN, FQDN, <IP Grouping Name>
Description: Connections to the specified destination will be matched. This field is the same as the Source field, except that it matches packets with the specified destination. In addition, predefined IP groups are shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Service
Value: FTP(21), SSH(22), TELNET(23), SMTP(25), DNS(53), HTTP(80), POP3(110), H323(1720), ICMP, TCP@, UDP@, Any, ...
Description: The TCP/UDP service type to be matched. Users can select the matching criteria from the publicly known service types (e.g. FTP), or choose the port number in the TCP/UDP packet. To specify a range of port numbers, type the starting port number, a hyphen "-", and the ending port number. e.g. TCP@123-234.

Service At
Value: WAN, Non WAN
Description: Specify the location of the server that provides the service.
- Non WAN: the server is located in the LAN or DMZ.
- WAN: the server is located in the WAN (Internet).

Classes
Value: <Name>
Description: The bandwidth class to be imposed. These classes are defined in the bandwidth class table described earlier.

L
Value: Enable, Disable
Description: Enable logging or not. If the box is checked, logging is enabled: whenever the rule is matched, the system writes the event to the log file.

Table 3.35 The Description of the Fields in the Outbound BM Filter Table

Example 1: Outbound BM

Network Architecture:
Figure 3.24 Network Architecture for Outbound BM 1

The requirements for the outbound bandwidth management:

- Set up a BM class for limiting bandwidth usage from FTP server 211.21.48.198 in the DMZ to any users in the WAN.
- Set up a BM class for limiting bandwidth usage from POP3 server 211.21.48.197 in the DMZ to any users in the WAN.

The class table for outbound BM:

| Name | Link | Busy Hour: Guaranteed Kbps | Busy Hour: Max Kbps | Busy Hour: Priority | Idle Hour: Guaranteed Kbps | Idle Hour: Max Kbps | Idle Hour: Priority |
|---|---|---|---|---|---|---|---|
| for FTP upload | WAN1 | 0 | 128 | Normal | 0 | 512 | Normal |
| for FTP upload | WAN2 | 0 | 128 | Normal | 0 | 512 | Normal |
| for FTP upload | WAN3 | 0 | 64 | Normal | 0 | 512 | Normal |
| for mail server (POP3) | WAN1 | 0 | 128 | Low | 0 | 128 | Low |
| for mail server (POP3) | WAN2 | 0 | 128 | Low | 0 | 128 | Low |
| for mail server (POP3) | WAN3 | 0 | 256 | Low | 0 | 512 | Low |

Table 3.36 The Settings for Outbound BM Example 1: Classes

The filter table will look like this:

| Source | Destination | Service | Service At | Classes |
|---|---|---|---|---|
| 211.21.48.198 | WAN | FTP(21) | Non WAN | for FTP upload |
| 211.21.48.197 | WAN | POP3(110) | Non WAN | for mail server (POP3) |

Table 3.37 The Settings for Outbound BM Example 1: Filters

Upstream data falls into one of two scenarios as well. Again taking FTP as an example, the first scenario is that a local host uploads data to a remote FTP server in the WAN. The other is that a remote user in the WAN downloads data from an FTP server in the LAN. Both scenarios send data from the LAN to the WAN. Thus, users need to configure BM rules for both scenarios on the outbound BM page.
Example 2: Outbound BM

Network Architecture:

Figure 3.25 Network Architecture for Outbound BM 2

The requirements for the outbound bandwidth management:

- Set up a BM class for limiting bandwidth usage from virtual FTP server 192.168.0.100 in the LAN to any users in the WAN.
  Note: When configuring filters on virtual servers, users must specify the private IP assigned to the virtual server, not the translated public IP.
- Set up a BM class for limiting bandwidth usage from host 211.21.48.198 in the DMZ to sub-network 10.10.10.0/24 in the WAN.

The class table for the above BM rules will look like this:

| Name | Link | Busy Hour: Guaranteed Kbps | Busy Hour: Max Kbps | Busy Hour: Priority | Idle Hour: Guaranteed Kbps | Idle Hour: Max Kbps | Idle Hour: Priority |
|---|---|---|---|---|---|---|---|
| for FTP | WAN1 | 100 | 200 | Normal | 0 | 512 | Normal |
| for FTP | WAN2 | 50 | 100 | Normal | 0 | 512 | Normal |
| for FTP | WAN3 | 50 | 100 | Normal | 0 | 512 | Normal |
| for 10.10.10.0 | WAN1 | 0 | 128 | Low | 0 | 256 | Low |
| for 10.10.10.0 | WAN2 | 0 | 128 | Low | 0 | 256 | Low |
| for 10.10.10.0 | WAN3 | 0 | 256 | Low | 0 | 512 | Low |

Table 3.38 The Settings for Outbound BM Example 2: Classes

The filter table will look like this:

| Source | Destination | Service | Service At | Classes |
|---|---|---|---|---|
| 192.168.0.100 | WAN | FTP | non-WAN | for FTP |
| 211.21.48.198 | 10.10.10.0/255.255.255.0 | Any | non-WAN | for 10.10.10.0 |

Table 3.39 The Settings for Outbound BM Example 2: Filters
3.8 Connection Limit

Connection Limit restricts the number of connections so that it stays below a threshold. When the number of connections exceeds the limit, the system automatically logs the event to a file (when logging is enabled). One application of Connection Limit is detecting exceptionally high volumes of traffic caused by malicious attacks. In this case, AscenLink can keep the network from jamming up by rejecting additional connections above the threshold.
Figure 3.26 The Location of Service /Connection Limit on the Menu Bar

Available fields in the connection limit function:

Figure 3.27 The Screenshot of Connection Limit

1. Log Interval:

| Field | Value | Description |
|---|---|---|
| Log Interval | <second> | The log interval determines how often the system writes to the log file while the number of connections exceeds the limit defined in the rules table. For example, if users set the log interval to 5 seconds, the system logs the event every 5 seconds while the number of connections exceeds the limit. A shorter interval results in more records in the log. |

Table 3.40 The Settings of Connection Limit Log Interval

2. Rules:

Source
Value: IP Address, IP Range, Subnet, WAN, LAN, DMZ, Any Address, FQDN, <IP Grouping Name>
Description: Connections established from the specified source will be matched:
- IP Address: match connections established from a single IP address. e.g.: 192.168.1.4
- IP Range: match connections established from a continuous range of IP addresses. e.g.: 192.168.1.10-192.168.1.20
- Subnet: match connections that come from a subnet. e.g.: 192.168.1.0/255.255.255.0
- LAN: match connections established from the LAN.
- DMZ: match connections established from the DMZ.
- Localhost: match connections established from AscenLink.
- Any Address: match all connections regardless of source.
- FQDN: match connections established from an FQDN.
Apart from the options listed above, predefined IP groups are shown in the list as well. Please see [System]->[IP Grouping] for setting up your own IP groups.

Limit
Value: <The number of connections>
Description: The maximum number of connections.

L
Value: Enable, Disable
Description: Enable logging or not. If the box is checked, logging is enabled: whenever the rule is matched, the system writes the event to the log file.

Table 3.41 The Settings of Connection Limit Rules

Example:

In this example, the number of connections cannot exceed 500 for any host in sub-network 192.168.1.1-192.168.1.254. If any of them has more than 500 connections, the system records an event to the log file every 5 seconds.
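The rule in this example (500 connections per host in 192.168.1.1-192.168.1.254, one log record per 5-second interval) can be modelled as follows. This Python model is an added example, not AscenLink code: the `ConnectionLimiter` class, its method names, the per-host throttling of log records and the traffic generated in `run_demo` are assumptions constructed for illustration.

```python
"""Per-source connection limit with interval-throttled logging (illustrative model)."""
import ipaddress
from collections import defaultdict


def parse_range(spec):
    """Parse an 'a.b.c.d-e.f.g.h' IP Range as written in the rules table."""
    lo, hi = (ipaddress.IPv4Address(part.strip()) for part in spec.split("-"))
    if lo > hi:
        raise ValueError(f"range start is after range end: {spec}")
    return lo, hi


class ConnectionLimiter:
    def __init__(self, source_range, limit, log_interval, log_enabled=True):
        self.lo, self.hi = parse_range(source_range)
        self.limit = limit                # maximum connections per source host
        self.log_interval = log_interval  # seconds between log records
        self.log_enabled = log_enabled    # the "L" checkbox of the rule
        self.active = defaultdict(int)    # source IP -> open connections
        self.last_logged = {}             # source IP -> time of last record
        self.log = []                     # (time, source IP, open connections)

    def matches(self, src):
        return self.lo <= ipaddress.IPv4Address(src) <= self.hi

    def on_connect(self, now, src):
        """Return True if the connection is accepted, False if rejected."""
        if not self.matches(src):
            return True                   # rule does not apply to this source
        if self.active[src] < self.limit:
            self.active[src] += 1
            return True
        # Over the limit: reject, and log at most once per log interval.
        last = self.last_logged.get(src)
        if self.log_enabled and (last is None or now - last >= self.log_interval):
            self.log.append((now, src, self.active[src]))
            self.last_logged[src] = now
        return False

    def on_close(self, src):
        if self.active.get(src, 0) > 0:
            self.active[src] -= 1


def run_demo():
    limiter = ConnectionLimiter("192.168.1.1-192.168.1.254", limit=500, log_interval=5)
    rejected = 0
    # Constructed traffic: one host opens 100 connections per second for
    # 12 seconds and never closes any of them.
    for second in range(12):
        for _ in range(100):
            if not limiter.on_connect(second, "192.168.1.77"):
                rejected += 1
    # A well-behaved host inside the range is unaffected.
    quiet_ok = limiter.on_connect(12, "192.168.1.20")
    # A host outside the range is not counted by this rule at all.
    outside_ok = all(limiter.on_connect(12, "10.0.0.9") for _ in range(600))
    return limiter, rejected, quiet_ok, outside_ok


if __name__ == "__main__":
    limiter, rejected, quiet_ok, outside_ok = run_demo()
    print("rejected connections:", rejected)
    for record in limiter.log:
        print("log record:", record)
```

The noisy host is capped at 500 open connections while the log receives one record per interval rather than one per rejected connection, which is why a short log interval produces many more records during a flood.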
Figure 3.28 Example of Connection Limit

3.9 Cache Redirect

AscenLink is capable of working seamlessly with external cache servers. When a user requests a page from a web server on the Internet, AscenLink redirects the request to the cache server. If the requested web page is already on the cache server, the cache server returns the page to the user, saving the time needed to retrieve the data from the Internet.

Note: The cache server can be located in the DMZ.
Figure 3.29 The Location of Service /Cache Redirect on the Menu Bar

On this page, users can set up their own cache servers. However, the cache servers have to support caching in transparent mode. The settings for cache redirect look like the screenshot below and are divided into two parts:

Figure 3.30 The Settings of Cache Redirect

1. Cache Group

Users can configure cache server groups in the first table. Multiple groups are allowed, so that different groups can have different sets of rules, which users then create in the second table. In addition, the number of cache servers is not limited to one. Users can have multiple cache servers with different weights in a cache server group.

| Field | Value | Description |
|---|---|---|
| Group Name | <Group Name> | A user-defined name for this cache server group. |
| IP | <IP address> | The IP address of the cache server. |
| Port | e.g.: 80 | The port number of the cache server. |
| Weight | e.g.: 1, 2 | The weight for redirecting requests to this cache server. A higher value means a greater chance. |
| Associated WAN | NO, 1, 2 | The WAN link this cache server uses. To let the Auto-routing service decide the WAN link used, choose NO. |

Table 3.42 The Description of the Fields in Cache Group

2. Redirect Rule

Users can set up redirect rules so that matched requests are redirected to a specific cache server group.

| Field | Value | Description |
|---|---|---|
| Source | IP Address, IP Range, Subnet, LAN, DMZ, Any Address, <IP Grouping Name> | The source where the request originates. Requests from this source are redirected to the cache server. Users need to specify the IP or IPs when choosing IP Address, IP Range or Subnet. |
| Destination | IP Address, IP Range, Subnet, WAN, <IP Grouping Name> | The destination the request is sent to. Requests to this destination are redirected to the cache server. Users need to specify the IP or IPs when choosing IP Address, IP Range or Subnet. |
| Port | e.g.: 80 | The service port number. Requests to this service port number are redirected to the cache server. |
| Group | NO REDIRECT or <Group Name> | Select NO REDIRECT if the requests should not be redirected. Otherwise, users can tell AscenLink to redirect the requests to a group of cache servers by its group name. |
| L | Enable, Disable | Enable logging or not. If the box is checked, logging is enabled: whenever the rule is matched, the system writes the event to the log file. |

Table 3.43 The Description of the Fields in Redirect Rules
Example 1: The Requested Web Page is NOT on the Cache Server

Figure 3.31 The Sequence of the Requests and Responses in Cache Miss Case

When AscenLink receives a request from a client, the request is redirected to the cache server. The cache server checks whether the requested data already exists. If not, the cache server requests the data on behalf of the client and returns the data from the web server to the client. Please refer to the figure shown above.

Example 2: The Requested Web Page is on the Cache Server

Figure 3.32 The Sequence of the Requests and Responses in Cache Hit Case

When AscenLink receives a request from a client, the request is redirected to the cache server. In this case, the requested data already exists on the cache server, which returns it to the client without passing the request to the web server on the Internet.
3.10 Tunnel Routing

Figure 3.33 The Location of Service /Tunnel Routing on the Menu Bar

The term Tunnel Routing (abbreviated as TR) refers to building a special connection between two AscenLink machines, which only designated groups are allowed to use. The advantage of TR is that when a WAN link fails on one of the AscenLink machines, the packets sent from the designated groups can still be routed to the other AscenLink machine so that the transfer can continue. Since release version 5.1, AscenLink supports tunnels with dynamic IPs, further benefiting customers with dynamic IP ADSL connections. In addition, TR supports the notion of central routing, which lets branch offices access the Internet via the headquarters' WAN links.

Another enhancement of TR is TR/AR backup. When TR fails (possibly because all of the WAN links in the TR have failed), the traffic can fall back to the remaining WAN links using the Auto Routing configuration. For a set of branch offices all connecting to the HQ, AscenLink's TR function can further support routing of traffic among branch offices via the HQ.

The page features two tabs: Setting and Benchmark.

1. Setting: This page allows administrators to configure tunnel routing policies.
2. Benchmark: After establishing tunnel routing, administrators can test packet loss and latency between the two ends.
3.10.1 Tunnel Routing---Setting

On the tunnel routing configuration page, the three main settings are Tunnel Route Log, Local Host ID, and Key. In these fields, users can select whether to enable or disable Tunnel Route logging. Users can also define a logical name as the Local Host ID, i.e., the name for this machine in the Tunnel Group definition. The Local Host ID is particularly important in the case of Dynamic IP, since there is no fixed IP for the other side of the tunnel to reference. A key is required to encrypt the established tunnel.

| Field | Value | Description |
|---|---|---|
| Tunnel Route Log | Enable / Disable | Enable: turn on Tunnel Route logging. Disable: turn off Tunnel Route logging. |
| Local Host ID | e.g.: 12xyz.b_d-xxx | Input the logical name for this unit. |
| Key | e.g.: 1234 | Enter the key. |
| Confirm | e.g.: 1234 | Confirm the key above. |

Table 3.44 Description of Tunnel Route Log and Local Host ID

Tunnel Group

In this table, the designated group allowed to use the tunnel can be set by entering source or destination IP addresses. A group may be assigned to multiple tunnels.

Group Name
Value: <group name>
Description: Enter the name of the group.

Remote Host ID
Value: e.g.: 11xyz.b_d-yyy
Description: Input the Host ID of the remote machine in the tunnel.

Algorithm
Value: Round-Robin, By Traffic
Description:
- Round-Robin: route the connections over every tunnel by weight.
- By Traffic: route the connection over the tunnel with the lightest traffic flow.
Note: Please specify the weight value in the Weight field of Group Tunnels if the Round-Robin algorithm is selected.

Group Tunnels: Local IP
Value: IP Address, (NAT) IP Address, Dynamic IP, (NAT) Dynamic IP
Description: Enter the local/source address if the WAN link has a fixed IP. (NAT) IP Address: static IP translated via NAT. Select <Dynamic IP> if the WAN link uses a dynamic IP. (NAT) Dynamic IP: dynamic IP translated via NAT.

Group Tunnels: Remote IP
Value: IP Address, Dynamic IP
Description: Enter the remote/destination IP address if the WAN link has a fixed IP. Select <Dynamic IP> if the WAN link uses a dynamic IP.

Group Tunnels: Weight
Value: e.g.: 1, 2
Description: The weight/priority of the tunnel. The higher the weight, the more likely the tunnel is to be used.

Group Tunnels: Encrypt
Value: Check the box to enable encryption.
Description: Check the box to enable encryption over this tunnel routing.

Default Rule
Description: When a new tunnel has not yet been established, it performs two default rules: one rule from the LAN, the other from the DMZ. Administrators configure both units to build up the tunnel. When a default rule is enabled, all the tunnels whose rules are not configured perform this default rule.

Default Rule: E
Value: Check the box to enable the Default Rule.
Description: Check to enable the rule.

Default Rule: Source
Value: IP Address, IP Range, Subnet, LAN, DMZ
Description: The source of the connection:
- IP Address: a single IP address on one server, in the format xxx.xxx.xxx.xxx
- IP Range: a range of IP addresses on several servers, in the format xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
- Subnet: a subnet address, in the format xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy
- LAN: the LAN address
- DMZ: the DMZ address
- Any address

Fail-over
Value: No Action, Auto Routing, Tunnel: New Group
Description: Select a policy from the drop-down list. When a WAN failure occurs, traffic is diverted to backup tunnels based on the fail-over policy.

Table 3.45 The Description of the Fields in Tunnel Group

Routing Rules

Source
Value: IP Address, IP Range, Subnet, LAN, DMZ, Any Address
Description: The source of the connection:
- IP Address: a single IP address on one server, e.g. 192.168.1.4
- IP Range: a range of IP addresses on several servers, e.g. 192.168.1.10-192.168.1.20
- Subnet: a subnet address, e.g. 192.168.1.0/255.255.255.0
- LAN: the LAN address
- DMZ: the DMZ address
- Any address

Destination
Value: IP Address, IP Range, Subnet, WAN
Description: The destination of the connection:
- IP Address: a single IP address on one server, e.g. 192.168.1.4
- IP Range: a range of IP addresses on several servers, e.g. 192.168.1.10-192.168.1.20
- Subnet: a subnet address, e.g. 192.168.1.0/255.255.255.0
- WAN: the WAN address

Service
Value: FTP, SSH, TELNET, SMTP, DNS, HTTP, POP3, H323, ICMP, ..., TCP@, UDP@, Protocol#, Any
Description: The TCP/UDP service type to be matched. The default is "Any". Users can select the matching criteria from the publicly known service types (e.g. FTP), or choose the port number in the TCP/UDP packet. To specify a range of port numbers, type the starting port number, a hyphen "-", and the ending port number. e.g. "TCP@123-234".

Group
Value: No action, Group
Description: The group permitted to use the tunnel.

Fail-Over
Value: No action, Auto Routing, Group..
Description: This field defines the fail-over policy when the WAN links in the Group for the Routing Rules fail. Possible options are:
- NO-ACTION: do nothing.
- Auto-Routing: packets fall back to the defined Auto Routing policies.
- Tunnel Group: packets fall back to the selected tunnel group. Note that selecting the original tunnel group is the same as NO-ACTION.

Table 3.46 The Description of the Fields in Routing Rules

Persistent Rules

Source
Value: IP Address, IP Range, Subnet, LAN, DMZ, Any Address
Description: The source of the connection:
- IP Address: a single IP address on one server, e.g. 192.168.1.4
- IP Range: a range of IP addresses on several servers, e.g. 192.168.1.10-192.168.1.20
- Subnet: a subnet address, e.g. 192.168.1.0/255.255.255.0
- LAN: the LAN address
- DMZ: the DMZ address
- Any address

Destination
Value: IP Address, IP Range, Subnet, WAN
Description: The destination of the connection:
- IP Address: a single IP address on one server, e.g. 192.168.1.4
- IP Range: a range of IP addresses on several servers, e.g. 192.168.1.10-192.168.1.20
- Subnet: a subnet address, e.g. 192.168.1.0/255.255.255.0
- WAN: the WAN address

Service
Value: FTP, SSH, TELNET, SMTP, DNS, HTTP, POP3, H323, ICMP, ..., TCP@, UDP@, Protocol#, Any
Description: The TCP/UDP service type to be matched. The default is "Any". Users can select the matching criteria from the publicly known service types (e.g. FTP), or choose the port number in the TCP/UDP packet. To specify a range of port numbers, type the starting port number, a hyphen "-", and the ending port number. e.g. "TCP@123-234".

Table 3.47 The Description of the Fields in Persistent Rules
3.10.2 Tunnel Routing---Benchmark

For testing, one AscenLink is set as the server end; the other units are client ends by default. Click Start Test Server on one device to set it as the server end. Testing over tunnel groups is conducted on the client end. Click the button to start or stop the test. Users can choose one or all tunnels to test. Click Stop to stop the test.

| Field | Value | Description |
|---|---|---|
| Test Port | e.g.: 65535 | Defines the test port number for the device. |
| Start Test Server | | Click it to set the device as the server end. |
| Test | | Click to start the test. |
| Show Test Result | | Click the button to view the test results. |

Table 3.48 The Description of the Fields in Benchmark

DO NOT SWITCH THE PAGE OR CLOSE THE WINDOW while AscenLink is running a test.

Refer to the testing page table below.

| Field | Description |
|---|---|
| Tunnel Group | Displays the name of the group being tested. |
| Tunnel | Displays all tunnels in this tunnel group. Administrators can test one or all tunnels in this group. |
| Status | Test is not started or test is complete. Waiting for test. Testing. Test is failed. |
| Without Traffic: RTT | Displays the RTT value between both ends of the tunnel. This value is tested with zero traffic load. |
| Without Traffic: Packet Loss | Displays the packet loss percentage. This percentage is tested with zero traffic load. |
| Bandwidth | Displays the bandwidth measured for this tunnel. |
| With Traffic: RTT | Displays the RTT value between both ends of the tunnel. This value is tested with full traffic load. |
| With Traffic: Packet Loss | Displays the packet loss percentage. This percentage is tested with full traffic load. |

Table 3.49 The Description of the Testing Page

Example 1:

A company's headquarters is located in Taichung, and it has branch offices in Taipei and Kaohsiung. Each office has a LAN, two WAN links and a DMZ with a VPN gateway. The details are as follows:

| | Taichung | Taipei | Kaohsiung |
|---|---|---|---|
| WAN 1 | 1.1.1.1 | 2.2.2.2 | 6.6.6.6 |
| WAN 2 | 3.3.3.3 | 4.4.4.4 | 8.8.8.8 |
| WAN 3 | Dynamic IP | N/A | 10.10.10.10 |
| VPN Gateway | 1.1.1.11 | 2.2.2.22 | 6.6.6.66 |
| LAN | 192.168.1.0/24 | 192.168.2.0/24 | 192.168.3.0/24 |

Table 3.50 Example of Tunnel Routing

The setting for the Taichung headquarters is as follows:

Set the Local Host ID as T1, and turn Tunnel Route Log on or off as preferred.

Tunnel Group

| Group Name | Remote Host ID | Algorithm | Tunnels: Local IP | Tunnels: Remote IP | Tunnels: Weight |
|---|---|---|---|---|---|
| Kaohsiung | K3 | Round-Robin | 1.1.1.1 | 6.6.6.6 | 1 |
| | | | 3.3.3.3 | 8.8.8.8 | 1 |
| | | | 5.5.5.5 | 10.10.10.10 | 1 |
| Kaohsiung Backup | K3 | Round-Robin | | | |

Table 3.51 The Settings for Tunnel Routing Example 1: Tunnel Groups
Routing Rules

| Source | Destination | Use Group | Fail-over |
|---|---|---|---|
| 1.1.1.11 | 2.2.2.22 | Taipei Backup | Taipei |
| 1.1.1.11 | 6.6.6.66 | Kaohsiung Backup | Kaohsiung |
| 192.168.1.1-192.168.1.10 | 192.168.2.1-192.168.2.10 | Taipei | AR |
| 192.168.1.1-192.168.1.10 | 192.168.2.1-192.168.2.10 | Kaohsiung | No-Action |

Table 3.52 The Settings for Tunnel Routing Example 1: Routing Rules

The setting for the Taipei branch office is as follows:

Set the Local Host ID as T2, and turn Tunnel Route Logging on or off as preferred.

Tunnel Group

| Group Name | Remote ID | Algorithm | Tunnels |
|---|---|---|---|

Table 3.53 The Settings for Tunnel Routing Example 2: Tunnel Group

Routing Rules

| Source | Destination | Use Group | Fail-over |
|---|---|---|---|
| 192.168.2.1-192.168.2.10 | 192.168.1.1-192.168.1.10 | Taichung | No-Action |
| 2.2.2.22 | 1.1.1.11 | Taichung | AR |

Table 3.54 The Settings for Tunnel Routing Example 2: Routing Rules

The setting for the Kaohsiung branch office is as follows:

Set the Local Host ID as K3, and turn Tunnel Route Logging on or off as preferred.

Tunnel Group

| Group Name | Remote ID | Algorithm | Tunnels |
|---|---|---|---|

Table 3.55 The Settings for Tunnel Routing Example 3: Tunnel Group

Routing Rules

| Source | Destination | Use Group | Fail-over |
|---|---|---|---|
| 192.168.3.1-192.168.3.10 | 192.168.1.1-192.168.1.10 | Taichung | No-Action |
| 6.6.6.66 | 1.1.1.11 | Taichung | AR |

Table 3.56 The Settings for Tunnel Routing Example 3: Routing Rules

According to the above description, any data sent from 1.1.1.11 (or 192.168.1.1-192.168.1.10) to 2.2.2.22 will be wrapped and sent as a GRE packet. If the WAN link at 1.1.1.1 fails, the packets will still be sent from 3.3.3.3 so that the transfer continues.
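Each unit in a tunnel is configured on its own, so a tunnel or routing rule present on one end and absent on the other is easy to miss. The following Python check is an added example, not AscenLink code: the dictionary layout, the function names and both sample unit configurations are assumptions constructed here (the Kaohsiung side is sample data, not the manual's Table 3.55), using the host IDs and addresses of Example 1.

```python
"""Audit that two tunnel-routing units mirror each other (illustrative model)."""


def norm(addr):
    """Treat every 'Dynamic IP ...' entry as one wildcard value."""
    addr = addr.strip()
    return "Dynamic IP" if addr.lower().startswith("dynamic ip") else addr


def groups_toward(unit, peer_id):
    """Tunnel groups on `unit` whose Remote Host ID names the peer."""
    return [g for g in unit["groups"] if g["remote_host_id"] == peer_id]


def one_way_findings(a, b):
    """List what unit `a` configures toward `b` that `b` does not mirror."""
    findings = []
    a_groups = groups_toward(a, b["host_id"])
    b_groups = groups_toward(b, a["host_id"])
    if a_groups and not b_groups:
        findings.append(
            f'{b["host_id"]}: no tunnel group with Remote Host ID {a["host_id"]}')
    # A tunnel (local, remote) on one end must appear as (remote, local) on the other.
    b_tunnels = {(norm(l), norm(r)) for g in b_groups for l, r in g["tunnels"]}
    for g in a_groups:
        for local, remote in g["tunnels"]:
            if (norm(remote), norm(local)) not in b_tunnels:
                findings.append(
                    f'{b["host_id"]}: missing tunnel {remote} -> {local} '
                    f'(mirror of {a["host_id"]} group "{g["name"]}")')
    # A routing rule src -> dst on one end needs dst -> src on the other.
    a_names = {g["name"] for g in a_groups}
    b_names = {g["name"] for g in b_groups}
    b_rules = {(s, d) for s, d, grp in b["rules"] if grp in b_names}
    for src, dst, grp in a["rules"]:
        if grp in a_names and (dst, src) not in b_rules:
            findings.append(
                f'{b["host_id"]}: missing routing rule {dst} -> {src} '
                f'(mirror of {a["host_id"]} rule using "{grp}")')
    return findings


def audit(a, b):
    """Check both directions and return every mismatch found."""
    return one_way_findings(a, b) + one_way_findings(b, a)


# Constructed sample configurations (hypothetical; rules are (source, destination, group)).
TAICHUNG = {
    "host_id": "T1",
    "groups": [{"name": "Kaohsiung", "remote_host_id": "K3",
                "tunnels": [("1.1.1.1", "6.6.6.6"), ("3.3.3.3", "8.8.8.8")]}],
    "rules": [("1.1.1.11", "6.6.6.66", "Kaohsiung"),
              ("192.168.1.1-192.168.1.10", "192.168.3.1-192.168.3.10", "Kaohsiung")],
}
KAOHSIUNG = {
    "host_id": "K3",
    "groups": [{"name": "Taichung", "remote_host_id": "T1",
                "tunnels": [("6.6.6.6", "1.1.1.1"), ("8.8.8.8", "3.3.3.3")]}],
    # The LAN-to-LAN rule has been removed on this end only.
    "rules": [("6.6.6.66", "1.1.1.11", "Taichung")],
}

if __name__ == "__main__":
    for finding in audit(TAICHUNG, KAOHSIUNG):
        print(finding)
```

Run against exported or transcribed settings from both units before a change window; an empty result means every tunnel and rule on one side has its counterpart on the other.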
NOTE: When using tunnel routing in AscenLink, the settings on both ends must correspond to each other, or else tunnel routing will not function properly. For example, if the AscenLink in Taipei has removed the values 2.2.2.2 to 3.3.3.3 from its routing rule settings, then the AscenLink in Taichung cannot use this rule even if it has included it in its own settings.

To assign the bandwidth for each tunnel, select [Service]->[Inbound BM] and [Outbound BM], and assign the maximum and minimum bandwidth for GRE packets. The following is an example using the AscenLink in Taipei:

Filter (For Inbound BM)

| Source | Destination | Service | Service Location | Service Type |
|---|---|---|---|---|
| 1.1.1.1 | 2.2.2.2 | GRE | WAN | Taichung-VPN |
| 1.1.1.1 | 4.4.4.4 | GRE | WAN | Taichung-VPN |
| 3.3.3.3 | 2.2.2.2 | GRE | WAN | Taichung-VPN |
| 3.3.3.3 | 4.4.4.4 | GRE | WAN | Taichung-VPN |

Table 3.57 The Settings for Tunnel Routing Example: Inbound BM Filter

Filter (Outbound BM)

| Source | Destination | Service | Service Location | Service Type |
|---|---|---|---|---|
| 2.2.2.2 | 1.1.1.1 | GRE | WAN | Taichung-VPN |
| 2.2.2.2 | 3.3.3.3 | GRE | WAN | Taichung-VPN |
| 4.4.4.4 | 1.1.1.1 | GRE | WAN | Taichung-VPN |
| 4.4.4.4 | 3.3.3.3 | GRE | WAN | Taichung-VPN |

Table 3.58 The Settings for Tunnel Routing Example: Outbound BM Filter

Example 2: Tunnel Routing with Dynamic IP

A firm headquartered in Beijing has a branch office in Shanghai. In the headquarters, two WAN links are deployed: one fixed IP WAN link and one dynamic IP WAN link. In the Shanghai office, two dynamic IP WAN links are deployed.

Requirements

As illustrated in the diagram below, a tunnel is established through AscenLink between LAN1 and LAN2. Packets are distributed evenly over the two WAN links.
Figure 3.34 Example 2 of Tunnel Routing

The detailed information is as follows:

| | Beijing | Shanghai |
|---|---|---|
| WAN 1 | 211.21.33.186 | Dynamic IP |
| WAN 2 | Dynamic IP | Dynamic IP |
| LAN | 192.168.1.0/24 | 192.168.2.0/24 |

Table 3.59 TR Example 2: WAN Link Information

Settings for Beijing Headquarters

Log and Local Host ID:

| Tunnel Route Log | Local Host ID |
|---|---|
| Enabled | Beijing |

Table 3.60 TR Example 2: Settings of Log and Local Host ID (Beijing)

Tunnel Group

| Group Name | Remote Host ID | Algorithm | Tunnels: Local IP | Tunnels: Remote IP | Tunnels: Weight |
|---|---|---|---|---|---|
| Beijing to Shanghai | Shanghai | Round-Robin | 211.21.33.186 | Dynamic IP at WAN1 | 1 |
| | | | Dynamic IP at WAN2 | Dynamic IP at WAN2 | 1 |

Table 3.61 TR Example 2: Tunnel Group Settings in Beijing Headquarters

Routing Rules

| Source | Destination | Use Group | Fail-Over |
|---|---|---|---|
| 192.168.1.0/255.255.255.0 | 192.168.2.0/255.255.255.0 | Beijing to Shanghai | No-ACTION |

Table 3.62 TR Example 2: Routing Rules in Beijing Headquarters

Settings for Shanghai Office

Log and Local Host ID:

| Tunnel Route Log | Local Host ID |
|---|---|
| Enabled | Shanghai |

Table 3.63 TR Example 2: Settings of Log and Local Host ID (Shanghai)

Tunnel Group

| Group Name | Remote Host ID | Algorithm | Tunnels: Local IP | Tunnels: Remote IP | Tunnels: Weight |
|---|---|---|---|---|---|
| Shanghai to Beijing | Beijing | Round-Robin | Dynamic IP at WAN1 | 211.21.33.186 | 1 |
| | | | Dynamic IP at WAN2 | Dynamic IP at WAN2 | 1 |

Table 3.64 TR Example 2: Tunnel Group Settings in Shanghai Office

Routing Rules

| Source | Destination | Use Group | Fail-Over |
|---|---|---|---|
| 192.168.2.0/255.255.255.0 | 192.168.1.0/255.255.255.0 | Shanghai to Beijing | No-ACTION |

Table 3.65 TR Example 2: Routing Rules in Shanghai Office

Example 3: Forwarding of Tunnel Routing

A firm is headquartered in San Jose and has two branch offices, in Beijing and Hong Kong. Each office deploys a public line to access the Internet. Each branch office sets up an individual tunnel with the headquarters to access the corporate network.

Requirement

The LANs in the Beijing and Hong Kong offices can communicate with each other via the tunnels established with San Jose.
User Manual 3-85
Figure 3.35 Example 3 of Tunnel Routing

The detailed WAN link information is as follows:

      | San Jose | Beijing        | Hong Kong
WAN 1 | -        | 1.1.1.1        | -
WAN 2 | -        | -              | 2.2.2.2
WAN 3 | 3.3.3.3  | -              | -
LAN   | -        | 192.168.1.0/24 | 192.168.2.0/24
Table 3.66 TR Example 3: WAN Link Information

Settings for the headquarters in San Jose:

Log and Local Host ID:
Tunnel Route Log | Enabled
Local Host ID | SanJose
Table 3.67 TR Example 3: Settings of Log and Local Host ID (San Jose)

Tunnel Group
Group Name | Remote Host ID | Algorithm
San Jose to Beijing | Beijing | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
3.3.3.3 | 1.1.1.1 | 1
Group Name | Remote Host ID | Algorithm
San Jose to Hong Kong | Hong Kong | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
3.3.3.3 | 2.2.2.2 | 1
Table 3.68 TR Example 3: Tunnel Group Settings in San Jose Headquarters

Routing Rules
Source | Destination | Group | Fail-Over
192.168.1.0/255.255.255.0 | 192.168.2.0/255.255.255.0 | San Jose to Beijing | No-ACTION
192.168.2.0/255.255.255.0 | 192.168.1.0/255.255.255.0 | San Jose to Hong Kong | No-ACTION
Table 3.69 TR Example 3: Routing Rules in San Jose Headquarters

Settings for the branch office in Beijing:

Log and Local Host ID:
Tunnel Route Log | Enabled
Local Host ID | Beijing
Table 3.70 TR Example 3: Settings of Log and Local Host ID (Beijing)

Tunnel Group
Group Name | Remote Host ID | Algorithm
Beijing to San Jose | San Jose | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
1.1.1.1 | 3.3.3.3 | 1
Table 3.71 TR Example 3: Tunnel Group Settings in Beijing Branch Office

Routing Rules
Source | Destination | Group | Fail-Over
192.168.1.0/255.255.255.0 | 192.168.2.0/255.255.255.0 | Beijing to San Jose | No-ACTION
Table 3.72 TR Example 3: Routing Rules in Beijing Branch Office

Settings for the branch office in Hong Kong:

Log and Local Host ID:
Tunnel Route Log | Enabled
Local Host ID | Hong Kong
Table 3.73 TR Example 3: Settings of Log and Local Host ID (Hong Kong)

Tunnel Group
Group Name | Remote Host ID | Algorithm
Hong Kong to San Jose | Hong Kong | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
2.2.2.2 | 3.3.3.3 | 1
Table 3.74 TR Example 3: Tunnel Group Settings in Hong Kong Branch Office

Routing Rules
Source | Destination | Group | Fail-Over
192.168.2.0/255.255.255.0 | 192.168.1.0/255.255.255.0 | Hong Kong to San Jose | No-ACTION
Table 3.75 TR Example 3: Routing Rules in Hong Kong Branch Office

Example 4: Central Routing of Tunnel Routing

A firm is headquartered in San Jose and has two branch offices, in Beijing and Hong Kong. An Intranet is established throughout the three locations. The branch office in Hong Kong does not deploy any public link to the Internet but uses the tunnel established with the headquarters to access the Internet via the WAN link in San Jose. The Beijing branch office deploys a public WAN link to access the Internet. In the event of failure on this WAN link, the tunnel between the Beijing office and the San Jose office will be the backup line for Internet service.
Figure 3.36 Example 4 of Tunnel Routing

The detailed WAN link information is as follows:

      | San Jose (AscenLink 3) | Beijing (AscenLink 1) | Hong Kong (AscenLink 2)
WAN 1 | -                      | 1.1.1.1               | -
WAN 2 | -                      | -                     | 2.2.2.2
WAN 3 | 3.3.3.3                | -                     | -
WAN 4 | 4.4.4.4                | -                     | -
WAN 5 | -                      | -                     | 5.5.5.5
LAN   | -                      | 192.168.1.0/24        | 192.168.2.0/24
Table 3.76 TR Example 4: WAN Link Information

Settings for the headquarters in San Jose:

Tunnel Routing Setting:

Log and Local Host ID:
Tunnel Route Log | Enabled
Local Host ID | SanJose
Table 3.77 TR Example 4: Settings of Log and Local Host ID (San Jose)

Tunnel Group
Group Name | Remote Host ID | Algorithm
San Jose to Beijing | Beijing | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
3.3.3.3 | 1.1.1.1 | 1
Group Name | Remote Host ID | Algorithm
San Jose to Hong Kong | Hong Kong | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
3.3.3.3 | 2.2.2.2 | 1
Table 3.78 TR Example 4: Tunnel Group Settings in San Jose Headquarters

Routing Rules
Source | Destination | Group | Fail-Over
Any Address | 192.168.2.0/255.255.255.0 | San Jose to Hong Kong | No-ACTION
Any Address | 192.168.1.0/255.255.255.0 | San Jose to Beijing | No-ACTION
Table 3.79 TR Example 4: Routing Rules in San Jose Headquarters

Auto Routing Setting:

Policies
Label | Algorithm | Parameter
WAN4 | Fixed | Tick the box 4
Default Policy | By Downstream Traffic | Tick all boxes 1, 2, 3, 4...
Table 3.80 TR Example 4: Auto Routing Policies in San Jose Headquarters

Filters
Source | Destination | Service | Routing Policy | Fail-Over Policy
Tunnel | WAN | Any | WAN4 | Default Policy
Any Address | WAN | Any | Default Policy | No-ACTION
Table 3.81 TR Example 4: Auto Routing Filters in San Jose Headquarters

Settings for the branch office in Beijing:

Log and Local Host ID:
Tunnel Route Log | Enabled
Local Host ID | Beijing
Table 3.82 TR Example 4: Settings of Log and Local Host ID (Beijing)

Tunnel Group
Group Name | Remote Host ID | Algorithm
Beijing to San Jose | San Jose | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
1.1.1.1 | 3.3.3.3 | 1
Table 3.83 TR Example 4: Tunnel Group Settings in Beijing Branch Office

Routing Rules
Source | Destination | Group | Fail-Over
Any Address | WAN | Beijing to San Jose | No-ACTION
Table 3.84 TR Example 4: Routing Rules in Beijing Branch Office

Settings for the branch office in Hong Kong:

Tunnel Routing Setting:

Log and Local Host ID:
Tunnel Route Log | Enabled
Local Host ID | Hong Kong
Table 3.85 TR Example 4: Settings of Log and Local Host ID (Hong Kong)

Tunnel Group
Group Name | Remote Host ID | Algorithm
Hong Kong to San Jose | Hong Kong | Round-Robin
Group Tunnels (Local IP | Remote IP | Weight):
2.2.2.2 | 3.3.3.3 | 1
Table 3.86 TR Example 4: Tunnel Group Settings in Hong Kong Branch Office

Routing Rules
Source | Destination | Group | Fail-Over
192.168.2.0/255.255.255.0 | 192.168.1.0/255.255.255.0 | Hong Kong to San Jose | No-ACTION
Table 3.87 TR Example 4: Routing Rules in Hong Kong Branch Office

Auto Routing Setting:

Policies
Label | Algorithm | Parameter
WAN5 | Fixed | Tick the box 5
Default Policy | By Downstream Traffic | Tick all boxes 1, 2, 3, 4...
Table 3.88 TR Example 4: Auto Routing Policies in Hong Kong Branch Office

Filters
Source | Destination | Service | Routing Policy | Fail-Over Policy
Any Address | WAN | Any | WAN5 | Tunnel: Hong Kong to San Jose
Any Address | WAN | Any | Default Policy | No-ACTION
Table 3.89 TR Example 4: Auto Routing Filters in Hong Kong Branch Office

3.11 Multihoming

AscenLink's auto-routing service is a trunking technology that provides load balancing and fault tolerance for all outbound requests, but it does not apply to inbound requests. Based on a unique technology called SwiftDNS, AscenLink offers a multihoming service of load balancing and fault tolerance for inbound requests. The minimum requirements for multihoming are that users must have multiple WAN links and registered domain names for publicly accessible servers.

Whenever AscenLink receives a DNS query, it answers with a public IP address assigned to one of the WAN links, according to the settings of the answering policies. Subsequent requests to the server are therefore sent to a public IP of the WAN link that AscenLink returned in its previous response. Users can configure the answering policies with a weight for each WAN link so that the returned public IPs are distributed evenly by weight. The device can also automatically detect the links by Optimum Route Algorithm to return a better link to WAN visitors. If one of the WAN links fails, AscenLink will not return the public IP assigned to that failed link; nevertheless, publicly accessible servers are still reachable via the other live WAN links.
Figure 3.37 The Location of Service / Multihoming on the Menu Bar

AscenLink offers two mechanisms for Multihoming: Internal DNS and DNS Relay. The details of these mechanisms are explained in this section.

3.11.1 Prerequisites for Multihoming

For multihoming to function properly, make sure that the requirements listed below are met.

Prerequisites for Multihoming:
- Multiple WAN links (at least two).
- Registered domain names for publicly accessible servers.
- Publicly accessible servers must be configured as virtual servers, or have public IP addresses.

3.11.2 Multihoming Setting

Check the box to enable Multihoming. AscenLink's multihoming supports backup: administrators can check Enable Backup and specify the backup device IP to enable the function. Unlike Enable Relay, Enable Multihoming will conduct DNS analysis on the local host.

There are three tables for configuring multihoming settings. The first table defines global settings. The second is for policy settings, telling AscenLink which WAN link's IP address to return for DNS queries. The third is used to configure domain name settings.

Global Settings

Figure 3.38 Global Setting in Multihoming Policy

Field | Value | Description
TTL | <TTL> | Set DNS query response time. TTL (Time To Live) specifies the amount of time other DNS servers and applications are allowed to cache the record.
IP Address | <IP Address> | Enter the reverse lookup IP address.
Host Name | <Link Number> | Enter the corresponding FQDN to the reverse IP.
Table 3.90 The Description of the Fields in Multihoming Global Setting

Policy Setting

Figure 3.39 The Settings of Multihoming Policy

Field | Value | Description
Enable Multihoming | Enable / Disable | Enable or disable multihoming service.
Policy Name | <Policy Name> | The name of the policy. It is recommended that users name each policy with a descriptive name. It will be displayed in the domain setting later on.
Algorithm | By Weight / By Downstream / By Upstream / By Total Traffic / By Optimum Route | The algorithm for selecting WAN links. This is done by answering DNS queries.
  - By Weight: answer DNS queries by the weight given to each link.
  - By Downstream: answer DNS queries by selecting the WAN link with the lightest downstream traffic.
  - By Upstream: answer DNS queries by selecting the WAN link with the lightest upstream traffic.
  - By Total Traffic: answer DNS queries by selecting the WAN link with the lightest total traffic.
  - By Optimum Route: answer DNS queries by selecting the best WAN link according to the configuration in Optimum Route Detection.
WAN Link | <Link Number> | The WAN link to be answered by DNS resolver.
IP Address | <IP Address> | The public IP addresses on this WAN link.
Weight | Weight | The weight of each WAN link.
Table 3.91 The Description of the Fields in Multihoming Policy

Domain Setting

In this table, users should configure domain settings, including multihoming domain names (can be more than one), the DNS servers for querying domain names, and the answering policy to apply to a given prefix of the domain name.
Figure 3.40 Domain Setting

Field | Description
Domain Name | Enter the domain names for multihoming. To enter additional domain names, press +.
TTL | Assign DNS query response time.
Responsible Mail | Enter the domain administrator's email.
Primary Name Server | Enter the primary server name.
Source IP | The query IP address; can be Any IP, IP, IP range, subnet, or predefined IP groups.
NS Record: Name Server | Enter the prefix of the server name. For example, if a server's FQDN is nsl.abc.com, please enter nsl.
NS Record: IP Address | Enter the IP address corresponding to the name server.
A Record: Host Name | Enter the prefix of the primary workstation's name. For example, if the name is www.abc.com, enter www.
A Record: When | Available options are: All-Time/Busy/Idle.
A Record: IP Address | Enter the IP address of the primary workstation.
A Record: To Policy | Select the domain setting policy to be used.
A Record: TTL | TTL (Time To Live) specifies the amount of time A Record is allowed to cache the record.
CName Record: Alias | Enter the alias of the domain name. For example, if users wish to use www1.abc.com as the alias of www.abc.com (domain name), enter www1 in this field.
CName Record: Target | Enter the real domain name. For example, if users wish to use www1.abc.com as the alias for www.abc.com, enter www.
CName Record: TTL | TTL (Time To Live) specifies the amount of time CName Record is allowed to cache the record.
DName Record: Alias | Enter the alias of the domain name. For example, if users wish to use www.a.abc.com as the alias of www.abc.com (domain name), enter a in this field.
DName Record: Target | Enter the prefix of the domain name. For example, if users wish to use www.a.abc.com as the alias of www.abc.com, enter abc.com as the prefix.
DName Record: TTL | TTL (Time To Live) specifies the amount of time DName Record is allowed to cache the record.
MX Record: TTL | TTL (Time To Live) specifies the amount of time MX Record is allowed to cache the record.
MX Record: Host Name | Enter the prefix of the mail server's domain name. For example, if the domain name is mail.abc.com, enter mail.
MX Record: Priority | Enter the priority of the mail servers. The higher the priority, the lower the number.
MX Record: Mail Server | Enter the IP address of the mail server.
Table 3.92 The Description of the Fields in Domain Setting

Enable Relay

Relay means AscenLink will not perform DNS analysis on inbound requests itself, but will relay the requests to other hosts for DNS analysis and transmit the analysis results to the client end. Global Setting is hidden after Relay is enabled. Domain settings change as shown below.
Figure 3.41 Enable Relay in Multihoming Policy

Field | Description
Domain Name | Enter the domain names for multihoming. To enter additional domain names, press +.
TTL | TTL (Time To Live) specifies the amount of time other DNS servers and applications are allowed to cache the record.
Name Servers | Enter the domain administrator's email.
A Record: Host Name | Enter the prefix of the primary workstation's name. For example, if the name is www.abc.com, enter www.
A Record: When | Options available are "Busy", "Idle", and "All-Time". Please refer to [System]->[Date/Time] to do the time setting.
A Record: Source IP | The source of the DNS queries. All DNS queries with this source IP will be answered.
A Record: To Policy | Select the domain setting policy to be used.
A Record: TTL | TTL (Time To Live) specifies the amount of time A Record is allowed to cache the record.
Table 3.93 The Description of the Fields in Enable Relay

Configuration File

This function allows users to Import or Export the configuration files. The files will be stored as .ini files.

Note: Only Administrator is authorized to perform this function.

Example 1: Network Architecture:

Figure 3.42 Multihoming Example 1: Network Architecture

In the Intranet, we want to install a web server that is open to the Internet. To do so, we have to configure this web server as a virtual server. The settings in the virtual server table look like this (please refer to Section 3.5):

WAN IP | Server IP | Service
211.21.33.186 | 192.168.0.100 | HTTP (80)
61.64.195.150 | 192.168.0.100 | HTTP (80)
Table 3.94 Multihoming Example 1: Virtual Server Settings

This web server is bound to two WAN ports. Please refer to Chapter 2 [System]->[Networking setting]->[WAN Setting]. The settings for multihoming in this case are illustrated below:

Policy Setting
Field | Value
Enable Multihoming | Enable (Ticked)
Policy Name | web
Algorithm | By Upstream
Policy Advance Setting: WAN Link | 1
Policy Advance Setting: IP Address | 211.21.33.186
Policy Advance Setting: WAN Link | 2
Policy Advance Setting: IP Address | 61.64.195.150
Table 3.95 Multihoming Example 1: Policy Settings

Domain Setting
Field | Value
Domain Name | xtera-ip.com
TTL | 30
Responsible Mail | Abc.xtera-ip.com
Primary Name Server | ns1
IP Address | 192.168.0.10
NS Record: Name Server | ns1
NS Record: IP Address | 192.168.0.10
A Record: Host Name | www
A Record: When | All-Time
A Record: IP Address | 192.168.0.100
A Record: To Policy | web
A Record: TTL | 30
Table 3.96 Multihoming Example 1: Domain Settings

Note:
1. The IPs for the DNS servers are not necessarily public IPs. They can be private IPs as well, as long as AscenLink knows where to send DNS queries. In this example, both DNS servers are placed in the DMZ.
2. In this example, we set up multihoming for our virtual server www.xtera-ip.com.

Example 2: Network Architecture:
Figure 3.43 Multihoming Example 2: Network Architecture

Before setting up multihoming, users should first configure the virtual server. The configuration for the virtual server in this example is illustrated below:

WAN IP | Server IP | Service
211.21.33.186 | 192.168.0.200 | SMTP (25)
61.64.195.150 | 192.168.0.200 | SMTP (25)
Table 3.97 Multihoming Example 2: Virtual Server Settings

Policy Setting
Field | Value
Enable Multihoming | Enable
Policy Name | mail
Algorithm | By Weight
Policy Advance Setting: WAN Link | 1
Policy Advance Setting: IP Address | 211.21.33.186
Policy Advance Setting: WAN Link | 2
Policy Advance Setting: IP Address | 61.64.195.150
Table 3.98 Multihoming Example 2: Policy Settings

Domain Setting
Field | Value
Domain Name | xtera-ip.com
TTL | 30
Responsible Mail | abc.xtera-ip.com
Primary Name Server | ns1
Source IP | 192.168.0.10
NS Record: Name Server | ns1
NS Record: IP Address | 192.168.0.10
A Record: Host Name | mail
A Record: When | All-Time
A Record: Source IP | 192.168.0.200
A Record: TTL | 30
MX Record: TTL | 30
MX Record: Host Name |
MX Record: Priority | 1
MX Record: Mail Server | mail
MX Record: TTL | 30
Table 3.99 Multihoming Example 2: Domain Settings

Note:
1. Please refer to Chapter 2 [System]->[Networking setting]->[WAN Setting] for how to assign public IPs to WAN ports.
2. In this example, we have completed the multihoming setup for our virtual server mail.xtera-ip.com.
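The By Weight answering policy and the link fail-over behaviour described in this section can be modelled as follows. This is an added example, not AscenLink code: the selection method (smooth weighted round-robin), the weights 2 and 1, and all class and function names are assumptions, while the two WAN IPs and the TTL of 30 are the values used in the multihoming examples above.

```python
"""Model of a multihoming "By Weight" answering policy with link fail-over.

Added illustration, not AscenLink code. The selection method (smooth weighted
round-robin) and the weights 2 and 1 are assumptions; the two WAN IPs and the
TTL of 30 are the values used in the multihoming examples on this page.
"""
from dataclasses import dataclass

WAN1_IP = "211.21.33.186"
WAN2_IP = "61.64.195.150"


@dataclass
class WanLink:
    number: int
    ip: str
    weight: int
    up: bool = True
    credit: int = 0  # running balance used by the weighted rotation


class ByWeightPolicy:
    """Answers each DNS query with the public IP of one live WAN link."""

    def __init__(self, links, ttl):
        self.links = list(links)
        self.ttl = ttl

    def set_link_state(self, number, up):
        """Record a health-detection result and restart the rotation."""
        for link in self.links:
            if link.number == number:
                link.up = up
            link.credit = 0

    def answer(self):
        """Return (ip, ttl) for one query, or None when every link is down."""
        live = [link for link in self.links if link.up]
        if not live:
            return None
        for link in live:
            link.credit += link.weight
        chosen = max(live, key=lambda link: link.credit)
        chosen.credit -= sum(link.weight for link in live)
        return chosen.ip, self.ttl


class CachingResolver:
    """A remote resolver that reuses an answer until its TTL runs out."""

    def __init__(self, policy):
        self.policy = policy
        self.cached_ip = None
        self.expires_at = 0

    def resolve(self, now):
        if self.cached_ip is not None and now < self.expires_at:
            return self.cached_ip
        reply = self.policy.answer()
        if reply is None:
            self.cached_ip = None
            return None
        self.cached_ip, ttl = reply
        self.expires_at = now + ttl
        return self.cached_ip


def make_policy(ttl=30):
    """Two-link policy with constructed weights 2 (WAN link 1) and 1 (WAN link 2)."""
    return ByWeightPolicy([WanLink(1, WAN1_IP, 2), WanLink(2, WAN2_IP, 1)], ttl)


def distribution(policy, queries):
    """Count how often each IP (or None) is returned over a run of queries."""
    counts = {}
    for _ in range(queries):
        reply = policy.answer()
        ip = reply[0] if reply else None
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def stale_seconds(ttl, fail_at, horizon):
    """Seconds after WAN link 1 fails in which a caching client still gets its IP."""
    policy = make_policy(ttl)
    resolver = CachingResolver(policy)
    stale = 0
    for now in range(horizon):
        if now == fail_at:
            policy.set_link_state(1, up=False)
        if resolver.resolve(now) == WAN1_IP and now >= fail_at:
            stale += 1
    return stale


if __name__ == "__main__":
    policy = make_policy()
    print("both links up:  ", distribution(policy, 300))
    policy.set_link_state(2, up=False)
    print("WAN link 2 down:", distribution(policy, 50))
    print("stale seconds, TTL 30: ", stale_seconds(30, fail_at=10, horizon=120))
    print("stale seconds, TTL 300:", stale_seconds(300, fail_at=10, horizon=120))
```

A client that cached the failed link's IP keeps using it until the TTL expires: 20 seconds in this run with a TTL of 30, and the whole remaining 110 seconds with a TTL of 300.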
3.12 Internal DNS

Figure 3.44 The Location of Service / Internal DNS on the Menu Bar

To eliminate the cost and effort of setting up DNS servers, AscenLink has a built-in DNS server function which can be activated by completing the fields on this page.

Global Setting
Field | Value
Enable InternalDNS | Turn on/off internal DNS server.
PTR Record: TTL | Set DNS query response time.
PTR Record: IP Address | Enter the reverse lookup IP address.
PTR Record: Host Name | Enter the corresponding FQDN to the reverse IP.
Table 3.100 The Description of the Fields in Global Setting

Domain Settings
Field | Description
Domain Name | Enter the domain names for multihoming. To enter additional domain names, press +.
TTL | Assign DNS query response time.
Responsible Mail | Enter the domain administrator's email.
Primary NameServer | Enter the primary server name.
IP Address | Enter the IP address of the primary server.
NS Record: Name Server | Enter the prefix of the server name. For example, if a server's FQDN is nsl.abc.com, please enter nsl.
NS Record: IP Address | Enter the IP address corresponding to the name server.
A Record: Host Name | Enter the prefix of the primary workstation's name. For example, if the name is www.abc.com, enter www.
A Record: IP Address | Enter the IP address of the primary workstation.
A Record: To Policy | Select the policy to be used.
CName Record: Alias | Enter the alias of the domain name. For example, if users wish to use www1.abc.com as the alias of www.abc.com (domain name), enter www1 in this field.
CName Record: Target | Enter the real domain name. For example, if users wish to use www1.abc.com as the alias for www.abc.com, enter www.
MX Record: Host Name | Enter the prefix of the mail server's domain name. For example, if the domain name is mail.abc.com, enter mail.
MX Record: Priority | Enter the priority of the mail servers. The lower the number, the higher the priority.
MX Record: Mail Server | Enter the IP address of the mail server.
Table 3.101 The Description of the Fields in Domain Setting
3.13 SNMP

Figure 3.45 The Location of Service / SNMP on the Menu Bar

SNMP (Simple Network Management Protocol) can be used to manage networks by providing statistical data regarding network performance and security. It is often used in the management of TCP/IP networks. AscenLink supports SNMP v1 to v3 protocols.

SNMP v1/2
Field | Value | Description
Community | - | Enter the community which the SNMP belongs to.
System Name | - | Fill in a string to represent this system.
System Contact | - | Fill in a string to represent a person in charge of this system.
System Location | - | Fill in a string to represent the location of this system.
Table 3.102 The Description of the Fields in SNMP V1/2

SNMP v3
Field | Value | Description
Community | - | Enter the community which the SNMP belongs to.
System Name | - | Fill in a string to represent this system.
System Contact | - | Fill in a string to represent a person in charge of this system.
System Location | - | Fill in a string to represent the location of this system.
Username | - | Enter the user name used for authentication.
Password | - | Enter the password used for authentication.
Privacy Key | - | Enter the privacy key code, e.g. 12345678, ABCDEFGHUI, etc.
AuthProtocol | MD5 / SHA | Select the authentication protocol used when transferring the authenticated password, either MD5 or SHA.
PrivProtocol | DES | Select the authentication protocol used when transferring the authenticated privacy key.
Authentication | Auth No Priv / Auth with Priv | Select the authentication method for user and privacy key, either authentication with privacy or authentication with no privacy.
Table 3.103 The Description of the Fields in SNMP V3

3.14 IP-MAC Mapping
Figure 3.46 The Location of Service / IP-MAC MAPPING on the Menu Bar

Users can specify the IP-MAC table based on different time periods such as Busy-hour and Idle-hour. When the IP-MAC table is set, a packet sent from an IP address will only pass through AscenLink if its MAC address also matches the one listed in the table.

Field | Value | Description
E | - | Enable/Disable
When | Busy / Idle / All-Time | Select the time period: busy hour, idle hour and all times. All time periods are specified using a 24-hour system. For details regarding busy and idle hours, refer to Chapter 2, [System]->[Busyhour Setting] configurations.
IP Address | - | Enter the IP address of the network interface card.
MAC Address | - | Enter the MAC address of the network interface card.
L | Enable / Disable | When this box is checked, it means the rule is activated and the result will be recorded in a log file. If the box is not checked, the rule is not activated and data will not be stored in a log file.
Table 3.104 The Description of the Fields in IP-MAC MAPPING

Chapter 4 Statistics

Table of Contents
4.1 Traffic
4.2 BM
4.3 Persistent Routing
4.4 WAN Link Health Detection
4.5 Dynamic IP WAN Link
4.6 DHCP Lease Info
4.7 RIP & OSPF Status
4.8 Tunnel Status
4.9 Tunnel Traffic
4.10 Connection Limit
4.11 Port Information
4.12 Virtual Server Status

In this chapter, users will learn how to monitor network status by traffic class, bandwidth, and dynamic IP WAN link in real time through the statistics provided by AscenLink. The information shown on the statistics pages enables the administrator to get a full understanding of the network status. It also becomes useful when users want to find out the cause of a failed link or an unexpected situation. These statistics will save the user a lot of time and effort in problem solving.
Figure 4.1 Statistics

4.1 Traffic

The traffic statistics page helps the user inspect real-time traffic information sorted by traffic class over each WAN link. The traffic class statistics in the table are adjusted according to the selected traffic type, either inbound or outbound.

Figure 4.2 Statistics/Traffic

In the table, users can see three kinds of statistics regarding each traffic class:
1. Maximum/Minimum bandwidth allocation and priority
2. Traffic statistics for the last 3 seconds
3. Traffic statistics for the last 1 minute

The statistics are analyzed per WAN connection and per direction of traffic flow. To change the statistics shown, select the direction of traffic flow (Inbound or Outbound) from Traffic Type, and the index number of the WAN Link to inspect.

Field | Value(s) | Description
Traffic Type | Inbound / Outbound | The direction of traffic flow, either inbound traffic or outbound traffic.
WAN Link | 1, 2... | The number of WAN links users want to inspect.
Automatic Refresh | Every 3 Seconds / Every 6 Seconds / Seconds... | Time interval for refreshing the statistics table.
Traffic Class | - | The name of the traffic class defined on the Inbound/Outbound BM page. The rest of unclassified information is labelled as Default Class.
Min. ~ Max. (Priority) | Kbps ~ Kbps | The maximum/minimum traffic volume allowed for a specific traffic class and its priority.
3-Second Statistics | Packets, Kbps | It displays the number of packets or the volume of traffic flows in Kilobyte/sec for the last 3 seconds.
1-Minute Statistics | Packets, Kbps | It displays the number of packets or the volume of traffic flows in Kilobyte/sec for the last 1 minute.
Top 10 | - | By selecting the show button, the data flow for the next five seconds will be gathered, along with the corresponding IP address. The statistics can be ranked by the following categories: By Connection, By Source, By Destination, and By Service.
Table 4.1 Statistics/Traffic Field and Description

4.2 BM

The traffic statistics described in the previous section focus on real-time monitoring of network status. The statistics shown on the BM page, by contrast, are intended for long-term analysis. The network administrator can view bandwidth usage shown in bar graphs for a specific traffic class of a given traffic direction over a WAN link. The user may see the bandwidth usage in the past hour, day, month, or year.
Figure 4.3 Statistics/BM

Field | Value | Description
Traffic Type | Inbound / Outbound | The direction of traffic flow, either inbound traffic or outbound traffic.
Traffic Class | - | Either the name of the traffic class defined on the Inbound/Outbound BM page, or the sum of all traffic classes.
WAN Link | 1, 2... | The number of WAN links users wish to inspect.
Table 4.2 Statistics/BM Field and Description

4.3 Persistent Routing

The information concerning the status of persistent routing is shown on this page. In addition to viewing all the connections via persistent routing, administrators can also manually reset these connections.
Figure 4.4 Statistics/Persistent Routing

Field | Value | Description
Clear All | - | Clear all the connections via persistent routing.
Automatic Refresh | Every 3 Seconds / Every 6 Seconds / Seconds... | Time interval for refreshing information about persistent routing.
Source IP | - | Source IP of the current persistent routing connection.
Destination IP | - | Destination IP of the current persistent routing connection.
Count | - | The number of connections to which the current persistent routing rule applies.
Timeout | - | The length of time that needs to elapse before the current connection times out.
WAN | - | The WAN link through which the current persistent routing connection travels.
Table 4.3 Statistics/Persistent Routing Field and Description

4.4 WAN Link Health Detection

This page shows the results of WAN link health detection. The statistics on this page indicate the reliability of a specific WAN connection. The ping results are based on the destination IP list set up on the [System]->[WAN Link Health Detection] page. In the table, administrators can observe the number of requests sent, the number of responses received, and the success ratio for a given destination. These statistics can help administrators further analyze the network status and behavior.
Figure 4.5 Statistics/WAN Link Health Detection

Field | Value | Description
WAN Link | <WAN Link #> | The WAN link users wish to monitor.
Automatic Refresh | Every 3 Seconds / Every 6 Seconds / Seconds... | Time interval for refreshing the result table.
Destination IP | - | The destination IP address to which the ping requests will be sent.
Number of Requests | - | The number of requests sent to the destination IP so far.
Number of Replies | - | The number of ICMP responses received from the destination in the WAN so far.
Success Ratio (%) | - | The percentage of the number of responses divided by the number of requests. A higher ratio means a more reliable WAN link.
Table 4.4 Statistics/WAN Link Health Detection Field and Description

4.5 Dynamic IP WAN Link

This page contains information about dynamic IP WAN links. It shows the WAN links that obtain their IP addresses through PPPoE or DHCP. The network administrator can also get new IPs by re-establishing connections to the WAN from this page.
Figure 4.6 Statistics/Dynamic IP WAN Link

Field | Value | Description
WAN | - | How a WAN is connected: either PPPoE or DHCP
Automatic Refresh | Disabled, Every 10 Seconds, Every 30 Seconds, ... | Time interval for refreshing the result table
IP Address | - | IP allocated for the current WAN link
Gateway | - | Gateway's IP address for the current WAN link
Netmask | - | Sub-network mask
Reconnect | - | Reconnect a WAN link through PPPoE or DHCP
Re-Connect All | - | Reconnect all WAN links through PPPoE or DHCP

Table 4.5 Statistics/Dynamic IP WAN Link Field and Description

4.6 DHCP Lease Information

This page shows information about data assigned through a DHCP lease, such as the lease IP address and its corresponding MAC address, client hostname, and expiration time. By selecting the DHCP server, a list of all current DHCP servers in the network will be displayed. The Automatic Refresh option sets the time interval at which the list of DHCP servers is regularly updated.
Figure 4.7 Statistics/DHCP Lease Information

Field | Value | Description
DHCP Server | <WAN Link #> | Displays the DHCP server and range of IP addresses which can be assigned
Automatic Refresh | Disabled, Every 10 Seconds, Every 30 Seconds, ... | The time interval after which the list of client hostnames is updated.
Lease IP | - | Shows the IP address assigned to the client machine
MAC Address | - | Shows the MAC address of the client machine
Client-Hostname | - | Shows the name of the client machine
Expiration Time | - | Shows the time period during which the IP address is valid

Table 4.6 Statistics/DHCP Lease Info Field and Description

4.7 RIP & OSPF Status

This page shows the RIP status on the basis of the RIP and OSPF settings in the [System] -> [Network Setting] -> [LAN Private Subnet] page. MIS personnel can inspect the private subnet's Network IP, Netmask, and gateway list. Users can select from the Automatic Refresh menu to enable or disable the automatic refresh.
Figure 4.8 Statistics/RIP & OSPF Status

Field | Value | Description
Type | RIP, OSPF | Select from the drop-down list to view the RIP or OSPF routing.
Automatic Refresh | Disabled, Every 10 Seconds, Every 30 Seconds, ... | Select the desired auto-refresh interval, or disable it
Network IP | - | Display the Network IP of the private subnet
Netmask | - | Display the Netmask of the private subnet
Gateway | - | Display the Gateway of the private subnet

Table 4.7 Statistics/RIP Status Field and Description
4.8 Tunnel Status

This page shows the tunnel status from the settings in the [Service] -> [Tunnel Routing] page. Administrators can monitor the health condition of each tunnel and select groups from 3-Second Statistics, 1-Minute Statistics, Status, etc. Administrators can use the Automatic Refresh pull-down menu to enable or disable the function and to choose a suitable time interval for the automatic refresh.
Figure 4.9 Statistics/Tunnel Status

Field | Value | Description
Tunnel Group | - | Select the desired tunnel group from the drop-down menu.
Automatic Refresh | Disabled, Every 10 Seconds, Every 30 Seconds, ... | Select the desired auto-refresh interval, or disable it
Tunnel Status | - | OK, Failed
Tunnel | - | Displays all tunnels in the selected tunnel group
3-Second Statistics | Kbps | Displays the statistics information for the last 3 seconds
1-Minute Statistics | Kbps | Displays the statistics information for the last one minute
Status | - | Displays the status of the tunnel

Table 4.8 Statistics/Tunnel Status Field and Description

4.9 Tunnel Traffic

This page collects inbound/outbound traffic statistics of tunnel routing groups in 60 minutes, 24 hours, and 30 days. All the statistics are displayed on the chart.
Figure 4.10 Statistics/Tunnel Traffic

Field | Value | Description
Traffic Type | Outbound, Inbound | Traffic flow direction.
Time | 60 Mins, 24 Hours, 30 Days | Collect statistics in 60 minutes, 24 hours, and 30 days.
Tunnel Routing Group | <Group Name> | Select one group from the drop-down list. If the group contains N tunnels, N statistical charts are shown below.

Table 4.9 Statistics/Tunnel Traffic Field and Description

4.10 Connection Limit

On this page, administrators can inspect the number of connections established in real time and adjust the maximum connection number allowed in the [Service] -> [Connection Limit] page accordingly to avoid network congestion.
Figure 4.11 Statistics/Connection Limit

Field | Value | Description
Automatic Refresh | Disabled, Every 10 Seconds, Every 30 Seconds, ... | Select the desired auto-refresh interval, or disable it
No. | 1, 2, 3... | Numbering of IP addresses based on the number of connections established.
IP | <IP Address> | Display the source IP of the connection
Connections | 1, 2, 3... | Display the number of connections established

Table 4.10 Statistics/Connection Limit Field and Description
4.11 Port Information

This page is used to display detailed information of each AscenLink port.
Figure 4.12 Statistics/Port Information

Field | Value | Description
Automatic Refresh | Disabled, Every 3 Seconds, Every 6 Seconds, ... | Select the desired auto-refresh interval, or disable it
Port | 1,2,3 | Display every port on AscenLink
RX/TX | <number> | Display information including Errors, Dropped, Overruns, Frame (RX), Carrier (TX), and Collisions
Collisions | <number> | Display the number of collisions

Table 4.11 Statistics/Port Information Field and Description

4.12 Virtual Server Status

This page displays the detection status of the virtual servers defined on the Service/Virtual Server page.
Figure 4.13 Statistics/Virtual Server Status

Field | Value | Description
Automatic Refresh | Disabled, Every 10 Seconds, Every 30 Seconds | Select interval from drop-down list to refresh statistical table. By default, Automatic Refresh is disabled.
Virtual Server Status | OK, Failed | OK, Failed
WAN IP | <IP Address> | Displays WAN IPs defined in the rules on Service/Virtual Server page.
Service | <Service Name> | Displays services defined in the rules on Service/Virtual Server page. The services are those available for virtual servers.
Server IP | <IP Address> | Displays server IPs defined in the rules on Service/Virtual Server page. The server IPs denote those in real network usages.
Detect | TCP, ICMP | Displays detect methods.
Status | OK, Failed | Displays the detect result.

Table 4.12 Statistics/Virtual Server Status Field and Description
Table of Content

Chapter 5 Log
5.1 View
5.2 Control
5.3 Notification
5.4 Link Report

Figure
Figure 5.1 The Location of Log and its Function on the Menu Bar
Figure 5.2 The Location of Log/View Page Menu Bar
Figure 5.3 The Location of Log/Control Page on the Menu Bar
Figure 5.4 The Location of Log/Notification Page on the Menu Bar
Figure 5.5 Notification Setting
Figure 5.6 The Location of Log/LinkReport Page on the Menu Bar
Figure 5.7 LinkReport Fields

Table
Table 5.1 The Description of the Fields on Log/View Page
Table 5.2 The Description of the Fields on Log/Control Page
Table 5.3 Method: FTP
Table 5.4 Method: E-mail
Table 5.5 Notification and its Function
Table 5.6 SNMP Trap Setting
Table 5.7 Event Types to Notify
Table 5.8 The Description of the Fields on LinkReport Page
Table 5.9 The Description of Events

Chapter 5 Log

In this chapter, you can control AscenLink's logging activities with respect to various functions such as the System, Firewall, Routing, BM, etc. Administrators can also either set up the log transmission methods to another server for purposes of archiving and further analysis, or control the event notification settings via e-mail. In addition to the log pushing and e-mail notification features, Xtera also offers a powerful companion reporting and analysis tool, LinkReport. It is a web-based analysis tool running on an independent machine, enabling administrators to gain insights on network traffic without manually filtering through large volumes of log data.
Figure 5.1 The Location of Log and its Function on the Menu Bar

5.1 View

In the sub-menu View, AscenLink provides 13 types of comprehensive log records (see the table below). Administrators can pick the desired log type, and the corresponding events for that type will be displayed in the window below. Click the Refresh button to get a copy of the latest log. Please be aware that this page is for online viewing of current events. For log data pushing and archiving, see the Control sub-menu in the next section.
Figure 5.2 The Location of Log/View Page Menu Bar

Field | Value | Description
Log Type | System Log, Firewall Log, NAT Log, Auto & Persistent Routing Log, Virtual Server Log, BM Log, Connection Limit Log, Cache Redirect Log, Multihoming Log, Backup Line Log, Dynamic IP Log, IP-MAC Mapping Log, Tunnel Routing Log | You can pick the log type of your preferred events to be shown in the log viewing window.
Recent Event | - | Event log listed by order of timestamp
Refresh | - | Refresh to get the latest event log

Table 5.1 The Description of the Fields on Log/View Page

5.2 Control

With this sub-menu, you can set up how to transmit log data from AscenLink to other servers for archiving and further analysis. Transmission methods include FTP and E-mail, and each log type can have its own transmission method setting. If setting each log type individually is too complex, you can use the Copy Setting to All Other Log Types button to duplicate the setting across all log types.
Figure 5.3 The Location of Log/Control Page on the Menu Bar

Field | Value | Description
Log Type | System Log, Firewall Log, NAT Log, Auto & Persistent Routing Log, Virtual Server Log, BM Log, Connection Limit Log, Cache Redirect Log, Multihome Log, Backup Line Log, Dynamic IP Log, IP-MAC Mapping Log | Select the type of log file to be sent.
Copy Settings to All Other Log Types | - | Copy the setting for the current log type to all log types
Method | E-Mail, FTP | See below
Note | <Note> | For your own reference
Push Now | | Use this button to get immediate log pushing
Push Log When Out of Space | Enable, Disable | Check Enable to avoid loss of log data due to out of space
Enable Scheduled Push | | Turn on scheduled push
Initial Time | <Year/Month/Day/Hour/Minute/Second> | Start time for the scheduled push
Period | <Day/Hour/Minute> | Scheduled push duration

Table 5.2 The Description of the Fields on Log/Control Page

Method

AscenLink offers two types of log transmission: FTP out to an external FTP server, and e-mail via SMTP to the administrator's mailbox.

1. FTP

Field | Value | Description
Server | <IP> or <Domain Name> | FTP server's IP or domain name
Account | <FTP Account> | FTP user account
Password | <Account's Password> | FTP user password
Path | <Path> | FTP server path

Table 5.3 Method: FTP

2. E-mail

Field | Value | Description
SMTP Server | <IP> or <Domain Name> | SMTP server for the log
Account | <SMTP Account> | Authenticated account for the mail server
Password | <Account's Password> | Authenticated password for the mail server
Mail From | <e-Mail address> | Sender
Mail To | <e-Mail address> | Receiver(s). Separate receivers with , or ..

Table 5.4 Method: E-mail

5.3 Notification

This sub-menu sets up how e-mail notifications are sent out for important system events. The setup is similar to the previous section's e-mail account settings. Press the Send Test E-Mail Now button to test whether the setting is operational.
Figure 5.4 The Location of Log/Notification Page on the Menu Bar

As illustrated in the sample page below, there are three steps for the configuration:

Figure 5.5 Notification Setting

1. E-Mail Settings

The table below summarizes the event notification mail setup.

Field | Description
SMTP Server | SMTP Server
Account | Authenticated account for the mail server
Password | Authenticated password for the mail server
Mail From | Sender
Mail To | Receiver(s). Separate receivers with , or ..
Send Test E-mail Now | Click the button for immediate test.

Table 5.5 Notification and its Function

2. SNMP Trap Settings

Event notification can also be sent via SNMP traps. Note that you need an SNMP managing device to receive the AscenLink SNMP traps.

Field | Value | Description
Destination IP | <IP Address> | The SNMP managing device IP
Community Name | <Community Name> | Community name

Table 5.6 SNMP Trap Setting

3. Event Types to Notify

Field | Value | Description
Event Types to Notify | Hardware failure and recovery, Link failure and recovery, Service failure and recovery, Administrator password change, HA slave failure and recovery, HA takeover | Select (multiple OK) the events to be notified.
Select All | - |
Clear All | - |

Table 5.7 Event Types to Notify

5.4 Link Report

This section controls how the AscenLink log communicates with the LinkReport server. The original log file produced by AscenLink contains raw information which is yet to be analyzed. LinkReport can organize this information into readable statistics, so that the administrator can easily manage the network. First, the administrator needs to create a connection over which log files are sent to a computer where LinkReport is installed. Analysis of the log files will be performed on this computer, instead of the Web UI.
Figure 5.6 The Location of Log/LinkReport Page on the Menu Bar

The setup is simple, as illustrated in the figure below:

Figure 5.7 LinkReport Fields

Field explained:

Field | Description
Enable Link Report | Enable log pushing to specific LinkReport Server.
Recipient IP Address | The IP address of the LinkReport server receiving the log data from AscenLink

Table 5.8 The Description of the Fields on LinkReport Page

The description of Events Table:

Field | Value | Description
Events | Firewall, Virtual Server, Bandwidth Usage, Connection Limit, Multihoming, Tunnel Routing | Select the log type that you want AscenLink to send to LinkReport

Table 5.9 The Description of Events

Table of Content

Chapter 6 Deployment Scenarios
6.1 Various WAN Types and Scenarios
6.1.1 WAN Type: Bridge Mode with One Static IP
6.1.2 WAN Type: Routing Mode
6.2 Exploring Auto Routing
6.2.1 Advantages of Auto Routing
6.2.2 AscenLink Fault Tolerance Mechanism
6.2.3 Persistent Routing and Auto Routing
6.3 Various Auto Routing Mechanisms
6.4 Virtual Server
6.5 Multihoming
6.6 Introduction to DNS
6.7 High Availability (HA) Scenarios
6.7.1 Firmware Update Procedure in HA Deployment
6.7.2 HA Fallback to Single Unit Deployment

Figure
Figure 6.1 Bridge Mode: One Static IP
Figure 6.2 WAN Type: Routing Mode
Figure 6.3 Private Subnet Between WAN Router and AscenLink
Figure 6.4 Multiple WAN Links in Routing Mode
Figure 6.5 By-pass a Broken Link Manually
Figure 6.6 By-pass a Broken Link using Auto Routing
Figure 6.7 Switch to Fail-over Policy on Fixed Routing Policy
Figure 6.8 Typical Connections in a Multihoming Environment
Figure 6.9 Multihoming Example

Chapter 6 Deployment Scenarios

6.1 Various WAN Types and Scenarios

This section presents various WAN types and network scenarios and explains how AscenLink can be easily integrated into any existing network. You can get familiar with the AscenLink deployment concepts and with the actual Web UI configuration. As illustrated in these scenarios, you will find AscenLink to be an excellent fit in any network.

6.1.1 WAN Type: Bridge Mode with One Static IP

One Static IP is a simple WAN network scenario, defined as the case where the ISP provides only one public static (fixed) IP for the WAN link.

Note: ISPs often provide an ATU-R, the so-called ADSL modem, in bridge mode.

The network topology for One Static IP is:

[Figure labels: ISP, Internet, DSLAM, 211.100.3.254/24, ATU-R (Bridge Mode), Port 1, Port 2, AscenLink, LAN/DMZ, 211.100.3.35/24, Client Side]
Figure 6.1 Bridge Mode: One Static IP

Sample configuration as follows:

In this example we assume WAN port 1 is connected to the bridge-mode ATU-R.

ISP network settings are: the ISP provides one ATU-R with bridge mode setup; the assigned public IP is 211.100.3.35, the gateway is 211.100.3.254, and the netmask is 255.255.255.0.

Hardware configuration:

Please refer to the ATU-R user manual provided by your ISP to connect the ATU-R to AscenLink's WAN #1.

Note: AscenLink is treated as a normal PC when connecting to other networking equipment.

WAN configuration:

- Log in to the AscenLink Web-based UI.
- Go to [System] -> [Network Setting] -> [WAN setting].
- In the WAN LINK pull-down menu, select 1, and pick Enable in the Basic Setting.
- In the WAN type pull-down menu, select [Bridge Mode: One static IP].
- Put in the up/down stream bandwidth associated with this WAN link. If the ADSL line you have on WAN1 is 512/64, for example, then put [64] and [512] in the Up Stream and Down Stream fields respectively.
  Note: The up/down stream values you put in will ONLY affect the BM and statistics reporting. You will NOT get a bigger pipe by putting in values greater than the actual bandwidth.
- Put [255.255.255.0] in the Net Localhost field.
- Put [255.255.255.0] in the Net Mask field.
- Put [211.100.3.254] in the Gateway IP field.
- Select [Port 1] in the WAN Port field.
- Complete the bridge mode configuration.

If the configuration above is correctly set, the [System] -> [Summary] page shows a green status color on the WAN Link State for WAN Link #1.

Virtual Server Configuration:

Assume an SMTP server with IP 192.168.1.1 provides SMTP services to the outside via the virtual server mechanism. AscenLink will perform NAT on this machine so that outside clients can get SMTP services via the AscenLink public IP on WAN1. The configuration steps to achieve this are in the [Service] -> [Virtual Server] page.
- Select [+] to create a new rule.
- Select [E] to enable this rule.
- Select [All-Time] in the When field.
- Put [211.100.3.35] in the WAN IP field.
- Put [192.168.1.1] in the Server IP field.
- Select [SMTP(25)] in the Service field.
- Selection of the L field is optional. (If an administrator wishes to log Virtual Server activities, select L.)
- Configuration complete.

Administrators can set up different types of services inside the LAN and expose these services to the outside world via the Virtual Server. Once the configuration is done (as shown in the previous example), services can then be made public. This improves overall flexibility and manageability.

6.1.2 WAN Type: Routing Mode

Routing Mode Configuration Example 1

This is a typical example where the ISP provides a network segment (a class C segment, for example) to the user. Under such a condition, AscenLink itself will take up one or more IP addresses, while the rest of the public IP addresses from the assigned segment will be under DMZ. Servers with public IP addresses can be deployed in two places in the network (as illustrated in the figure below):

1. Between the ATU-R and AscenLink, i.e., behind the ATU-R but in front of AscenLink, or
2. Inside the AscenLink DMZ segment.
Figure 6.2 WAN Type: Routing Mode

Configuration Example:

In this example, we assume the router is connected to AscenLink's WAN port #1.

Network info from ISP:

- Client side IP segment is 211.102.30.0/24, the gateway (i.e. the IP for the router) is 211.102.30.254, and the netmask is 255.255.255.0.
- We further assume the AscenLink IP is 211.102.30.253.
- Servers in between the ATU-R and AscenLink occupy the IP range 211.102.30.70-100.102.30.99.
- WAN port is on port #1.
- DMZ port is on port #2.
- ISP supplies the router.

Hardware Configuration

Connect the router to AscenLink on WAN1 by referring to the router's user manual.

Note: AscenLink is viewed as a normal PC when connected to network equipment.

Configuration Steps

- Log into the AscenLink Web UI.
- Go to [System] -> [Network Setting] -> [WAN setting].
- Under the WAN Link function menu, select 1 and select Enable in the Basic Setting field.
- In the WAN Type pull-down menu, select [Routing Mode].
- Put in the corresponding up/down stream bandwidth. For example, if you have a 512/64K type of ADSL, then put [64] and [512] in the Up Stream and Down Stream parameter fields respectively.
  Note: The Up and Down Stream parameters will not affect the physical bandwidth provided by the ISP. They only affect the BM and Statistics function pages.
- Set the gateway to 211.21.30.254.
- Set WAN port to port #1.
- Since WAN and DMZ each have their own subnet, in the Basic Subnet section select the Subnet Type as Subnet in WAN and DMZ, as follows:
- In the IP(s) in Localhost field, put in [211.102.30.253].
- In the IP(s) in WAN field, put in [211.102.30.70-211.102.30.99].
- In the Netmask field, put in [255.255.255.0].
- In the DMZ Port field, put in [Port 2].
- Configuration complete.

Note: In this example all addresses are in DMZ (211.102.30.1-211.102.30.69, 211.102.30.100-211.102.30.252), except those specified in the IP(s) in WAN field.
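The following added example (not part of the AscenLink manual or firmware) checks a Routing Mode addressing plan such as Example 1 before it is entered in the Web UI: the gateway and the IP(s) in Localhost must fall inside the subnet, the IP(s) in WAN range must be well formed, and every remaining host address is reported as DMZ. The function names and data layout are assumptions of this example; only the field labels and addresses come from the text above.

```python
"""Pre-flight check for a Routing Mode addressing plan (added example)."""
import ipaddress


def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' (or a single address) into (first, last)."""
    first, _, last = text.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range runs backwards: {text}")
    return lo, hi


def to_ranges(addresses):
    """Collapse an ascending list of addresses into 'first-last' strings."""
    ranges = []
    for addr in addresses:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr
        else:
            ranges.append([addr, addr])
    return [f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges]


def check_plan(network, netmask, gateway, localhost_ips, wan_ranges):
    """Return (problems, dmz_ranges) for one WAN link's basic subnet.

    problems   -- human-readable findings; empty when the plan is consistent
    dmz_ranges -- host addresses not used by the gateway, the Localhost IP(s)
                  or the IP(s) in WAN field, i.e. what is left for the DMZ
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}")
    problems = []
    reserved = set()

    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    reserved.add(gw)

    for ip in localhost_ips:
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            problems.append(f"Localhost IP {addr} is outside {net}")
        if addr in reserved:
            problems.append(f"Localhost IP {addr} collides with the gateway")
        reserved.add(addr)

    for text in wan_ranges:
        try:
            lo, hi = parse_range(text)
        except ValueError as exc:  # also covers malformed addresses
            problems.append(f"IP(s) in WAN {text!r}: {exc}")
            continue
        if lo not in net or hi not in net:
            problems.append(f"IP(s) in WAN {text!r} leaves {net}")
            continue
        block = {ipaddress.IPv4Address(v) for v in range(int(lo), int(hi) + 1)}
        if block & reserved:
            problems.append(f"IP(s) in WAN {text!r} overlaps a reserved address")
        reserved |= block

    dmz = [host for host in net.hosts() if host not in reserved]
    return problems, to_ranges(dmz)


if __name__ == "__main__":
    # Values taken from Routing Mode Configuration Example 1.
    findings, dmz = check_plan(
        network="211.102.30.0",
        netmask="255.255.255.0",
        gateway="211.102.30.254",
        localhost_ips=["211.102.30.253"],
        wan_ranges=["211.102.30.70-211.102.30.99"],
    )
    print("problems:", findings or "none")
    print("DMZ addresses:", ", ".join(dmz))
```

Running the check on every value before it is typed in catches a single mistyped octet, which would otherwise surface only as a WAN link that never turns green or a server that is unreachable from the DMZ.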
Routing Mode Configuration Example 2

This example shows the scenario where there is a private subnet between the WAN router and AscenLink. In addition, the public IP subnet inside the AscenLink DMZ port requires a router.

[Figure labels: Internet, ISP 1, AscenLink, 192.168.0.254, Router, 192.168.0.253, DMZ, 3, 211.20.104.0, 211.20.103.254, 211.20.103.253]

Figure 6.3 Private Subnet Between WAN Router and AscenLink
Sample Configuration:

- Assume the private IP subnet (192.168.0.0/24) is between the WAN link router and the AscenLink WAN port.
- AscenLink's port 1 IP (192.168.0.253) is connected to the WAN link router (192.168.0.254).
- AscenLink's Port 3 is DMZ with a public IP subnet (211.20.103.254/24).
- The LAN part behind AscenLink has another public IP subnet (211.20.104.0/24) behind a router (211.20.103.253).

Configuration Steps:

- From AscenLink's UI, go to the [System] -> [Network Setting] -> [WAN setting] sub-function.
- Select 1 on the WAN Link pull-down menu and select the checkbox in the Enable field.
- Enter the corresponding up and down stream bandwidths.
- In the Default Gateway field, put in [192.168.0.254].
- In the WAN Port field, put in [Port 1].
- In the Basic Subnet function, pick [+] to create a new rule, and select [subnet in DMZ] in the Subnet Type field.
- In the IP(s) in Localhost field, put in [211.20.103.254].
- In the Netmask field, put in [255.255.255.0].
- In the DMZ Port field, put in [Port 3].
- In the static routing subnet field, use [+] to add a new rule with Subnet Type as subnet in DMZ. In this example, there is a router in the DMZ port for the public IP subnet and the subnet does not connect to the AscenLink directly. Therefore the subnet info should be filled in the static routing subnet field.
- In the Network IP field, put in [211.20.104.0].
- In the Netmask field, put in [255.255.255.0].
- In the gateway IP field, put in [211.20.103.253].
- Go to the [WAN/DMZ private subnet] sub-function page and select [+] in the Basic Subnet field to add a new rule, with the following:
- Set the Subnet Type as subnet in WAN.
- In the IP(s) in Localhost field, put in [192.168.0.253].
- In the Netmask field, put in [255.255.255.0].
- In the WAN Port field, select [Port 1].
- Configuration complete.
Routing Mode Configuration Example 3

In this example the deployment scenario is that both WAN links have their own routers and AscenLink is connected to these two routers using private IP addresses, as illustrated in the figure below. In addition, AscenLink Port 3 is assigned another private IP connecting to the LAN Core Switch (L3 switch), therefore there is a public IP subnet connected behind the Core Switch inside the LAN.
Figure 6.4 Multiple WAN Links in Routing Mode

Configuration Example:

- AscenLink Port 1 (192.168.0.253) is connected to WAN1's router (192.168.0.254/24).
- AscenLink Port 2 (192.168.1.253) is connected to WAN2's router (192.168.1.254/24).
- AscenLink Port 3 (192.168.2.253) is connected to the LAN Core Switch (192.168.2.254/24).
- WAN1's public IP subnet is placed behind the Core Switch as (211.70.3.0/24).
- WAN2's public IP subnet is also placed behind the Core Switch as (53.244.43.0/24).

Configuration Steps:

- Go to the AscenLink Web UI.
- Go to the [System] -> [Network Setting] -> [WAN setting] management page.
- Select (1) in the WAN Link pull-down menu.
- Click Enable to activate the WAN link.
- Select [Routing Mode] in the WAN Type pull-down menu.
- Enter the corresponding up/down-stream bandwidth.
- In the Default Gateway IP field, put in [192.168.0.254].
- Select [Port 1] in the WAN Port field.
- In the static routing subnet field, use [+] to add a new rule with Subnet Type as subnet in DMZ. In this example, there is a Core Switch in the DMZ port for the public IP subnet and the subnet does not connect to the AscenLink directly. Therefore the subnet info should be filled in the static routing subnet field.
- In the Network IP field, put in [211.70.3.0].
- In the Netmask field, put in [255.255.255.0].
- In the gateway IP field, put in [192.168.2.253].
- In the WAN Link pull-down menu, select 2 to switch to WAN2.
- Click on Basic Setting to enable the WAN link.
- In the WAN type pull-down menu, select [Routing Mode].
- Enter the corresponding up and down stream bandwidth parameters.
- In the Default gateway IP field, put in [192.168.1.254].
- In the WAN Port field select [Port 2].
- In the static routing subnet field, click on [+] to add a new rule with the Subnet Type field as subnet in DMZ.
- In the Network IP field, put in [53.244.43.0].
- In the Netmask field, put in [255.255.255.0].
- In the Gateway IP field, put in [192.168.2.253].
Enter the [WAN/DMZ Private Subnet] management page. All three subnets need to be entered for the WAN and DMZ ports, as follows:

- In the basic subnet field, click [+] to add a new rule with 192.168.0.0/24 as the IP, and the subnet in WAN value in the Subnet Type field.
- In the IP(s) on Localhost field, put in [192.168.0.253].
- In the Netmask field, put in [255.255.255.0].
- In the WAN port field, select [Port 1].

The WAN Port 1 setting is done; now move on to WAN Port 2:

- In the basic subnet field, pick [+] to add a new rule, with 192.168.1.0/24 as the subnet IP addresses, and select subnet in WAN as the Subnet Type.
- In the IP(s) on Localhost field, put in [192.168.1.253].
- In the Netmask field, put in [255.255.255.0].
- In the WAN port field, select [Port 2].

The WAN Port 2 setting is complete; proceed to the DMZ port:

- In the basic subnet field, pick [+] to add a new rule. Select subnet in DMZ as the value of the Subnet Type field.
- In the IP(s) on Localhost field, put in [192.168.2.253].
- In the Netmask field, put in [255.255.255.0].
- In the DMZ Port field, select [Port3].
- Configuration complete.

The example above illustrates a very common and powerful AscenLink deployment scenario where a private IP subnet is placed inside a WAN and DMZ and a public IP subnet is connected to the AscenLink DMZ via a Core Switch.

6.2 Exploring Auto Routing

Auto Routing

Auto Routing is a mechanism for load balancing outbound traffic, i.e., traffic originating from the LAN side. Multihoming, on the other hand, covers the traffic originating from the WAN side inbound into the LAN.

WAN Link Fault Tolerance

With the rapid proliferation and decreasing prices of broadband solutions, more and more businesses, large and small, are opting for the use of multiple WAN links from different ISPs.
The benefits of this are:

- With multiple WAN links, failure of an individual line does not imply total loss of connectivity to the Internet, so WAN reliability increases.
- Traffic can be evenly spread across multiple WAN links for optimal use of the WAN bandwidth.

WAN connectivity is vital to today's business activities. Having multiple WAN links for fault tolerance and load balancing has two advantages:

- The outbound traffic, i.e., traffic originating from the LAN going outside, can be load-balanced across multiple WAN links. This is called Auto Routing.
- Traffic from the WAN side, e.g., outside customers or partners requesting services, can be load-balanced across multiple WAN links into various services provided by your company. This is called Multihoming.

6.2.1 Advantages of Auto Routing

Auto Routing Mechanism

Auto Routing is the mechanism of automatically load-balancing the outbound traffic across multiple WAN links according to a pre-defined set of routing policies. At the time of a WAN link failure, auto routing will also adjust the routing mechanism to distribute the outbound traffic ONLY among the WAN links in good working condition, bypassing the failed link(s).

The traditional way of WAN link backup takes the approach of having a WAN link PURELY for backup purposes. That is, there is one main line and one backup line. With the help of the router's backup policy, minimum fault tolerance can be achieved. With such an approach, however, one of the lines is idle most of the time, which is a waste of valuable resources. In addition, the router configuration steps are very tedious.

Another traditional approach for businesses with multiple WAN links is essentially dividing the LAN into multiple segments, each going its own way outside through an independent WAN link. Under normal situations, each segment has its own way using separate routers.
When one of the WAN links fails, MIS has to change the router configuration to bypass the failed link. The obvious drawback to this approach is the MIS management overhead. Whenever there is a WAN link status change, the LAN environment settings (such as gateway, netmask, router policies, proxy settings, etc.) need to be adjusted.

[Figure labels: ISP 1, ISP 2, Breaks, HTTP: PORT 80, POP3: PORT 110, Subnet 1, Subnet 2]
Figure 6.5 By-pass a Broken Link Manually

6.2.2 AscenLink Fault Tolerance Mechanism

As stated previously, without a WAN load balancer such as AscenLink, the traditional way of using multiple WAN links always involves human intervention whenever the WAN link status changes. AscenLink maintains an internal Virtual Trunk circuit, which is essentially a combination of the multiple physical WAN links. The AscenLink auto routing mechanism is the ability to adjust the Virtual Trunk to include only those normally functioning WAN links and to direct outbound traffic through the Virtual Trunk circuit without human intervention. Users therefore will not notice a change of status for the individual WAN links.

[Figure labels: ISP 1, ISP 2, Fail, Breaks, ISDN, T1, AscenLink, LAN, WAN1, WAN2, LAN]
Figure 6.6 By-pass a Broken Link Using Auto Routing

Figure 6.6 illustrates this auto routing mechanism, where the LAN users will view the WAN link as an uninterrupted connection to the Internet without even noticing the individual WAN link failures. More importantly, as compared with the traditional multiple WAN link usage, auto routing can effectively use all the available WAN links to balance the outbound traffic even when all the WAN links are in perfect working condition.

Notice that auto routing cannot prevent an ongoing session on a certain WAN link from failing when one of the physical lines breaks. However, a new and working WAN link will be automatically selected for newly established sessions. With AscenLink's six different types of auto routing policies, MIS personnel can easily find the optimal auto routing policies to fit their environment.

[Figure labels: ISP 1, ISP 2, ISP 3, Destination WAN/IP, Routing Policy Fixed Link-1, Fail-Over Policy Fixed Link-2 or Link-3, Breaks, LAN, AscenLink]
Figure 6.7 Switch to Fail-over Policy on Fixed Routing Policy

Auto Routing Mechanism

Field                   Explanation
Fixed                   Direct the traffic to a specific WAN link
Round-Robin             Evenly distribute the traffic over all WORKING WAN links according to the specified weights
By Connection           Compares the number of connections on each WAN link and routes data based on the specified connection ratio in WAN
By Downstream Traffic   Direct the new traffic to the WAN link with the lowest inbound (also called down stream) traffic
By Upstream Traffic     Direct the new traffic to the WAN link with the lowest outbound (also called up stream) traffic
By Total Traffic        Direct the new traffic to the WAN link with the lowest combined (up and down stream) traffic

Note: All the routing policies (except the fixed one) will ONLY pick the properly working WAN links and by-pass the failed ones. In the Round-Robin policy, for example, if the weights for WAN1:WAN2:WAN3 are 6:3:1 and WAN3 fails, the Round-Robin policy will be automatically adjusted to distribute among WAN1 and WAN2, at the ratio of 6:3.

6.2.3 Persistent Routing and Auto Routing

Persistent Routing and Auto Routing are related. If persistent routing and auto routing policies are set on the same server (or LAN IP), AscenLink's behavior will be as follows:
- The route for the first outbound traffic from the said server/IP will be determined by the auto routing policy on this server/IP.
- Once the route is decided (e.g. through WAN link 3), subsequent traffic will follow the Persistent Routing rule.
- If there is a need to clear the existing persistent routing effects, go to [Statistics] -> [Persistent Routing] and click on [Clear All] to clear all persistent routing sessions.

When AscenLink discovers WAN link failure(s), the proper actions with respect to persistent routing and auto routing will be:
- Auto Routing will automatically remove the failed link, even if there is a fixed routing policy on this link.
In other words, regardless of the auto routing policy, the backup procedure will always be invoked.
- The Multihoming mechanism will also remove the failed link when responding to DNS requests so that no inbound traffic will use the failed link.

6.3 Various Auto Routing Mechanisms

As discussed previously, AscenLink has five different mechanisms for deployment flexibility by using multiple WAN links to achieve high availability (HA) and faster response time for both inbound and outbound requests. AscenLink uses two key aspects in calculating the best auto routing decisions:
- The auto routing algorithm calculation
- The WAN link status checking and health detection

The five different algorithms are discussed in more detail below:
- Fixed: Select a fixed WAN link.
- By Round Robin: Distribute connections to several WAN links based on their weights.
- By Connection: Compare the number of connections on each WAN link and route data based on the specified connection ratio in WAN.
- By Downstream Traffic: Dynamically select the WAN link with the least downstream traffic.
- By Upstream Traffic: Dynamically select the WAN link with the least upstream traffic.
- By Total Traffic: Dynamically select the WAN link with the least total traffic.

In order to accomplish fault tolerance, AscenLink uses a special algorithm to detect the health of WAN links. This algorithm combines results from ICMP and TCP queries and actual traffic flow on a link to determine if the link is working properly.

6.4 Virtual Server

Virtual Server is a mechanism for a single gateway machine to act as many separate servers. The real servers sit inside the corporate network to process requests passed in from the gateway machine. Users do not have to know where the real servers are, or whether there is just one server or many servers.
This mechanism prevents direct access by users and hence increases security and flexibility.

AscenLink provides virtual server capability by supporting various virtual server mapping methods. For example, you can map different public IP addresses to different real servers in the LAN or DMZ. Or you can map different ports of one public IP address to different servers.

Virtual servers are configured on AscenLink by providing virtual server rules. Each rule specifies a mapping condition: it maps a WAN IP address and a service (port or ports) to an internal server IP address. The order of virtual server rules on AscenLink is important because AscenLink employs a first-match scheme: the rule that first matches a request takes effect.

For example, you have a public IP address 211.21.48.196 and you want a web server on 192.168.123.16 to handle all the web page requests coming to this public IP address. To do this, create a virtual server rule with 211.21.48.196 as its WAN IP, 192.168.123.16 as its Server IP, and HTTP(80) as its Service.

6.5 Multihoming

Most of the previous discussion concentrates on how AscenLink helps fault tolerance and load balancing on the outbound traffic, i.e., traffic going from inside the LAN to the WAN. For enterprises, however, Internet connectivity means both ways. In other words, providing services to Internet users (customers or partners alike) is as important as providing connectivity for employees to perform their daily work. Enterprises with web services for Internet users can equally benefit from using multiple WAN links for inbound traffic fault tolerance and load balancing, via the technology called Multihoming, as illustrated in the figure below with ISP1 and ISP2.
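Returning to the first-match rule order of section 6.4: because only the first matching virtual server rule takes effect, a broad rule placed early can take over a port that a later rule was meant to publish. The following Python check is an added example, not AscenLink code; rule 0 is the example from the text, while rules 1 to 3, the class and the function names are constructed for illustration.

```python
"""Offline audit of first-match virtual server rules (illustrative model)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    wan_ip: str     # public (WAN) address the request arrives on
    port_lo: int    # first port of the service
    port_hi: int    # last port of the service (same as port_lo for one port)
    server_ip: str  # internal server that receives the request

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(dst_ip) == ip_address(self.wan_ip)
                and self.port_lo <= dst_port <= self.port_hi)


def resolve(rules: List[Rule], dst_ip: str, dst_port: int) -> Optional[str]:
    """First-match scheme: the first rule that matches the request takes effect."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.server_ip
    return None  # no rule matched; this model maps the request nowhere


def effective_ports(rules: List[Rule], index: int) -> List[Tuple[int, int]]:
    """Port ranges of rules[index] that no earlier rule on the same WAN IP claims."""
    target = rules[index]
    remaining = [(target.port_lo, target.port_hi)]
    for earlier in rules[:index]:
        if ip_address(earlier.wan_ip) != ip_address(target.wan_ip):
            continue
        kept = []
        for lo, hi in remaining:
            if earlier.port_hi < lo or earlier.port_lo > hi:
                kept.append((lo, hi))                    # no overlap
                continue
            if lo < earlier.port_lo:
                kept.append((lo, earlier.port_lo - 1))   # part below the overlap
            if earlier.port_hi < hi:
                kept.append((earlier.port_hi + 1, hi))   # part above the overlap
        remaining = kept
    return remaining


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Report rules that can never fire or that fire on fewer ports than written."""
    findings = []
    for index, rule in enumerate(rules):
        ports = effective_ports(rules, index)
        if not ports:
            findings.append((index, "unreachable"))
        elif ports != [(rule.port_lo, rule.port_hi)]:
            findings.append((index, "partially shadowed"))
    return findings


# Rule 0 is the example from the text; rules 1-3 are constructed for illustration.
RULES = [
    Rule("211.21.48.196", 80, 80, "192.168.123.16"),
    Rule("211.21.48.196", 1, 1024, "192.168.123.20"),   # broad range placed early
    Rule("211.21.48.196", 443, 443, "192.168.123.17"),  # never reached
    Rule("211.21.48.197", 25, 25, "192.168.123.18"),
]

if __name__ == "__main__":
    for index, finding in audit(RULES):
        print(f"rule {index}: {finding}, effective ports {effective_ports(RULES, index)}")
    print("211.21.48.196:443 ->", resolve(RULES, "211.21.48.196", 443))
```

Moving the port 443 rule above the 1-1024 rule makes it reachable again; the audit then reports only the broad rule as partially shadowed, which is the intended outcome.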
Figure 6.8 Typical Connections in a Multihoming Environment

The topic discussed in this chapter is how to simultaneously use multiple IP addresses provided by the ISP connections. Usually, such connections can cause problems with inbound traffic. For example, if the network is currently using an IP address provided by ISP1, and a problem occurs with this ISP, then the inbound query will not be received properly because the external traffic only knows the IP address provided by ISP1. Also, by using the IP address provided by ISP1, ISP2 cannot manage the inbound traffic of ISP1. So, the main concern with multiple ISP connections is how to effectively present IP addresses to the external environment.

AscenLink's Multihoming uses a DNS fault-tolerance technique to resolve the problems with simultaneous use of multiple ISP connections. For example, if the web server used for external traffic uses only one ISP connection, then any problems with that connection will affect the network. However, if DNS periodically assigns different IP addresses provided by different ISP connections, then the external traffic will always have a valid IP address to connect to. The actual implementation assigns different IP addresses to one name, and any query to this name will receive an IP address. As a result, different users can access the web server through different IP addresses, which is the purpose of Multihoming.

Assuming, for example, there are three WAN links (therefore three different IP addresses) for the web site of www.example.com, the DNS record has three entries as:

    www IN A 211.21.10.3
    www IN A 63.98.110.123
    www IN A 192.136.1.243

All DNS requests to www.example.com will be sent to AscenLink. The AscenLink Multihoming mechanism will constantly measure the health conditions as well as the state of each WAN link and compute the optimal return answer to the DNS queries, defined as the SwiftDNS technology.
The SwiftDNS technology will not only ensure fault tolerance for inbound traffic, it also supports powerful and flexible load balancing algorithms as in the Auto Routing mechanism to enable users with heavy web presence to maximize the reliability and efficiency of their web services. The SwiftDNS Multihoming mechanism requires MIS personnel to understand the details of the system behaviors. The fundamental concept of the DNS mechanism is shown in the next section. A step by step deployment tutorial is also provided.

6.6 Introduction to DNS

Name resolution by a DNS server is different from name resolution based on a host file. A host file contains IP address mapping information. It is only useful for an intranet where the information of host machines is relatively static. Name resolution by DNS server is more dynamic because it can adapt to changes easily.

The way it works is based on the DNS server hierarchy on the Internet. If a DNS server cannot resolve a name (the information is not in its cache), it will ask other DNS servers. There is a protocol on how and where to ask other DNS servers. Basically it follows the DNS hierarchy to be covered below. A name resolution request may go through a number of DNS servers. When an answer is found, it will be saved in their cache so that the same request can be answered immediately without asking other DNS servers again. Each name resolution result saved in cache has a TTL (Time To Live). After the period of TTL, it will be discarded in order to avoid stale information.

The whole Internet has a large DNS hierarchy. The top of the hierarchy is called Root. It consists of a set of Root DNS servers coordinated by ICANN. The next level below Root is Top Level Domain (TLD). The TLD registration database contains information about top level domains such as CA, COM, EDU, GOV, NET, etc. The next level below TLD is Second Level Domain (such as whitehouse.gov, Microsoft.com, inforamp.net, etc.)
followed by Third Level Domain, and so on.

You can apply for domains for your organization. First, go to the Internet's Network Information Center (InterNIC) to find out if the domain you have in mind has been registered already. You can also look up their ICANN-accredited registrar database for a registrar. Second, you need to register your domain with a registrar. You have to provide at least two DNS servers to serve DNS requests. If your registration has been approved, then any DNS request to your domain will be forwarded to the DNS servers you are registered with. For example, we have registered xtera-ip.com. InterNIC has put the name xtera into the COM DNS servers and pointed it to the two DNS servers we specified.

Once you have your domain, you can have any number of sub-domains. For instance, you can name one of your computers sales.xtera-ip.com. You don't need InterNIC's approval for creating sub-domains. However, it is important to put DNS information about sales.xtera-ip.com into the DNS servers of xtera-ip.com.

Here is an example of how the DNS hierarchy works. A user at a university sees a link to sales.xtera-ip.com on a web page and clicks it. Her browser will ask the local DNS server dns.utexas.edu about sales.xtera-ip.com. Suppose it is not in the cache of dns.utexas.edu. The DNS server goes to a Root DNS server and finds out the DNS server for COM TLD. The DNS server for COM TLD tells dns.utexas.edu to go to dns1.xtera-ip.com. Finally dns.utexas.edu is given the IP address of sales.xtera-ip.com by dns1.xtera-ip.com.

The most famous DNS server software is BIND (Berkeley Internet Name Domain). BIND provides name resolution service as well as auxiliary services such as primary/secondary backup and caching.

SwiftDNS

One of the problems with traditional DNS servers is TTL. A long TTL means a long update time when IP addresses have been changed. Before the update time is up (i.e.
the TTL has expired), DNS requests may be answered with incorrect information.

AscenLink employs a technology called SwiftDNS for multihoming based on link health state and a traffic re-direct algorithm. SwiftDNS dynamically answers DNS requests to avoid broken or congested links. In order to solve the TTL issue stated above, SwiftDNS maintains a very short TTL and actively sends out updates to internal DNS in case of link status changes.

How does SwiftDNS work?

Figure 6.9 is an example to illustrate how SwiftDNS works. When you turn on Multihoming, SwiftDNS will become effective automatically. In this case, the upper level DNS server for xtera-ip.com has two NS records. They are for the Primary DNS server at 210.58.100.1 and the Secondary DNS server at 215.59.100.1. Both of them point to AscenLink. Two additional public IP addresses, 210.58.100.2 and 215.59.100.2, are designated for Multihoming. In this case, a web site at 192.168.100.1 in the LAN is exposed through these two IP addresses. When both ISP links are working properly, AscenLink replies to DNS requests for www.xtera-ip.com with 210.58.100.2 and 215.59.100.2 at a ratio of 1:2 (weight ratio).
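The Round-Robin note in section 6.2.2 (weights 6:3:1 becoming 6:3 when WAN3 fails) and the 1:2 SwiftDNS answer ratio above follow the same rule: distribute only over links that pass health detection. This Python model is an added example, not AscenLink's algorithm; the smooth weighted round-robin scheduler, the class and the function names are assumptions chosen for illustration.

```python
"""Weighted distribution over working links only (illustrative model)."""
from collections import Counter
from typing import Dict, List, Optional


class LinkPool:
    def __init__(self, weights: Dict[str, int]):
        self.weights = dict(weights)                    # link name -> configured weight
        self.up = {name: True for name in weights}      # result of health detection
        self._credit = {name: 0 for name in weights}    # scheduler state

    def set_health(self, name: str, is_up: bool) -> None:
        """Record a link status change and restart the cycle with the new ratio."""
        self.up[name] = is_up
        self._credit = {n: 0 for n in self.weights}

    def working(self) -> List[str]:
        return [n for n in self.weights if self.up[n]]

    def pick(self) -> Optional[str]:
        """Smooth weighted round-robin restricted to working links."""
        candidates = self.working()
        if not candidates:
            return None                                 # every link has failed
        total = sum(self.weights[n] for n in candidates)
        for n in candidates:
            self._credit[n] += self.weights[n]
        best = max(candidates, key=lambda n: self._credit[n])
        self._credit[best] -= total
        return best

    def distribution(self, sessions: int) -> Counter:
        """Count which link each of `sessions` new sessions would be routed to."""
        return Counter(self.pick() for _ in range(sessions))


def fixed_route(pool: LinkPool, primary: str, fail_over: List[str]) -> Optional[str]:
    """Fixed policy with a fail-over list, as labelled in Figure 6.7."""
    for name in [primary, *fail_over]:
        if pool.up.get(name):
            return name
    return None


def dns_answer(pool: LinkPool, address_of: Dict[str, str]) -> Optional[str]:
    """A record returned for the next query: the public IP of the picked link."""
    link = pool.pick()
    return address_of[link] if link else None


# Public addresses designated for Multihoming in the text above.
PUBLIC_IP = {"ISP1": "210.58.100.2", "ISP2": "215.59.100.2"}

if __name__ == "__main__":
    wan = LinkPool({"WAN1": 6, "WAN2": 3, "WAN3": 1})
    print("all links up :", dict(wan.distribution(100)))
    wan.set_health("WAN3", False)
    print("WAN3 failed  :", dict(wan.distribution(90)))
    print("fixed WAN3   :", fixed_route(wan, "WAN3", ["WAN1", "WAN2"]))

    dns = LinkPool({"ISP1": 1, "ISP2": 2})
    print("both ISPs up :", Counter(dns_answer(dns, PUBLIC_IP) for _ in range(30)))
    dns.set_health("ISP1", False)
    print("ISP1 down    :", Counter(dns_answer(dns, PUBLIC_IP) for _ in range(30)))
```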
Figure 6.9 A Multihoming Example

Assuming ISP1 is down and a DNS request for www.xtera-ip.com comes in, it would not be able to go through 210.58.100.1. But it will be able to reach 215.59.100.1. The Multihoming mechanism in AscenLink detects the link status of WAN1 and answers the request with 215.59.100.2.

6.7 High Availability (HA) Scenarios

6.7.1 Firmware Update Procedure in HA Deployment

The firmware update procedure in HA deployment is different from the non-HA (single unit) procedure, as follows:
- Log onto the Master AscenLink as Administrator, go to [System] -> [Summary] and double check that the peer device is in normal condition.
- Select [Synchronize Configuration] to ensure the configuration file on the Slave device is the same as that on the Master.
- Execute the firmware update. Please wait as this may take a while. When the update is done successfully, the web UI will show an end-of-update message. If there are other problems while updating, PLEASE DO NOT TURN OFF the AscenLink. Repeat this until the firmware is updated to the latest version.
- Make sure the Master device firmware update is done, then turn off the Master power line and wait for the Slave to replace the Master device. Note: The Slave will beep 3 times.
- Log on to the AscenLink Web UI. Make sure Peer Info data is none. Then perform the firmware update action again. Make sure the firmware update steps are done.
- Switch off the system.
- Switch on the Master system, wait for five (5) seconds, and then power on the Slave system.
- Get on the Master's Web UI, go to [System] -> [Summary], and make sure the system firmware is the latest version. Also make sure the peer machine firmware is up to date.
- If there are abnormal behaviors in the DMZ or public IP servers, go to [System] -> [Diagnostic Tools] -> [ARP Enforcement] and do the [Enforce] action.

Note: In all the steps above, the HA serial cable between the Master and Slave CANNOT be removed.
Any abnormal behavior implies firmware update issues. The action then is to power off either one of the dual systems. Remove the network and HA serial cables, and perform the firmware update procedure in a stand-alone scenario for both systems. Then reconnect the network as well as the HA serial cables. If repetitive errors occur during the firmware update process, DO NOT power off the system, and contact your dealer for technical support.

6.7.2 HA Fallback to Single Unit Deployment

The steps to change from HA to single machine deployment are:
- Get on the Web UI using the Administrator account. Go to [System] -> [Summary], select [Synchronize Configuration] to ensure the configurations for Master and Slave are in sync.
- Power off the system not in use. I.e., if the Master machine is to be removed, power the Master system off; the network will function normally once the Slave system takes over. If the Slave is to be removed, then simply power the Slave system off.
- Once the machine is powered off, remove the HA serial cable. Remove the powered-off system and the associated cables.
- If there are abnormal behaviors in the DMZ or public IP servers, go to [System] -> [Diagnostic Tools] -> [ARP Enforcement] and do the [Enforce] action.

Steps of the Slave Take Over are:
- When the Master is in trouble for whatever reason (hardware failure, power failure, HA cable failure, etc.), the Slave will detect the failure and perform the take-over actions.
- The Slave machine will beep three times when it's ready.
- The take-over action is a permanent one, i.e., if the Master fails and the Slave takes over, the Slave becomes the Master. The previous Master, after being repaired and put back on line, will be the Slave in the HA deployment.
- If it is desired to make the Slave become the Master, then simply power cycle the Master system.

Appendix

Table of Contents
Appendix A.1 Default Values
Appendix A.2 Console Mode Commands
Appendix A.3 Firmware Update
Appendix A.4 Configuration File

Appendix A.1 Default Values

In console mode, entering the command resetconfig, or selecting Factory Default in the Web UI, forces AscenLink to do a hard reset and restore all settings to system default.

Users cannot change the Console's account and password. The default username and password are Administrator and ascenlink. They are case sensitive.

The hard reset will restore the Web UI accounts and passwords to factory default: Administrator/1234, and Monitor/5678.

AscenLink also supports SSH logins. The interface for SSH login is the same as that of the console; the username and password are also the same.

WAN Link Health Detection Default Values:
System default values contain the fixed 13 server IPs for health detection. The reset restores default values for all port speed and duplex settings. All ports are restored back to the AUTO state.

Network Setting Default Values:

port 1: WAN1
    IP: 192.168.1.1
    netmask: 255.255.255.0
    IP in DMZ: 192.168.1.2~192.168.1.253
    Default Gateway: 192.168.1.254
    DMZ at port 5
port 2: WAN2
    IP: 192.168.2.1
    netmask: 255.255.255.0
    IP in DMZ: 192.168.2.2~192.168.2.253
    Default Gateway: 192.168.2.254
    DMZ at port 5
port 3: WAN3
    IP: 192.168.3.1
    netmask: 255.255.255.0
    IP in DMZ: 192.168.3.2~192.168.3.253
    Default Gateway: 192.168.3.254
    DMZ at port 5
port 4: LAN
    IP: 192.168.0.1
    netmask: 255.255.255.0
    DHCP Server is off
port 5: DMZ

Fields such as Domain Name Server, VLAN and Port Mapping, WAN/DMZ Subnet Setting are all cleared.

Service Category Default Values:
    Firewall: default security rules apply
    Persistent Routing: no Persistent Routing Rule
    Auto Routing: By Downstream Traffic as default
    Virtual Server: no Virtual Server
    Inbound BM: no BM rule
    Outbound BM: no BM rule
    Cache: No redirection
    Multihome: Disabled

All fields in the Log/Control Category are cleared.

Appendix A.2 Console Mode Commands

This section gives further details on the Console mode commands. Before logging into the serial console via HyperTerminal, please complete the following settings: Bits per second: 9600, Data bits: 8, Parity: None, Stop bits: 1, Flow control: None. The default username and password are Administrator and ascenlink.

help: show the help message
Typing help [COMMAND] will show a detailed message on the usage of a command.
eg: help logout [Enter] will show the usage of the logout command.

arping: find the corresponding MAC address of an IP address
Typing arping [HOST] [LINK] [INDEX] [Enter] will show the MAC address of an IP address. HOST is the IP of the machine, or the domain name, whose MAC address is of interest. LINK is the type of interface used, i.e. WAN, LAN and DMZ. If WAN is selected, please indicate the WAN port number.
eg: arping 192.168.2.100 lan [Enter] will send out an ARP packet from the LAN port to query the MAC address of the machine whose IP address is 192.168.2.100.
Note: If a domain name is to be used in the HOST parameter, the DNS Server must be set in the Web UI function [System]->[Network Setting]->[DNS Server]. For ARP related error messages, please refer to the corresponding ARP reference materials.

enforcearp: force AscenLink's surrounding machines to update their ARP tables
Type enforcearp [Enter] and the system will send ARP packets to machines which are connected to AscenLink in order to update their ARP tables. This is particularly useful for cases where, after the initial installation of AscenLink, machines or servers sitting in the DMZ segment cease to be able to connect to the Internet.
eg: enforcearp [Enter]

logout: exit Console mode
Typing logout [Enter] will exit users out of the Console mode. The system will ask users to re-confirm; enter [y] to proceed or [n] to cancel the logout action.
eg: logout [Enter] y [Enter] to exit out of the Console mode.
ping: test network connectivity
Type ping [HOST] [LINK] [IDX] [Enter] to ping a [HOST] machine for the purpose of detecting the current WAN link health status. HOST is the machine/device users are trying to ping. The LINK parameter can be wan/lan/dmz. If the LINK parameter is wan then users also need to specify the wan port number.
eg: ping www.hinet.net wan 1 [Enter] forces the system to issue the ping command to www.hinet.net via WAN #1.
Note: If a domain name is to be used in the HOST parameter, the DNS Server must be set in the Web UI function [System]->[Network Setting]->[DNS Server]. For ICMP related error messages, please refer to the corresponding ICMP/PING reference materials.

reboot: restart AscenLink
Type reboot [Enter] to restart AscenLink. Type reboot -t TIME [Enter] to restart the AscenLink in TIME seconds.
eg: reboot -t 5 [Enter] to restart the system in 5 seconds.

resetconfig: restore to factory defaults
Type resetconfig [Enter] and the system will ask users to re-confirm. Enter y/n to confirm or cancel the command.
eg: resetconfig [Enter] y [Enter] will reset the system to factory default and reboot.

resetpasswd: reset AscenLink's Administrator and Monitor passwords to factory default
Type resetpasswd [Enter] and the system will ask users to re-confirm. Enter y/n to confirm or cancel the command.
eg: resetpasswd [Enter] y [Enter] to reset the passwords to factory default.

disablefw: disable firewall
Type disablefw [Enter] and the system will re-confirm the command. Then type y [Enter] to disable the firewall or n [Enter] to return to the Console.
eg: disablefw [Enter] y [Enter] to disable the firewall.

setupport: configure the transmission mode for all the AscenLink network port(s)
Typing setupport show [Enter] will show the current transmission modes for all the network ports.
Typing setupport change [INDEX] auto [Enter] will change the (INDEX) network port into AUTO mode.
Typing port-config change [INDEX] [SPEED] [MODE] [Enter] will set the (INDEX) network port into a specific transmission mode.
    INDEX: 1, 2, 3...
    SPEED: 10, 100, 1000
    MODE: half, full
eg:
    setupport show [Enter]
    setupport change 1 auto [Enter]
    setupport change 2 100 full [Enter]
Note:
1. Not all network devices support full 100M speed.
2. This command has no effect on Fiber interface.
3. The INDEX is the port number of the AscenLink port interface; the exact number varies according to the model.

shownetwork: show the current status of all the WAN links available
Type shownetwork [Enter] to display WAN Type, Bandwidth, IP(s) On Local/WAN/DMZ, Netmask, Gateway, and WAN/DMZ Port.
eg: shownetwork [Enter]
Note: This Console mode command can only show the current network status. Use the Web UI to change the network settings should users so desire.

sysinfo: display information regarding AscenLink's CPU and memory
Type sysinfo [Enter] to display AscenLink's CPU, memory and disk space status.
eg: sysinfo [Enter]

traceroute: show the packet routes between AscenLink's specific port and the destination
Typing traceroute [HOST] [TYPE] [INDEX] [Enter] will show the packet routes between the [INDEX] WAN ports and the [HOST] destination. [HOST] can be based on IP or domain name. The LINK parameter can be WAN/LAN/DMZ. If the TYPE parameter is WAN then users also need to specify the WAN port number.
eg: traceroute www.hinet.net wan 1 [Enter] will show the trace routes from WAN link1 to www.hinet.net.
NOTE: If a domain name is to be used in the HOST parameter, then the DNS Server must be set in the Web UI function [System]->[Network Setting]->[DNS Server].

Appendix A.3 Firmware Update

Steps to Update the AscenLink Firmware:
- Before proceeding with the firmware update, ALWAYS back up your system configuration.
- Obtain the latest firmware pack from your SI or VAR.
- Log on to the Web UI as the Administrator and go to function [System] -> [Administration].
- Click on Update to get into the UI page of firmware update.
- Use [Browse...] to select the path to the new firmware image, then select [Upload].
- The firmware update will take a while, so be patient. During the update process BE SURE not to turn off the system or pull the power plug. DO NOT click on the [Upload] button.
- The update is completed when the "Update succeeded" message appears. At this time please power the system off and then on again to restart AscenLink with the new firmware.

If errors occur during the update process, it could be due to one (or more) of the following:
- General error: Please contact your dealer if this happens more than once.
- Invalid update file: Please make sure the new image was updated correctly.
- MD5 checksum error: Image file is corrupted. Please reload and retry.
- Incompatible version/build: Firmware version incompatible. Check with your reseller for the correct version.
- Incompatible model/feature: Firmware image does not match the AscenLink system. Check with your dealer for the correct model and version.
- Incompatible platform: Firmware image does not match the current AscenLink platform. Check with your dealer for the correct model and version.
- Incompatible region: Firmware image does not match the current AscenLink product for the specific geographic region. Check with your dealer for the correct model and version.
- Update error: Please NOTE: if this error message recurs during firmware update, please do not turn off the machine and contact your dealer immediately.
- Unknown error: Contact your dealer.

Appendix A.4 Configuration File

Configuration File Backup and Restore:
- Log into AscenLink as Administrator.
- In the Web UI, go to [System] -> [Administration] and select [Configuration File] -> [Save] to back up the config file to a local machine/notebook.
- To restore a previously saved config file, go to [Configuration File] -> [Restore], select [Browse...] to pick the saved config file and select [Upload].
- Take care NOT to turn off the power during the config file upload process, and do not select the [Upload] button repeatedly.
- Restart AscenLink to put the restored configuration into effect.

If an error occurs during the config file restore process, it is most likely because of one of the following conditions:
- The total WAN bandwidth setting in the restored config file exceeds the max bandwidth defined for the current system. The bandwidth can be either the upload stream or the download stream.
- The restored config file contains a port # exceeding the current port # defined by the system.
- The restored config file contains VLAN parameters not supported by the machine.
- The total # of WAN links in the restored config file exceeds the current system definition.
- Incompatible versions and systems.

Note:
1. The Configuration File is in binary format and should NOT be edited outside of AscenLink tools and systems.
2. The AscenLink Configuration File is backward compatible for the compatible model lines. However, for different models (for example model 1200 and 3000), full compatibility among config files is NOT guaranteed.
3. After the firmware upgrade, users are encouraged to back up the config file.

AC-MENU-AL-E5.3