
6. APPENDIXES

6.1. Appendix A: Information Sheets for Configuration

Installation Mode

Elfiq Link Balancer units can be installed in a standalone (single) or failover mode for physical redundancy. The installation mode should be decided first because it can affect the available operation modes or require additional pre-configuration information. In a physical redundancy setup you should also plan for a pair of network switches that can support VLANs.

____ Single unit

____ Physical Redundancy (Two units in high availability mode with switches)

NOTE: The physical redundancy installation requires an EOS version type with failover (FO) support.

At this stage, it is also recommended to check the Configuration Guide and/or the Quick Configuration Guide in order to determine which scenario best matches your desired network infrastructure. This will also help you evaluate the number of physical Ethernet ports needed for your Link LB and the number of switches that might be required.

Once you have completed this evaluation, you will be able to identify the primary link devices, the operating mode of your Link LB for the outside interfaces and the required configuration information.

Primary Link Devices

The primary link is usually the link in operation before installing the Elfiq Link Balancer. The primary link devices are the firewall(s) and other devices having IP addresses in the primary link IP range(s). The Link LB can support multiple devices on the primary link. Devices in high availability (for example two firewalls in failover) are also supported.

The primary link device(s) traffic must pass through the Link LB via the Elfiq inside interface in order to be balanced on different links. The inside interface can be any Link LB port (except the management interface port) and is defined in the configuration.

NOTE: Some advanced configurations use multiple primary links. Typically this is done to install a Link LB to support two existing firewalls without any configuration change to the firewalls, each one operating with its original link IP addresses and default gateway.

Operating Mode for the Outside Interfaces

The Link LB outside interfaces are connected to the link routers. Typically any Ethernet port besides the ports selected for the inside and management interfaces is available to be configured as an outside interface. Depending on your model, you have two or more available ports for the outside interfaces.

Different operating modes are possible:

____ Monomode ____ Multimode

____ Monomode with VLANs ____ Mixed mode

Monomode

One physical port per outside interface/link, no switch is required; crossover cables are used to connect the link routers to the Link LB.

Multimode

One physical port is the outside interface and is connected to an unmanaged switch or the untagged VLAN of a switch. All links are connected to the switch. This mode supports installations in physical redundancy. This mode also supports more links than the available number of physical Ethernet ports.

Monomode with VLANs

One physical port is an 802.1q trunk with multiple outside interfaces. A switch supporting VLAN trunking is required. Each outside interface operates in its own VLAN and is connected to a link. This mode supports installations in physical redundancy. VLANs are also required when monomode cannot be used (more links than the number of available physical Ethernet ports) or when links are not compatible with multimode (multiple DHCP or PPPoE links cannot share the same layer 2 network).

Mixed Mode

Both monomode and multimode or monomode with VLANs are used.

This configuration is typically used and recommended for single unit installations with more than three links and where the LAN Failsafe feature is used. The inside and primary link outside interfaces are configured on the LAN Failsafe ports. Alternate links are configured on different outside interface(s) with an alternate physical port and a switch. This mode isolates the primary link devices and router at layer 2 from the alternate links and supports more links than the number of physical Ethernet ports available for outside interfaces.

NOTE: It is important to carefully plan the required amount of physical Ethernet ports to be sure that your link balancer has enough to suit your needs. For example, the four Ethernet port units must be configured in multimode, monomode with VLANs or Mixed mode to support more than two links. If your model can support multiple link balancer instances (also called Virtual Forwarder Interface or VFI), planning the Ethernet ports for both VFIs is required.

NOTE: The dedicated management interface can be converted to an "outside interface" for the purpose of connecting additional alternate links. When the management interface is converted, you can still manage the unit through its console port or with a direct outside access to a virtual management IP. There are some restrictions involved in the ways to access or configure the unit once the management interface is converted.

Management Interface

In order to manage your Elfiq Link Balancer, the first step is to decide on and/or create a management LAN. Since the Link LB operates at the data link layer of the OSI model, and therefore does not have an IP address, it is impossible to manage the device through its operating interfaces. This design also meets the highest security standards by preventing access to the management function from unsecured networks.

One of the Ethernet ports on the unit, referred to as the management interface (MGMT), is dedicated to the management of the device. It is through this interface that you will be able to connect either with an SSH connection, or with the graphical user interface, in order to configure, manage and update the Elfiq Link Balancer.

IMPORTANT: The management LAN is logically referred to as eth0 for all available models.

For small networks, the management LAN may be connected to your internal network, as you may not have the infrastructure or the desire to dedicate an isolated network to this task.

For larger networks, it is recommended that the management LAN resides on a separate network where access would be limited and filtered behind a firewall. This reduces the risk of possible intruders trying to log in and possibly modify your configuration.

Once you have decided which network will be used as your management LAN, you can then determine the IP address that will be used for the management interface of your Link LB and required system information.

Hostname for the unit (e.g. LinkLB): __________________

Configuration of the management interface (to be connected to a management network or your internal LAN):

IP Address: _____._____._____._____

Subnet Mask: _____._____._____._____

Gateway IP Address: _____._____._____._____

Configuration of the Link LB in physical redundancy (Yes/No): _____ if yes:

Second unit management IP address: _____._____._____._____

Virtual IP address (This IP is shared by both units and used to access the master):

_____._____._____._____

Usage of SNMP service (Yes/No): _____ if yes:

IP address of SNMP server: _____._____._____._____

SNMP community string: ___________________

Usage of NTP service (Yes/No): _____ if yes:

IP address of NTP server: _____._____._____._____

Frequency of refresh (in hours): ___________________

Usage of SMTP e-mail alert service (Yes/No): _____ if yes:

IP address of SMTP server: _____._____._____._____

E-mail addresses to receive alerts: ____________________

____________________

____________________

____________________

Syslog server IP address: _____._____._____._____

NOTE: Any system respecting RFC3164 syslog standards can be used.

Password for mgmt user: __________________

Password for enable user: __________________

NOTE: The management (mgmt) user password has read-only privileges to access the unit status and statistics. The enable user has full privileges to modify the unit configuration.

NOTE: For remote management, you will need an SSH client that supports SSH version 2, such as OpenSSH for UNIX/Linux platforms or PuTTY for Microsoft Windows.

External Links for the Outside Interfaces

Number of links to balance: ____

For each of those links, fill in the following form:

                                        Example                 Primary Link            Link 2                  Link 3
Provider (ISP) name and link type       MY_ISP_NAME, T1         ____________________    ____________________    ____________________
Link IP address of ISP router           194.204.1.1             _____._____._____.____  _____._____._____.____  _____._____._____.____
Primary subnet mask                     255.255.255.128 or /25  ____________________    ____________________    ____________________
Other subnets routed through this link  212.217.1.0/29          ____________________    ____________________    ____________________
Upload and download speed in kbps       1544 / 1544             ________ / ________     ________ / ________     ________ / ________
MTU Size (if known)                     1492                    ________                ________                ________

Primary Link Devices and Outgoing Services

IP address of firewall or router: _____._____._____._____

IP address of second firewall or router (optional): _____._____._____._____

List all other devices installed on the primary link (in parallel with the firewall):

Device                  IP Address on the Primary Link   Note
VPN concentrator        194.204.1.22                     Example
______________________  _____._____._____._____          ____________________
______________________  _____._____._____._____          ____________________
______________________  _____._____._____._____          ____________________

Default source IP address for outgoing traffic (like web browsing): _____._____._____._____

List business critical outgoing services:

Service                 Source IP Address on the Primary Link   Protocol          Port        Note
Outgoing FTP access     194.204.1.115                           tcp               21          Example
Outgoing DNS requests   194.204.1.127                           udp               53          Example
Site to site VPN        194.204.1.22                            udp / ipsec-esp   500 / n/a   Example

IMPORTANT: Some protocols are more complex to balance, especially encrypted protocols such as HA. Also, services such as SMTP can be sensitive to the use of multiple source IP addresses and may need special DNS PTR records. You will need to advise the relevant service providers that, from now on, this service might present itself from various source IP addresses, and have the new ISPs create DNS PTR records.

Incoming Services

List incoming protocols that will need to be balanced associated with their respective IP address on the primary link.

Service and/or URL   IP Address on the Primary Link   Protocol   Port   Note
www.example.com      194.204.1.115                    TCP        80     Example, website server
vpn.example.com      194.204.1.22                     TCP        443    Example, SSL VPN access
mail.example.com     194.204.1.3                      TCP        25     SMTP server

DNS Services Management

Are the DNS servers inside the local DMZ or network (DNS requests will pass through the Link LB) or externally hosted (remote location or via ISP)? _____

If the DNS servers are within my network:

DNS IP addresses: _____._____._____._____

_____._____._____._____

IMPORTANT:

If the DNS servers are hosted internally, once the Link Balancer has been installed, it is strongly recommended that you increase the redundancy of the DNS services by balancing the DNS requests between each external link (primary and alternate links). You will then be able to configure the Link LB for each of those DNS server addresses.

If the DNS servers are hosted externally, you will need to plan the redirection of some DNS queries to the Link LB via each external link (primary and alternate links) in order to properly manage incoming traffic. You will need to verify this procedure with your service provider.

Balancing Notes for Various Protocols and Services

There are a few key points to keep in mind when balancing protocols over different links. Most protocols will balance on multiple links without the need for any special configuration, but some protocols, especially the ones that verify source and destination, or the ones that establish multiple connections on various TCP/UDP ports, may need special configuration or changes in order to be balanced properly.

In most of those cases, using persistent access-lists or persist triggers will be enough, since all connections to a given host will be carried over the same link, for the duration of the session.

Other protocols or types of applications, however, will need to follow strict guidelines in order to be balanced properly.

Below are some examples of the most used protocols and the verifications or changes that need to be performed before they can operate properly.

FTP: Since FTP establishes communication on various ports and exchanges port numbers at layer 7, it needs to be handled in its own specific way. In order to balance FTP traffic, you need to use the protofix ftp statement.

HTTP/HTTPS: HTTP and HTTPS traffic can be balanced without any issues. However, if you host or need to access web applications that require host-based sessions, such as banking sites, you will need to enable persistent access-lists to or from these hosts. This is recommended by default in all Elfiq configuration examples and wizards.

SIP: Since SIP establishes communication on various ports and exchanges port numbers and IP addresses at layer 7, it needs to be handled in its own specific way. In order to balance SIP traffic, you need to use the protofix sip statement.

SMTP: For SMTP servers, source IP verification is often performed to prevent servers from acting as open mail relays.

Therefore, if your SMTP server is hosted externally, you need to make sure that connections are accepted from the determined IP addresses of each of the links. If your SMTP server is hosted internally, to comply with SMTP standards, you should make sure that all IP addresses on which your SMTP servers can accept connections are listed as valid A and MX records in the DNS zone file of each hosted domain. Also, to ensure outgoing mail from the determined IP addresses of each of the links is RFC compliant, each determined IP address for outgoing SMTP must be registered with a PTR record in your ISP's DNS servers. It is the system administrator's responsibility to ensure the PTR record for each SMTP gateway address is registered with the SMTP gateway name. If you are not sure this PTR record is registered properly for your mail server on all your links, you should use the primary link for all outgoing SMTP mail (for example with the OPFA algorithm).
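The PTR, A and MX consistency that the SMTP paragraph above asks for can be verified per link before balanced outgoing mail is enabled. The following is an added example, not code from the Elfiq guide; the DNS answers are a constructed in-memory table (sample values from this sheet plus a made-up second-link address) standing in for a real resolver, and the function names are our own.

```python
"""Per-link SMTP DNS consistency check (added example, not from the Elfiq guide).

For each outgoing SMTP address a link will use, the check confirms:
  1. the address has a PTR record naming the SMTP gateway,
  2. the gateway name's A records include the address (forward-confirmed rDNS),
  3. the gateway name is an MX record of the hosted domain.
A link whose address fails any check should keep using the primary link
(e.g. the OPFA algorithm) until its ISP registers the PTR record.
"""

# Constructed sample DNS data standing in for a real resolver. 194.204.1.3 and
# mail.example.com come from this sheet's examples; 212.217.1.3 is a made-up
# second-link address whose ISP has not yet registered the requested PTR.
SAMPLE_DNS = {
    "A":   {"mail.example.com": ["194.204.1.3", "212.217.1.3"]},
    "MX":  {"example.com": ["mail.example.com"]},
    "PTR": {"194.204.1.3": "mail.example.com",
            "212.217.1.3": "smtp-out.isp2.example.net"},
}


def check_smtp_address(ip, gateway_name, domain, dns=SAMPLE_DNS):
    """Return the list of problems for one outgoing SMTP address on one link.

    An empty list means PTR, A and MX records are consistent for that link.
    """
    problems = []
    ptr = dns["PTR"].get(ip)
    if ptr is None:
        problems.append(f"{ip}: no PTR record registered")
    elif ptr != gateway_name:
        problems.append(f"{ip}: PTR names {ptr}, expected {gateway_name}")
    if ip not in dns["A"].get(gateway_name, []):
        problems.append(f"{ip}: not among the A records of {gateway_name}")
    if gateway_name not in dns["MX"].get(domain, []):
        problems.append(f"{gateway_name}: not an MX record of {domain}")
    return problems


def check_all_links(link_ips, gateway_name, domain, dns=SAMPLE_DNS):
    """Check every link's outgoing SMTP address; returns {ip: [problems]}."""
    return {ip: check_smtp_address(ip, gateway_name, domain, dns)
            for ip in link_ips}


def links_usable_for_outgoing_smtp(link_ips, gateway_name, domain, dns=SAMPLE_DNS):
    """Return the sorted subset of link addresses with no DNS problems."""
    results = check_all_links(link_ips, gateway_name, domain, dns)
    return sorted(ip for ip, problems in results.items() if not problems)
```

With the sample table, only the primary link address passes; the second link is reported as having a PTR that names the ISP's default host instead of the SMTP gateway.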

VPN: Since source IP verification is often performed when establishing VPN tunnels, it is important to make sure that the remote VPN system accepts connections from the determined IP addresses of each of the links, or supports NAT traversal. If not, the VPN tunnel will not be established through the alternate links.

The following are the most commonly used protocols that require special care when included in the list of protocols/applications to be balanced: ESP, H.323, HA, IRC, Kerberos, NFS, Portmapper, RADIUS, RTCP, RTP, VOIP.