A customer just bought a LinkProof and has two ISPs:
ISP 1 = 3.3.3.50 /24
ISP 2 = 4.4.4.150 /24
He wants to load balance outbound traffic through each one. For Dynamic NAT use 3.10# and 4.10#.
He has a Guest Network inside, 10.200.200.0/24, and wants all HTTP traffic from it to go to ISP 1.
He also has a partner on the outside, 128.177.28.44, that must be reached through ISP 2; even the Guest Network must go through ISP 2 to reach this partner.
He wants the default aging time to be 300 seconds and application-specific aging times to be:
HTTP 60
DNS 15
HTTPS 600
He also wants to check DNS through each ISP: create health monitoring checks that check www.cnn.com and www.radware.com against 4.2.2.2 and 4.2.2.3.
Chapter 5 – LinkProof Inbound Load-Balancing
• LinkProof Lab 5 – Inbound Load Balancing and Proximity (using WBM)
Lab Goals:
• Configure the LinkProof to perform inbound load balancing
• Test using a DNS lookup utility
• Configure the LinkProof to perform Proximity calculations
Use the configuration from the previous labs.
Step by Step:
Static NAT
1. The first step for inbound is to create static Smart NAT addresses to represent an internal server behind your LinkProofs. You will create two external addresses for this server, one from each Router network space.
LinkProof > Smart NAT > Static NAT Table, click Create: (# is your team number)
From Local Server IP = 192.168.200.10#
To Local Server IP = 192.168.200.10#
Server IP = 1.1.1.100
From Static NAT IP = 1.1.1.20#
To Static NAT IP = 1.1.1.20#
Click Set to save and Create to add the second entry.
From Local Server IP = 192.168.200.10#
To Local Server IP = 192.168.200.10#
Server IP = 2.2.2.200
From Static NAT IP = 2.2.2.20#
To Static NAT IP = 2.2.2.20#
Click Set to save.
Notes:
Internal Range = Range of internal server IPs that you want to define a public IP for. If you have only one server, the Start and End have to be the same IP.
External Range = Range of public IPs for the Internal Range. The external range maps one to one, in sequence. For example:
Internal Range 192.168.200.101 to 192.168.200.105, NHR 1.1.1.100, External Range 1.1.1.31 to 1.1.1.35
This means 101 = 31, 102 = 32 and so on.
2. When complete, check your NAT table. It should have 4 entries: the 2 Dynamic NAT entries and the 2 new Static NAT entries.
LinkProof > Smart NAT > NAT Parameter Summary
3. Once done, browse out from your VNC remote desktop and notice in the client table that you are going out with the Static NAT address.
DNS Configuration
4. The next step in inbound configuration is the DNS configuration. There are two main parts to this configuration. The first part is the Name To Local IP table. This table contains all the host names that the LinkProof will resolve and their Local IP addresses. The Local IP address needs to be the same as the Local Address in the Static NAT configuration.
LinkProof > DNS Configuration > Name to Local IP, click Create
Host Name = www.team#.com
Local IP = 192.168.200.10#
Click Set to save.
5. The next part is the DNS Virtual IP. This IP address is used as the NS record on the SOA DNS server. The best practice is to configure one DNS VIP per ISP, and to also have one on the internal interface (we will explain that one with redundancy).
In our lab we will do the following (50+# means add your team number to 50):
LinkProof > DNS Configuration > DNS Virtual IP, click Create.
DNS IP Address = 1.1.1.50+#
Click Set to save and Create to add another.
DNS IP Address = 2.2.2.50+#
Click Set to save.
6. The last step is to enable the Two Records in DNS Reply feature. This can be used to avoid DNS caching issues and to give clients an alternate address. This feature is also useful in the lab to demonstrate failover. In addition, it is recommended to change the TTL from the default of zero to at least 5 seconds, up to 30 seconds.
LinkProof > DNS Configuration > Response:
DNS Response TTL = 5
Two Records in DNS Reply = enable
Click Set to save changes.
7. To test the response, use a terminal on the Virtual Client and type in:
nslookup www.team#.com 192.168.200.#
8. At this point you can fail one of the two ISPs (disable it) and run the lookup again. You should now get only one A record back.
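The check in steps 7 and 8, combined with the one-to-one range mapping from the Static NAT notes, as an added example that is not part of the original lab guide. It models the answers the lab expects, not LinkProof's own logic; team number 1, the queried server 192.168.200.1, the sample nslookup output and all function names are assumptions.

```python
import ipaddress
import re

# Constructed lab values for team 1 ("#" replaced by 1).
# Row layout: (from_local, to_local, router_ip, from_nat, to_nat)
STATIC_NAT = [
    ("192.168.200.101", "192.168.200.101", "1.1.1.100", "1.1.1.201", "1.1.1.201"),
    ("192.168.200.101", "192.168.200.101", "2.2.2.200", "2.2.2.201", "2.2.2.201"),
]
NAME_TO_LOCAL = {"www.team1.com": "192.168.200.101"}

# Constructed nslookup output with both ISPs up.
SAMPLE_BOTH_UP = """Server:  192.168.200.1
Address: 192.168.200.1#53

Name:    www.team1.com
Address: 1.1.1.201
Name:    www.team1.com
Address: 2.2.2.201
"""

def nat_lookup(local_ip, row):
    """Map local_ip through one Static NAT row; None if outside the row's range."""
    lo, hi, _router, nat_lo, nat_hi = (ipaddress.IPv4Address(x) for x in row)
    if int(hi) - int(lo) != int(nat_hi) - int(nat_lo):
        raise ValueError("local and NAT ranges must be the same size")
    ip = ipaddress.IPv4Address(local_ip)
    if not lo <= ip <= hi:
        return None
    return str(nat_lo + (int(ip) - int(lo)))  # one-to-one, in sequence

def expected_a_records(host, up_routers):
    """One public address per Static NAT row whose router is still up."""
    local = NAME_TO_LOCAL[host]
    pairs = ((row[2], nat_lookup(local, row)) for row in STATIC_NAT)
    return {public for router, public in pairs if public and router in up_routers}

def answers_from_nslookup(text):
    """Addresses after the first 'Name:' line, which skips the queried server."""
    answer = text.partition("Name:")[2]
    return set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", answer))

def check(host, nslookup_text, up_routers):
    """Return (ok, unexpected, missing) for one lookup against the tables above."""
    want = expected_a_records(host, up_routers)
    got = answers_from_nslookup(nslookup_text)
    return got == want, got - want, want - got

if __name__ == "__main__":
    print(check("www.team1.com", SAMPLE_BOTH_UP, {"1.1.1.100", "2.2.2.200"}))
    # Same reply checked with router 2.2.2.200 down: 2.2.2.201 is unexpected.
    print(check("www.team1.com", SAMPLE_BOTH_UP, {"1.1.1.100"}))
```

An address reported as unexpected after a link has been disabled means the reply is still handing out the failed router's Static NAT address.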
Optional Components Proximity:
Note: Proximity is difficult to simulate in the lab since the difference in hops and latency is minimal. This lab is designed to illustrate the principles behind proximity.
9. The first step is to enable proximity on the LinkProof. There are a few options: you can enable it only for Inbound or Outbound traffic, or enable it both ways. In our lab we will enable it both ways.
LinkProof > Proximity > Proximity Parameters > General
Change Proximity Mode = Full Proximity Both
Click Set to save.
10. The next step is to choose the importance of three variables: Hops, Latency, and Load. Depending on the desired result or the network, you can modify which is more important than the others on a scale of 1 to 100, with 100 being the highest.
LinkProof Load Balancing Weights
Hops Weight = 60
Latency Weight = 20
Load Weight = 80
Click Set to save.
11. Open browser connections to various sites from your Virtual Machine (if you changed the IP before, change it back to 192.168.200.10#).
Connect to the LinkProof through the CLI and type in the following command:
lp proximity dynamic-table
This will display the LinkProof’s dynamic proximity table:
Subnet Farm name
• Chapter 5 Review:
What system does the LinkProof rely on for redirecting external clients to internal hosts through various next hop routers?
What kind of records should be placed in a customer’s DNS server to redirect DNS queries to the LinkProof?
What are Virtual DNS Addresses used for?
What actual addresses should be placed in a customer’s DNS server to redirect DNS queries to the LinkProof?
What features can the LinkProof use to help overcome DNS lookup caching?
True or False: If a Next Hop Router is down, the LinkProof will not respond to incoming DNS queries by giving out an address that belongs to the failed router?
In general terms, what is Proximity on the LinkProof?
The LinkProof calculates outbound proximity to what devices?
The LinkProof calculates inbound proximity to what devices?
How does the LinkProof store entries in the Proximity Table?
When configuring proximity, what three factors can be tuned to determine the “best” NHR to use?
Why would load be an important factor to consider?
By default, how long are entries stored in the proximity table on the LP?
Chapter 6 – LinkProof Redundancy
Radware recommends that its LinkProof units be installed in pairs to provide fault tolerance in the case of a single unit's failure. Each pair of devices functions in an Active / Backup configuration; the backup unit will come online should the primary unit fail.