DPtech ADX3000 Series Application Delivery Gateway User Configuration Guide

Transcription

1 DPtech ADX3000 Series Application Delivery Gateway User Configuration Guide i

2 Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support. If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. and its sale agent, according to where you purchase their products. Hangzhou DPtech Technologies Co., Ltd. Contact Address: 6 th floor, zhongcai mansion, 68 tonghelu, Binjiangqu, Hangzhou Address code: Declaration ii

3 Copyright 2011 Hangzhou DPtech Technologies Co., Ltd All rights reserved. No Part of the manual can be extracted or copied by any company or individuals without written permission, and cannot be transmitted by any means. Owing to product upgrading or other reasons, information in this manual is subject to change. Hangzhou DPtech Technology Co., Ltd has the right to modify the content in this manual, as it is a user guides, Hangzhou DPtech Technology Co., Ltd made every effort in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind express or implied. iii

4 Table of Contents CHAPTER 1 PRODUCT INTRODUCTION PRODUCT INTRODUCTION WEB MANAGEMENT LOGIN IN TO THE WEB MANAGEMENT INTERFACE WEB INTERFACE LAYOUT 2 CHAPTER 2 SYSTEM MANAGEMENT INTRODUCTION TO THE SYSTEM MANAGEMENT DEVICE MANAGEMENT DEVICE INFORMATION DEVICE STATUS DEVICE CONFIGURATION CLEAR DATABASE SNMP CONFIGURATION INTRODUCTION TO SNMP CONFIGURATION ADMINISTRATOR INTRODUCTION TO ADMINISTRATOR CURRENT ADMINISTRATOR ADMINISTRATOR SETTINGS ADMINISTRATOR AUTHENTICATION SETTINGS LOGIN PARAMETER SETTINGS WEB ACCESS PROTOCOL CONFIGURATION FILE SOFTWARE VERSION 18 CHAPTER 3 NETWORK MANAGEMENT INTRODUCTION TO NETWORK MANAGEMENT INTERFACE MANAGEMENT NETWORK CONFIGURATION VLAN INTERFACE MESSAGE PORT AGGREGATION PORT MIRRORING CONFIGURATION NETWORK OBJECT INTRODUCTION TO NETWORK OBJECT IP ADDRESS MAC ADDRESS SERVICE IPV4 UNICAST ROUTING 36 iv

5 3.5.2 BASIC ROUTING TABLE EQUAL-COST ROUTE BGP RIP OSPF IS-IS GUARD ROUTE MULTICAST ROUTING PIM MULTICAST-ROUTING TABLE POLICY-BASED ROUTING MPLS STATIC FTN/ILM LDP ARP CONFIGURATION DISPLAY ARP STATIC ARP GRATUITOUS ARP DIAGNOSTIC TOOLS PING TRACEROUTE 67 CHAPTER 4 LOAD BALANCING ADVANCED CONFIGURATION SERVER LOAD BALANCING INTRODUCTION TO SERVER LOAD BALANCING REAL SERVICE GROUP REAL SERVICE LOAD BALANCING LINK LOAD BALANCING 74 CHAPTER 5 LOG MANAGEMENT SYSTEM LOG LATEST LOG LATEST LOG LOG FILE OPERATION LOG CONFIGURATION OPERATION LOG LATEST LOG OPERATION LOG QUERY LOG FILE OPERATION LOG CONFIGURATION SERVICE LOG 82 v

6 CHAPTER 6 FIREWALL PACKET FILTERING POLICY INTRODUCTION TO PACKET FILTERING POLICY PACKET FILTERING POLICY INTRODUCTION TO PACKET FILTERING POLICY ALG CONFIGURATION NAT INTRODUCTION TO NAT SOURCE NAT DESTINATION NAT ONE TO ONE NAT ADDRESS POOL ALG CONFIGURATION IPV4 BASIC DDOS PROTECTION DEFEND OBJECT MANAGEMENT CONFIGURATION AND TENDENCY PROTECTION HISTORY SESSION MANAGEMENT SESSION LIST SESSION PARAMETER 98 CHAPTER 7 HIGH AVAILABILITY VRRP HOT STANDBY COOL STANDBY INTERFACE SYNCHRONIZATION GROUP 102 vi

7 List of Figures Figure 1-1 WEB management interface... 2 Figure 1-2 Web Interface Layout... 3 Figure 2-1 System management... 4 Figure 2-2 Device information... 5 Figure 2-3 Device status... 6 Figure 2-4 Device information settings... 7 Figure 2-5 System name... 7 Figure 2-6 System time... 8 Figure 2-7 System threshold... 8 Figure 2-8 System parameter settings... 9 Figure 2-9 Clear database... 9 Figure 2-10 SNMP version configuration Figure 2-11 Device information Figure 2-12 NAT traverse Figure 2-13 IP address list Figure 2-14 Current administrator Figure 2-15 Administrator settings Figure 2-16 Administrator authentication settings Figure 2-17 Login parameter settings Figure 2-18 WEB access protocol Figure 2-19 Configuration file Figure 2-20 Software version Figure 3-1 Network management menu Figure 3-2 Network configuration Figure 3-3 VLAN configuration Figure 3-4 VLAN interface configuration Figure 3-5 Network diagram of VLAN configuration Figure 3-6 Interface message Figure 3-7 Port aggregation Figure 3-8 Logic interface Figure 3-9 Port mirroring configuration Figure 3-10 Security zone Figure 3-11 IP Address object Figure 3-12 IP Address object Figure 3-13 IP address object group Figure 3-14 IP address object cluster Figure 3-15 MAC address Figure 3-16 MAC address Figure 3-17 Predefined service object Figure 3-18 Customized service object Figure 3-19 Service object group Figure 3-20 Configuring static route Figure 3-21 Basic routing table Figure 3-22 Detailed routing table i

8 Figure 3-23 Equal-cost route Figure 3-24 Configuring BGP Figure 3-25 Configuring BGP Figure 3-26 BGP advanced configuration Figure 3-27 Configuring BGP Figure 3-28 BGP neighbor information Figure 3-29 Configuring RIP Figure 3-30 Displays RIP state Figure 3-31 Displays RIP state Figure 3-32 Configuring OSPF Figure 3-33 Configuring OSPF Figure 3-34 Interface configuration Figure 3-35 OSPF interface Figure 3-36 Displaying OSPF neighbor Figure 3-37 Configuring IS-IS Figure 3-38 IS-IS neighbor Figure 3-39 ISIS LSP Figure 3-40 Traceroute Figure 3-41 Configuring IGMP Snooping Figure 3-42 IGMP Snooping Figure 3-43 PIM multicast routing table Figure 3-44 Policy-based routing Figure 3-45 Enable MPLS forwarding function Figure 3-46 Configuring static FTN Figure 3-47 Configuring static ILM Figure 3-48 LDP configuration Figure 3-49 Interface configuration Figure 3-50 Egress configuration Figure 3-51 Authentication configuration Figure 3-52 LDP neighbor information Figure 3-53 LDP session Figure 3-54 LIB basic information Figure 3-55 Network diagram of MPLS configuration Figure 3-56 Display ARP Figure 3-57 Static ARP Figure 3-58 Network diagram for configuring static ARP entries Figure 3-59 Gratuitous ARP Figure 3-60 Ping Figure 3-61 Traceroute Figure 4-1 Load balancing Figure 4-2 Advanced configuration Figure 4-3 Virtual service Figure 4-4 Real service group Figure 4-5 Virtual service Figure 4-6 Virtual service Figure 5-1 Latest log Figure 5-2 System log query ii

9 Figure 5-3 System log file operation Figure 5-4 Log configuration Figure 5-5 Latest log Figure 5-6 Operation log query Figure 5-7 System log file operation Figure 5-8 Operation log configuration Figure 5-9 Service log Figure 6-1 Packet filtering policy Figure 6-2 Packet filtering policy Figure 6-3 Address pool Figure 6-4 Source NAT Figure 6-5 Destination NAT Figure 6-6 One to one NAT Figure 6-7 Address pool Figure 6-8 Alg configuration Figure 6-9 Defend object management Figure 6-10 Traffic and status monitoring Figure 6-11 DDOS defend settings Figure 6-12 Protection history Figure 6-13 Global DDOS TCP configuration Figure 6-14 ICMP Figure 6-15 Global DDOS UDP configuration Figure 6-16 Global DDOS log Figure 6-17 Session list Figure 6-18 Session parameter Figure 7-1 High availability Figure 7-2 VRRP configuration Figure 7-3 Monitory IP address object Figure 7-4 Hot standby Figure 7-5 Cool standby Figure 7-6 Interface synchronization group iii

10 List of Tables Table2-1 Device information... 5 Table2-2 Device status... 6 Table2-3 System threshold configuration items... 8 Table2-4 Administrator management features Table2-5 Current administrator list Table2-6 administrator settings list Table2-7 Administrator authentication setting Table2-8 Login parameter settings Table2-9 WEB access protocol configuration item Table2-10 Configuration file Table2-11 Software version list Table3-1 Network configuration Table3-2 VLAN configuration items Table3-3 VLAN interface configuration Table3-4 Port aggregation group Table3-5 Port mirroring configuration Table3-6 Port mirroring configuration Table3-7 Security zone Table3-8 IP address object Table3-9 IP address object Table3-10 IP address object group Table3-11 IP address object cluster Table3-12 Predefined service object Table3-13 Basic routing table Table3-14 Detailed routing table Table3-15 System configuration Table3-16 BGP configuration Table3-17 RIP protocol configuration Table3-18 Displays RIP state Table3-19 OSPF area configuration Table3-20 OSPF interface configuration Table3-21 OSPF interface Table3-22 Displaying OSPF neighbors Table3-23 IS-IS advanced configuration Table3-24 IS-IS interface configuration Table3-25 IS-IS neighbor Table3-26 ISIS LSP Table3-27 IGMP protocol configuration Table3-28 Multicast routing table Table3-29 Policy-based routing Table3-30 Policy-based routing Table3-31 Static FTN configuration items Table3-32 Static ILM configuration item i

11 Table3-33 System configuration Table3-34 Interface configuration Table3-35 Egress configuration Table3-36 Authentication and policy configuration Table3-37 LDP neighbor information Table3-38 LDP session information Table3-39 LIB basic information Table3-40 Current ARP entries Table3-41 Current ARP entries Table3-42 Gratuitous ARP Table3-43 Traceroute Table4-1 Advanced configuration Table4-2 Basic configuration of virtual service Table4-3 Advanced configuration of virtual service Table4-4 Advanced configuration of virtual service Table4-5 Real service configuration items Table5-1 Latest log Table5-2 System log searching conditions Table5-3 System log file operation Table5-4 System log configuration items Table5-5 Latest log configuration items Table5-6 Operation log query configuration items Table5-7 Operation log file configuration items Table5-8 Operation log configuration items Table5-9 Service log configuration Table6-1 packet filtering policy Table6-2 Packet filtering policy Table6-3 Configuring action Table6-4 packet filtering policy Table6-5 Alg configuration Table6-6 Source NAT configuration Table6-7 Destination NAT configuration Table6-8 One to one NAT configuration Table6-9 Address pool configuration Table6-10 Alg configuration Table6-11 Defend object management Table6-12 Traffic and status monitoring Table6-13 DDOS defend settings Table6-14 Session list Table7-1 VRRP configuration items Table7-2 Monitor IP address object Table7-3 Hot standby configuration Table7-4 Hot standby configuration Table7-5 Hot standby configuration ii

12 Chapter 1 Product Introduction 1.1 Product introduction With data center and Internet application development, we found that even if network infrastructure is good, such as 10G switching, 1G routing and fiber cabling, it more or less emerges low speed access and low stability problems in key application. In the past, we solve the problems by using layer 4 load balancing device to manage flow and share service on network exit link and data center. While network application complicated, new application is increasing, such as Web2.0, VoIP, stream media, and traditional layer 4 load balancing device mainly care about network layer stability, not the application layer delivery process. Therefore, it can t provide comprehensive, fast, available and security application delivery capability for users. Upgraded and expanded from traditional layer 4 load balancing device, DPtech ADX3000 series application delivery platform integrate load balancing, application optimization and security protection function distribute access requests from client to data center servers reasonably through dozens of health check and load balancing scheduling algorithm, so that it can ensure data center respond speed and continuity, greatly promoting server effect and elasticity. Through static entry matching and dynamic link detection technology, DPtech ADX3000 series application delivery platform can detect and monitor the status of several links in real time which ensure flow distributed to different links reasonable and fast. And through TCP optimizing, TCP multiplexing, and SSL unloading/accelerating, compressing, and caching technology to enhance user access speed and application experience. Through DDoS protection, it can ensure data center continuous availability. DPtech ADX3000 series application delivery platform support routing, high density port, 10G port and NAT, DR, link and sandwich network mode, easily to be controlled and managed. DPtech ADX3000 series application delivery platform eliminate the isolation of network and application, which satisfy the enlarging scale of network users and higher requirement for the application service, enhance user access speed and access security and 7 24 uninterrupted stabitlity, greatly reduce operation cost. First 100G application delivery platform in the industry, with strong process capacity and comprehensive application delivery capability, and large amount interfaces, DPtech ADX3000 series application delivery platform can be applied to the data center and network exit in all kinds of industries and network operators, providing service reliability, enhancing service respond speed and creating your business value conveniently and flexibly. 1.2 WEB management Login in to the Web Management Interface This section introduces how to log in to the web management interface: Make sure that the host can communicate with the management port of the ADX. Open an IE browser and access the IP address of the management port using HTTP. Enter username and password in the interface shown in Figure 1-1 and click login to access the Web management interface of the ADX device. 1

13 Figure 1-1 WEB management interface! Note: It is recommended that you should use IE 6.0 or higher. The resolution should be 1024 x 768 or higher. <Backward>, <Forward> and <Refresh> are not supported on the Web management interface. If you use these buttons, the Web page may not be displayed properly. By default, the name of the management port is meth0_0, and the IP address is Both of the default username and the default password are admin. You can use the default username for the first login, but it is strongly recommended that you should change your password. For how to change your password, see the Section xxxx. After you log in, if you don t perform any operations within 5 minutes, the connection will timeout and go back to the login page. Up to 5 administrators are allowed to log in to the Web management interface at the same time Web Interface Layout Figure1-2 shows the main page of the Web management interface of the ADX device. 2

14 Figure 1-2 Web Interface Layout (1)Navigation bar (2)Shortcut area (3)Configuration area Navigation bar: Lists all of the Web management function menus. You can choose the desired function menu, which is shown in the configuration area. Shortcut area: Shows the directory of the current page, as well as the status of the device. This area also provides function buttons, including Collapse, Homepage, Restart, Help and Logout. Configuration area: Provides an area for configuring and viewing the device. 3

15 Chapter 2 System Management 2.1 Introduction to the system management System management provides system management function for users, including Device management Administrator Configuration file Signature database Software version NTP configuration Virtual system VRF Digital certificate Hot standby SNMP TR069 (SWMP) Select ADX > System management from navigation tree to enter system menu, as shown in Figure 2-1. Figure 2-1 System management 2.2 Device management Device information Device information helps users to understand the information of the system and device, displays system name, time and time zone, memory, external memory, serial number, PCB hardware version, software version, the factory default management interface, CPLD hardware version, Conboot version and power of the current system. Select ADX > System management > Device management > Device information from navigation tree to enter device information interface click, as shown in Figure

16 Figure 2-2 Device information Table2-1 describes the details of device information field. Table2-1 Device information System name System time System time zone Memory External memory size Serial number PCB hardware version Software version Default management interface information CPLD hardware version Conboot version Power Displays the system name Displays the system current time Displays the system time zone Displays the memory capacity Displays the external memory type and capacity Displays the hardware serial number Displays the PCB hardware version Displays the information about system software version Displays the default management interface name and IP address Displays the CPLD hardware version Displays the Conboot basic segment version Displays the power of device power supplies Note: After you logging in into web management interface, the homepage you can see is the Device information interface. 5

17 2.2.2 Device status Device status function is used to display the current status of the system, helps user understand the usage of CPU, memory, disk and CF card and working status of fans and power supplies, and the CPU, mainboard temperature. Select ADX > System management > Device management > Device status from navigation tree to enter device status interface, as shown in Figure 2-3. Figure 2-3 Device status Table2-2 describes the details of device status. Table2-2 Device status CPU usage Displays real-time CPU usage When CPU usage exceeding threshold, it displays red light; Or else, it displays green light Memory usage Displays real-time memory usage When memory usage exceeding threshold, it displays red light; Or else, it displays green light Hardware usage Displays real-time hardware disk usage When hardware usage exceeding threshold, it displays red light; Or else, it displays green light CFcard usage Displays real-time CF card usage When CF card usage exceeding threshold, it displays red light; Or else, it displays green light Fan status Displays the current status of fans When fan broken down, it displays red light; Or else, it displays green light Power status Displays the current status of power supply When power supply broken down, it displays red light; Or else, it displays green light CPU temperature Displays the current temperature of CPU When power supply broken down, it displays red light; Or else, it displays green light Mainboard temperature Displays the current temperature of mainboard When mainboard broken down, it displays red light; Or else, it displays green light 6

18 Note: When you put your mouse pointer on the indicator light, you can view the real-time data of device status. On the upper side of WEB configuration interface, it displays the CPU, memory usage, and fan, power supply working status Device configuration Device information settings Device information settings allow you to set the system name, system time, and system threshold. Select ADX > System management > Device management > Device configuration from navigation tree to enter device configuration interface, as shown in Figure 2-4. Figure 2-4 Device information settings System name function allows you to configure the system name so that it can be easily managed. Select ADX > System management > Device management > Information settings from navigation tree to enter device information settings interface, as shown in Figure 2-5. Figure 2-5 System name To modify the system name item: Select Information settings tab and type in the reconfigured system name. 7

19 Click Ok button in the upper right corner on the webpage. After that, new settings take effect immediately. System time function allows you to configure the system time and synchronize with current time Select ADX > System management > Device management > Device information settings from enter device information settings interface and then you can view the system name configuration, as shown in Figure 2-6. Figure 2-6 System time To modify the system time items: You can select Information settings tab and type in the reconfigured zone, data and time. Click Ok button in the upper right corner on the webpage. After that, new settings take effect immediately. System threshold function can help users understand the system hardware usage and temperature threshold. Select ADX > System management > Device management > Device information settings from navigation tree to enter device information settings interface and then you can view system threshold configuration, as shown in Figure 2-7. Figure 2-7 System threshold Table2-3 describes the system threshold configuration items Table2-3 System threshold configuration items 说明 CPU usage threshold Memory usage threshold Hardware usage threshold CPU temperature threshold Mainboard temperature threshold Allows you to set CPU usage threshold Allows you to set memory usage threshold Allows you to set hardware usage threshold Allows you to set the lower limit and upper limit for the CPU temperature threshold Allows you to set the lower limit and upper limit for the mainbaord temperature threshold To modify the system threshold item: 8

20 You can select the Information settings tab Reconfigure the system threshold in correct place Click Ok button in the upper right corner on the webpage. After that, new settings take effect immediately.! Note: Please properly set the system threshold according to hardware specification. If there is no special requirement, please adopt the default. The indicator light turn to red from green when device hardware usage and CPU, mainboard temperature exceeding threshold. Please contact administrator to solve the problem System parameter settings System parameter settings provides packet transmitting specification configuration for users, including fast forwarding parameter settings, high-end session parameter settings, TCP session parameter settings, UDP session parameter settings, drive queue parameter settings, checksum check, high-end mode settings, DPI depth, DDOS parameter settings. Select ADX > System management >Device management > System parameter settings from navigation tree to enter system parameter settings interface, as shown in Figure 2-8. Figure 2-8 System parameter settings Clear database Clear database provides users with database clearing function for users. When you click the clear database and restart button, the system will be cleared and rebooted. Select ADX > System management >Device management > System parameter settings from navigation tree to enter clear database interface, as shown in Figure 2-9. Figure 2-9 Clear database 9

21 2.3 SNMP configuration Introduction to SNMP configuration SNMP is an application-layer protocol that provides a message format for communication between managers and agents SNMP version configuration Select ADX > System management > SNMP configuration from navigation tree to enter SNMP configuration interface, you can view SNMP version configuration, as shown in Figure SNMP version configuration allows you to select a SNMP version and set the SNMP version parameter settings. At present, it supports SNMPv1, SNMPv2c and SNMPv3 version. Figure 2-10 SNMP version configuration SNMP version configuration: Select SNMP tab Select SNMP version and configure the SNMP version parameter settings, including read community string and read write community string. Click Ok button in the upper right corner on the webpage..after that, new settings take effect immediately Device information Device information provides device information configuration function for users. Select ADX > System management > SNMP configuration from navigation tree to enter SNMP configuration interface, you can view device information function, as shown in Figure Figure 2-11 Device information To configure device information: Select SNMP tab Configure the device information, including device location, contact information and trap destination host and send trap when configure items 10

22 Click Ok button in the upper right corner on the webpage. After that, new settings take effect immediately NAT traverse NAT traverse provides NAT traverse primary channel and command channel configuration for users. Select ADX > System management > SNMP configuration from navigation tree to enter SNMP configuration interface, you can view NAT traverse function, as shown in Figure Figure 2-12 NAT traverse To configure NAT traverse function: Select SNMP from navigation tree to enter SNMP channel interface Select NAT traverse channel and set the configuration information, including managed device source port and management server IP, management server port and time interval Click Ok button in the upper right corner on the webpage. After that, new settings take effect immediately IP address list IP address list function allows a certain administrators access MIB according to which IP address you added into the IP address list. Select ADX > System management > SNMP configuration from navigation tree to enter SNMP configuration interface, you can view IP address list function, as shown in Figure Figure 2-13 IP address list To configure IP address list: Select SNMP from navigation tree to enter SNMP interface Enter an IP address or an IP segment, such as /32 or /24, a And then click the Add button Finally, Click Ok button in the upper right corner on the webpage. After that, new settings take effect immediately. 11

23 2.4 Administrator Introduction to administrator Administrator module provides administrator management functions, which allows you to add, modify and delete an administrator. Users can login into web management interface with different permission and different authentication methods and users can select web access protocol and port. Table2-4 describes the details of administrator management features. Table2-4 Administrator management features Current administrator Administrator settings You can view the current administrator who has logged into the system. The current administrator you ve used to login can kick out other administrators. Allows you to add or delete an administrator and modify the password. Also, it allows you to set the configure range for the administrator who has not logged into the system and allows you to modify the administrator status expect the administrator you ve used to login. Administrator settings authentication Allows you to configuration administrator authentication settings, including local authentication settings and Radius authentication settings. Login parameter settings Allows you to configure the login parameter settings, including timeout settings, login lock settings and unlock time and password strength settings Current administrator Current administrator function allows you to view the current administrator who has logged into the system. Select ADX > System management > Administrator > Administrator from navigation tree to enter the administrator interface, as shown in Figure Figure 2-14 Current administrator Table2-5 describes the current administrator list. Table2-5 Current administrator list Administrator Displays the name of current administrator 12

24 Login time Last access time Login IP address Displays the specific time of current administrator Displays last time when you access to the web interface Displays the login IP address of current administrator Operation Click the kick out icon to quit the current administrator Administrator settings Administrator settings functions allow you to add and modify and delete an administrator. Select ADX > System management > Administrator > Administrator from navigation tree to enter the administrator settings interface, as shown in Figure Figure 2-15 Administrator settings Table2-6 describes the details of administrator settings list. Table2-6 administrator settings list Administrator You can view the name of administrator which created in the system. Administrator name composed of letters with case sensitive, number and special character. _ -. It must begin with letter or number, and the length is 3 characters to 20 characters. Password Allows you to set the password when you logging into the device. Administrator password composed of letters with case sensitive and allows to use special character, such as ()-+= []:;/_, the length is 3 characters to 128 characters. Confirm password Password and confirm password must be same. If not, the system will prompt you when you submit the setting. Allows you to set description for an administrator. Administrator description composed of letter, number, space and special characters._ -, the length is 0 to 40 characters. Permission Allows you to set administrator permission. Different administrator login into the device with different permission. 13

25 Status Allows you to set administrator status, including lock status or normal status Lock: means that the administrator has been locked, you cannot login into the WEB interface Normal: means that the administrator isn t locked, you can login into the WEB interface. Operation Click the delete icon to delete an administrator. To add an administrator: Click the copy icon. In the new line, you can configure administrator settings, including administrator name, password, confirm password and description. Select option in the configure authority column, including super, system configuration, business configuration, and log configuration, which allows administrator to access to web with different authority. Click Ok button in the upper right corner on the webpage To modify an administrator: Select an administrator which you want to modify If you want to modify the administrator password, please move your mouse pointer to the password that the mouse pointer becomes an icon, click the password and then modify the password. Password and confirm password must be same Click Ok button in the upper right corner on the webpage If you want to modify other administrators, you can repeat the above steps. To delete administrator: Select an administrator which you want to delete In the operation column, click the Delete icon to delete an administrator Click Ok button in the upper right corner on the webpage! Note: The default password can not be used when you add an administrator, please set the password according to the rule of administrator settings. When you add an administrator, you cannot lock it. By default, when you add an administrator, it is in normal status. If you want to lock administer, you only can after you ve successfully created it. The system will prompt you when you delete an administrator, please delete an administrator carefully Administrator authentication settings Administrator authentication settings allow you to select a kind of authentication for the administrator to login into WEB management interface, including local authentication and Radius authentication. 14

26 Select ADX > System management > Device management > Device information settings from navigation tree to enter administrator interface and then you can view the administrator authentication settings, as shown in Figure Figure 2-16 Administrator authentication settings Table2-7 describes the details of Administrator authentication settings Table2-7 Administrator authentication setting Local authentication Radius authentication Authenticates administrator s username and password through device. Authenticate administrator s username and password through Radius server. You should configure the following administrator authentication settings: Server IP address Authentication port number Shared key Authentication packet time-out time Authentication packet retransmission times The group to which a radius authentication user belongs Radius authentication rights Login parameter settings Login parameter settings include the timeout setting, the login lock setting, and the unlock time settings, password strength setting. Select ADX > System management > Device management > administrator from navigation tree to enter administrator interface and then you can view the login parameter settings, as shown in Figure

27 Figure 2-17 Login parameter settings 错误! 未找到引用源 describes the details of login parameter settings. Table2-8 Login parameter settings Timeout settings Allows you to set the timeout time for the current login administrator If you don t perform anything on the WEB interface within timeout time, system will kick out the administrator. Login lock settings Unlock time If you type in the error password for several times, the administrator will be locked. Allows you to set the unlock time for administrator Lock: mean that you selected the unlock time is the specific time for an administrator who has been locked. When the time arrives, the locked administrator will unlock. Lock forever: means that if an administrator has locked, the administrator cannot unlock by itself. It only can be modified by the administrator who has system configuration authority to modify administrator status in the administrator settings list. Password strength settings Allows you to select a level for password strength, including high level, medium level, and low level.! Note: If an administrator has locked, whether you type in correct password or not, the system will prompt you that user has been lock, please try again WEB access protocol In Web access protocol interface, you can set the web access protocol and port for login administrator. Select ADX > System management > Administrator > Web access protocol from navigation tree to enter WEB access protocol, as shown in Figure

28 Figure 2-18 WEB access protocol Table2-9 describes the configuration items of WEB access protocol. Table2-9 WEB access protocol configuration item HTTP settings HTTPS settings Allows you to enable HTTP protocol and enter the port number Allows you to enable HTTPS protocol and enter the port number If the system has digital certificate, you can enable the administrator certificate authentication function to enhance WEB security. IP address list Allows you to configure IP address range for administrator to login into web management interface. 2.5 Configuration file Configuration file module provides that user can save the current configuration file to the local system. Through this function, if there are several devices in the network with same configurations, user can configure one of the devices and export configuration file to local system, and then import the configuration from local system, so that it can avoid user to repeat this operations. Select ADX > System management > Configuration file from navigation tree to enter configuration file interface, as shown in Figure Figure 2-19 Configuration file 17

29 Table2-10 describes the details of configuration file Table2-10 Configuration file Configuration file Displays the name of configuration file The first line of configuration file table displays factory default configuration file Last saved Software version Operation Displays the last time when you save the configuration file Displays the software version number that you saved the last time Allows you to save, export, switch and delete configuration file. In the operation column, you can click the save icon to save your configuration file, click the export icon to export configuration file, click the switch icon to switch configuration file, and click icon to delete configuration. To create a configuration file: Click the New config icon in the upper right corner In the new line, you can enter a name for the configuration file and click Save icon To import from local system and apply the application file: Click Browse button which beside file path and then select a configuration file and click Download button And then, the imported configuration file displays in the configuration list, and then click the switch icon System prompt you that switch configuration, after that, system will restart, continue?, and then click Ok button Note: If you want to save, export or delete configuration file, you can click the save icon, export icon, and delete icon. Please refer to the above steps to save, export and delete configuration file. 2.6 Software version Software version function provides that you can manage software version and update software version for a device. Select ADX > System management > Software version from navigation tree to enter software version interfaces, as shown in Figure

30 Figure 2-20 Software version Table2-11 describes the details of software version list. Table2-11 Software version list Image name Image version number Current status Displays software version name Displays software version number Displays software version current status, including in use status and others status Operation Click the save button that you can save a software version on your computer, and click the delete button that you can delete a software version. You cannot delete the in use software version. File path To download a software version, click Browse button and then select a software version and then click the Download image button. To download a software version from local system and apply it: Click the Browse button which beside file path and select a software version, click Download image button Then the software version displays in the software version list. And then you can move your mouse pointer to the next boot software version, then your mouse pointer became pencil icon. And then click mouse, you can view a drop-down list of software version Select a software version for the next boot, which is the software version you download After you finish the above steps, click Ok button in the upper right corner. New software version takes effect after you reboot the device 19

31 Chapter 3 Network management 3.1 Introduction to network management Network management module provides network relevant function for users. The Network management functions provided as follows: Interface management Port mirroring Network object IPv4 unicast routing Multicast routing Policy-based routing MPLS ARP Diagnose tool Select ADX > Network management > Interface management from navigation tree access to the network management menu, as shown in Figure 3-1. Figure 3-1 Network management menu 20

32 3.2 Interface management Network configuration Network configuration function allows you to view and configure the device interfaces. Select ADX > Network management > Network configuration from navigation tree enter the network configuration, as shown in Figure 3-2. Figure 3-2 Network configuration Table3-1 describes the configuration items of network configuration. Table3-1 Network configuration Name Displays the name of the interface (The red down arrow means the interface isn t connected and the green up arrow means the interface is connected. By default, all interfaces is in VLAN1) Operating mode Allows you to configure the interface working mode. When you select layer 2 interface for the interface, you should assign the interface to which VLAN belongs, and when you select layer 3 interface for the interface, you should configure an IP address for the VLAN (vlan-if1) interface Type IP settings VLAN settings Enable/disable Allows you to select the interface to which type belongs (such as WAN, LAN, management interface). When you select layer 2 interface for the interface, you can select access or trunk mode for the interface Allows you to configure the interface configuration and allows you to set an IP address for the VLAN interface Allows you to select the interface to which VLAN belongs Allows you to enable or disable the interface 21

33 Valid IP address/ Mac address Displays the effective IP address of the interface(when you select layer 2 interface for the interface, there is no effective IP address) To set the interface configuration: Select an interface Select working mode for the interface. The working mode includes layer 3 interface and layer 2 interface If you select layer 3 interface working mode, you should select the interface to which type belongs and you should set an IP address for the interface If you select layer 2 interface working mode, you should select the interface to which VLAN belongs and you should configure the default VLAN Click Ok button in the upper right corner VLAN VLAN Select ADX > Network management > VLAN from navigation tree to enter VLAN interface, as shown in Figure 3-3. Figure 3-3 VLAN configuration Table3-2 describes the configuration items of VLAN Table3-2 VLAN configuration items Add VLANs You can add one VLAN or several VLANs. To add VLAN, you can click the Add VLANs button and then enter VLAN start VLAN ID number and end VLAN ID number Delete VLANs You can delete one VLAN or several VLANs. To delete VLAN, you can click the Delete VLANs button and then enter start VLAN ID number and end VLAN ID number VLAN ID Name Displays the sequence number of the VLAN ID Displays the name of the VLAN Display the description of the VLAN 22

34 Type Included port Displays the VLAN to which type belongs. By default, it is static VLAN Displays the port to which VLAN belongs (after you configure the VLAN for the interface ) To add VLAN in batch: Click Add VLANs button Enter the start number and end number Click Ok button in the upper right corner on the webpage VLAN interface configuration Select ADX > Network management > VLAN interface configuration from navigation tree enter VLAN interface configuration interface, as shown in Figure 3-4. Figure 3-4 VLAN interface configuration Table3-3 describes the configuration items of VLAN interface configuration. Table3-3 VLAN interface configuration Name Operating mode Type IP settings Enable/Disable Valid IP/MAC address Allows you to view the name of the VLAN Allows you to view the working mode of VLAN configuration Allows you to view the type of the VLAN interface Allows you to configure an IP address for the VLAN interface Allows you to enable or disable the VLAN interface Allows you to view the IP/MAC address! Note: VLAN ID start number must be no less than end number. And the VLAN ID should not duplicate. 23

35 Figure 3-5 Network diagram of VLAN configuration Interface message Select ADX > Network management > Interface message from navigation tree enter interface message interface, as shown in Figure

36 Figure 3-6 Interface message Port aggregation Port aggregation Through web management interface, users can manually create aggregation group and add the port into aggregation group. Select ADX > Interface > Port aggregation from navigation tree to enter port aggregation interface, as shown in Figure 3-7. Figure 3-7 Port aggregation Table3-4 describes the configuration items of port aggregation. Table3-4 Port aggregation group Serial number Aggregation group ID Aggregation group name Aggregation group type Displays the serial number of the port aggregation group Displays the port aggregation group ID (only allows you to use number) Displays the name of the aggregation group For the aggregation group, select a type which includes static aggregation and dynamic aggregation. 25

37 Port list Select physical port for the aggregation group. Operation Click the Click the copy icon to create an aggregation group. delete icon to delete the aggregation group To configure the port aggregation configuration: Enter the aggregation group ID number For the aggregation group, select a type which includes dynamic type and static type Select which port included in the aggregation group Click the Ok button in the upper right corner on the webpage Port aggregation configuration Port aggregation group status is used to display port aggregation group status. Select ADX > Network> Interface management from navigation tree to enter logic interface, as shown in Figure 3-8. Figure 3-8 Logic interface Table3-5 describes the details of mirroring port configuration. Table3-5 Port mirroring configuration Subinterface name Displays the name of the subinterface Subinterface type Allows you to select a kind of interface for the subinterface, including layer 3 interface and layer 2 interface (access) VLAN ID Interface name Interface ID Displays the sequence number of the VLAN ID Displays the name loopback interface Allows you to configure the interface ID Allows you to configure description for the loop interface Operation Click the copy icon to copy an interface 26

38 Click the delete icon to delete an interface 3.3 Port mirroring configuration Through web management interface, users can configure the port mirroring configuration. Select ADX > Interface > Port mirroring from navigation tree to enter port mirroring configuration interface, as shown in Figure 3-9. Figure 3-9 Port mirroring configuration Table3-6 describes the details of port mirroring configuration. Table3-6 Port mirroring configuration Serial number Mirrored ID group Mirrored group description Source port Destination port Mirrored packet direction Displays the serial number of port mirroring Displays the mirrored group ID Displays the description of mirrored group Displays the mirroring source port Displays the mirroring destination port. Displays the mirrored packet direction, including bidirection, inbound direction and outbound direction. Operation Click the copy icon, and then you can add port mirroring configuration. Click the configuration. delete icon, and then you can delete port mirroring To configure port mirroring configuration: Please enter a mirroring group ID And then you can enter mirroring group description Specify the source port of mirroring port 27

39 Specify the destination port of mirroring port Configure the mirrored packet direction, including bidirection, out direction and in direction. Click the Ok button on the upper right corner. 3.4 Network Object Introduction to network object Network object provides users with the security zone management function, address object, service object. The security zone means the network and the network which connect, In DPX system, it predefines three kind of security zone, including trust zone, untrust zone, and DMZ zone. Each zone representatives a security level, from high level to low level, they are trust, untrust and DMZ. Trust representative the private network. Trust representative public network or insecurity network. Demilitarized Zone (DMZ) is relatively independent security zone. Between outside network and inside network, the DMZ neither belongs to the inside network nor to the outside network. For example, in an e-business network, the hosts require to connect outside, such as Web server, FTP server and mail server. For providing best service reason, DMZ protects the inside network, but also isolate the hosts which connecting outside network from inside network host, which is putting the hosts into DMZ. Thus, DMZ provides firewall policy to the hosts and the hosts which connect outside. In the mean while, it provides the service to outside network, extremely protect the inside network Security zone Select ADX> Network > Network object> Security zone from navigation tree to enter security zone interface, as shown in Figure Figure 3-10 Security zone Security zone configuration Table3-7 describes the details of security zone. Table3-7 Security zone Serial number Displays the serial number. 28

40 Zone name Interface Priority Displays the security zone. Displays the interface to which add in the zone (When the interface belongs to a vlan, it should add into vlan interface). Displays the security priority (By default, the security zone with high priority can visit the security zone with low security. Displays the description for the security zone (optional). Option Click the Click the copy icon, and then you can copy the rule. delete icon, and then you can delete the rule. To configure security zone: Select an interface in the security configuration item. Click Ok button on the upper right corner. To create a security zone: Click the copy icon Type in security zone name, and then select an interface, and then input the new security zone priority. Enter the created security zone description (optional) Click Ok button in the upper right corner on the webpage IP address IP address Select ADX > Network > Network object> IP address > IP Address from navigation tree to enter the IP address object interface, as shown in Figure Figure 3-11 IP Address object 29

41 Table3-8 describes the details of IP address object. Table3-8 IP address object Serial number Name Content Policy reference Displays the serial number of IP address. Displays the name of IP address. Displays the IP address scope and exceptional IP address. Displays the description of IP address. Displays the IP address policy reference Operation Click the copy icon, and then you can copy the IP address configuration item. Click the delete icon, and then you can an IP address configuration item. To create IP address Click the copy icon (except the first line) Enter name and description Enter address description (optional) Click Ok button in the upper right corner IP address group Select Main >DPX> Network > Network object> IP address > IP Address object from navigation tree to enter the IP address object interface, as shown in Figure Figure 3-12 IP Address object Figure 3-9 describes the details of IP address object. 30

42 Table3-9 IP address object Serial number Name Content Policy reference Displays the serial number of IP address. Displays the name of IP address. Displays the IP address scope and exceptional IP address. Displays the description of IP address. Displays the IP address policy reference Operation Click the Click the copy icon, and then you can copy the IP address configuration item. delete icon, and then you can an IP address configuration item. To create IP address Click the copy icon (except the first line) Type in the address name and description Type in the address description (optional) Click Ok button on the right IP address group Select ADX> Network > Network object> IP address >IP address group from navigation tree to enter IP address group interface, as shown in Figure

43 Figure 3-13 IP address object group Table3-10 describes the details of IP address object group. Table3-10 IP address object group IP address object IP address object group Displays all the IP user group created in the address object Creating an IP address group and then add the IP address object into the address object group To create IP address object group: Click the button on the right side of address object group, and then type in the name. Select an IP address in the address object and then drag it into the address object group table. Click the OK button on the upper right.! Caution: Click the Click the pencil icon and then you can modify the copied address object group name. delete icon and then you can delete the copied address object group IP address cluster Select ADX> Network > Network object > IP address > IP address object cluster from navigation tree to enter IP address object group interface, as shown in Figure

44 Figure 3-14 IP address object cluster Table3-11 describes the details of IP address object cluster. Table3-11 IP address object cluster IP address group IP address object cluster Displays all the IP user group created in the address object cluster Creating an IP address cluster and then add the address object group into the address object cluster To create an IP address object cluster: Click the button on the right side of address object group, and then type in the name. Select a group in the address object group table and then drag it into the address object cluster table. Click the OK button on the upper right.! Caution: Click the Click the pencil icon and then you can modify the copied address object cluster name. delete icon and then you can delete the copied address object cluster MAC address MAC address is to divide the network users into groups as MAC address. 33

45 MAC address Select ADX> Network > Network object > MAC address from navigation tree to enter MAC address interface, as shown in Figure Figure 3-15 MAC address MAC address group Select ADX> Network > Network object > MAC address from navigation tree to enter MAC address interface, as shown in Figure Figure 3-16 MAC address Service The service module provides three function, they are pre-defined service object, customize service object and service object group. The pre-defined service function allows user to view the system pre-defined object. The customize service function allows user to configure the service object as user s requirement. The service object group is to form the services into groups, which is easy to be managed Predefined service object Select ADX> Network > Network object > Predefined service object from navigation tree to enter the predefined service interface, as shown in Figure

46 Figure 3-17 Predefined service object Table3-12 describes the details predefined service object Table3-12 Predefined service object Serial number Service name Service content Displays the sequence number of the pre-defined service object Displays the name of the pre-defined service object Displays the content of predefined service object Displays the description of the Customized service object Select ADX> Network > Network object > Customized service object from navigation tree to enter the customized service object interface, as shown in Figure Figure 3-18 Customized service object Service object group Select ADX> Network > Network object > Service object group from navigation tree to enter the service object group interface, as shown in Figure

47 Figure 3-19 Service object group 3.5 IPv4 Unicast routing Configuring static route function provides users with batch configure the static route and manual configure static route. Select ADX > Network > IPv4 unicast routing > Configure static route from navigation tree to enter IPv4 unicast routing interface, as shown in Figure Figure 3-20 Configuring static route To batch configure the static route: Click the Browse button and then select a configuration file from local system. Click the Ok button and then you can batch import static route immediately. Click the Export CSV file button, and then you can export all static route terms. To configure the static route manually: Set the destination subnet IP address, subnet mask. Select outbound interface and configuring next hop address in the network gateway (next hop) row Select route priority, type and weight in the advanced configuration row. 36

48 After you click the OK button, the manually created static routes take effect immediately Basic routing table Displays basic routing table Basic routing table provides users with the querying basic routing table function. Users can search the routing table as all routes or specific destination segment. Select ADX > Network > IPv4 unicast routing > Display basic routing table from navigation tree to enter IPv4 unicast routing interface, as shown in Figure Figure 3-21 Basic routing table Table3-13 describes the details of basic routing table. Table3-13 Basic routing table Destination subnet Subnet mask Gateway(Next hop) Outbound interface Allows you to view the destination subnet IP address. Allows you to view the destination subnet IP address and subnet mask. Allows you to view the network gateway (Next hop) address. Allows you to view the static route outbound interface Display detailed routing table Display detailed routing table allows user to view the detailed information of routing table and allows user to select an option to query the routing table, including All routes, Specify a destination segment and Specify a protocol option. Select ADX > Network > IPv4 unicast routing > Display basic routing table from navigation tree to enter IPv4 unicast routing interface, as shown in Figure

49 Figure 3-22 Detailed routing table Table3-14 describes the details of the detailed routing table. Table3-14 Detailed routing table Destination subnet Subnet mask Gateway (Next hop) Outbound interface Status Protocol Priority cost Type Allows you to view the destination subnet IP address. Allows you to view the destination subnet mask. Allows you to view the gateway (next hop) IP address. Allows you to view the static route outbound interface. Allows you to view the static route active state. Allows you to view the protocol of static route, there age five protocols including static, connect, rip, ospf, bgp, guard. Allows you to view the static route priority. Allows you to view the static route cost. Allows you to view the static route type Equal-cost route Select ADX > Network > Unicast routing>equal-cost route from navigation tree to enter equal-cost route table, as shown in Figure Figure 3-23 Equal-cost route 38

50 3.5.4 BGP The Border Gateway Protocol (BGP) is a dynamic inter-as Exterior Gateway Protocol. A router advertising BGP messages is called a BGP speaker. It establishes peer relationships with other BGP speakers to exchange routing information. When a BGP speaker receives a new route or a route better than the current one from another AS, it will advertise the route to all the other BGP peers in the local AS Configuring BGP Select ADX > Network > IPv4 Unicast routing> Configuring BGP from navigation tree to enter the configuring BGP interface, as shown in Figure Figure 3-24 Configuring BGP System configuration Select ADX > Network > IPv4 Unicast routing> Configuring BGP from navigation tree to enter the configuring BGP interface, and then you can view the system configuration, as shown in Figure Figure 3-25 Configuring BGP 错误! 未找到引用源 describes the details system configuration. Table3-15 System configuration Enable BGP AS-ID Enable BGP. Specify a local AS number. Advanced configuration: 39

51 Select ADX > Network >IPv4 Unicast routing > Configuring BGP from navigation tree to enter the configuring BGP interface, and then you can view the advanced configuration, as shown in Figure Figure 3-26 BGP advanced configuration Figure 3-27 Configuring BGP Route priority Allows you to configure the route priority. By default, route priority is 120 Router update timer Router aging timer Garbage recollection timer Non-direct timer Redistribute a route Allows you to configure the router update timer. By default, router update timer is 30 Allows you to configure the router aging timer. By default, router aging timer is 180 Allows you to configure the garbage recollection timer. By default, garbage collection timer is 120 Enter an IP address for the non-direct timer and then click Add button to add the IP address into the right box. To delete the IP address, click Delete button Allows you to select which kind of route to redistribute To configure BGP advanced configuration: Click Enable BGP selection box Enter AS-ID number, such as 1 Click advanced configuration to configure BGP advanced configuration, including route priority, router update timer, router aging timer, garbage recollection timer, non-direct timer, redistribute a route function. And then click Ok button in the upper right corner on the webpage 40

52 BGP neighbor Select ADX > Network management> IPv4 Unicast routing>bgp protocol from navigation tree to enter BGP neighbor interface, as shown in Figure Figure 3-28 BGP neighbor information Table3-16 describes the details of BGP neighbor information. Table3-16 BGP configuration Neighbor IP Neighbor AS Neighbor ID Neighbor status Local outbound interface Establish time Timeout time Displays the IP address of BGP neighbors Displays the AS number of BGP neighbors Displays the ID number of BGP neighbors Displays BGP neighbor status Displays local outbound interface Displays the time when BGP neighbors established Displays the timeout time of the BGP neighbors establishing relationship RIP Configuring RIP Select ADX > Network > IPv4 Unicast routing> RIP from navigation tree to enter the configuring RIP interface, as shown in Figure

53 Figure 3-29 Configuring RIP Table3-17 describes the details of rip protocol. Table3-17 RIP protocol configuration Interface Enabling status Authentication information Advanced configuration Displays all interfaces of the device. Select whether to enable RIP protocol. Specify the authentication information for the interfaces. Specify rip protocol and its properties for the interfaces. To configure RIP interface configuration: Enable RIP, and then select an interface, and then enable the interface. Configure RIP authentication information (including plain text, MD5 authentication and none) In advanced configuration, you can select receive or send RIP protocol version. Select active mode as working mode (active is default working mode) Select whether to enable split horizon Click Ok button on the upper right corner Displays RIP status Select ADX > Network > IPv4 Unicast routing> RIP from navigation tree to enter the configuring RIP interface, as shown in Figure

54 Figure 3-30 Displays RIP state Table3-17 describes the details of RIP state Table3-18 Displays RIP state Interface Enabling status Authentication information Advanced configuration Displays all interfaces of the device. Select whether to enable RIP protocol. Specify the authentication information for the interfaces. Specify rip protocol and its properties for the interfaces. To configure RIP interface configuration: Enable RIP, and then select an interface, and then enable the interface. Configure RIP authentication information (including plain text, MD5 authentication and none) In advanced configuration, you can select receive or send RIP protocol version. Select active mode as working mode (active is default working mode) Select whether to enable split horizon Click Ok button on the upper right corner. 43

55 Figure 3-31 Displays RIP state Enable interface Send version Receive version Neighbor IP address Bad packets Bad route Priority Last update time Allows you to view which interface enables RIP Allows you to view the RIP protocol sending version Allows you to view the RIP protocol receiving version Allows you to view the IP address of BGP neighbors Allows you to view the bad packets of BGP neighbors Allows you to view the bad route between BGP neighbors Allows you to view the route priority Allows you to view the last time that the route update OSPF Configuring OSPF Select ADX > Network >IPv4 Unicast routing> OSPF from navigation tree to enter OSPF interface, as shown in Figure Figure 3-32 Configuring OSPF 44

56 Advanced configuration: Select ADX > Network >IPv4 Unicast routing> OSPF from navigation tree to enter OSPF interface, as shown in Figure Figure 3-33 Configuring OSPF Table3-19 describes the details of OSPF protocol area configuration. Table3-19 OSPF area configuration Area ID Enable the interface Advanced configuration Displays the area ID number Specify the area interface Specify the area advanced configuration. Operation Click the Click the copy icon, and then you can add new area. delete icon, and then you can delete the area. OSPF protocol area configuration: 45

57 Type area ID Add the interface which belongs to the area Configure the area advanced configuration Click the Ok button on the upper right. Interface configuration: Select ADX > Network >IPv4 Unicast routing> OSPF from navigation tree to enter OSPF interface and then you can view the interface configuration, as shown in Figure Figure 3-34 Interface configuration Table3-20 describes the details of OSPF interface configuration. Table3-20 OSPF interface configuration Interface Hello time interval Dead time interval Authentication information Advanced configuration Displays all interfaces of the device. Specify the time interval of received hello packet. Specify the Dead time interval of unreceived hello packet. Specify the OSPF protocol authentication Specify the interface all advanced properties of OSPF protocol OSPF protocol interface configuration: Sets interface sending Hello packet time interval Sets interface sending dead packet time interval Configure the authentication information of OSPF protocol (including plain text authentication and MD5 authentication and non authentication) 46

58 In the advanced configuration, you can configure the interface cost, dr elects priority, and dr elects priority and working mode and interface type. Click the Ok button on the upper right corner. Note: To configure the OSPF protocol, you should add interface into area configuration Displaying OSPF interface Select ADX > Network >IPv4 Unicast routing> Displays OSPF interface from navigation tree to enter displays OSPF interface, as shown in Figure Figure 3-35 OSPF interface Table3-21 describes the details of OSPF interface information Table3-21 OSPF interface Query item Keyword Interface name Area State COST DR BDR Neighbor count Select an item which you want to query. Displays interface information which contains keyword. Displays OSPF interface Displays interface area. Displays interface status. Displays interface COST value. Displays the area DR of the interface Displays the area BDR of the interface Displays neighbor of the interface Displaying OSPF neighbor Select ADX > Network > IPv4 Unicast routing> OSPF > Displaying OSPF neighbor from navigation tree to enter the displaying OSPF neighbors interface, as shown in Figure

59 Figure 3-36 Displaying OSPF neighbor Table3-22 describes the details of the displaying OSPF neighbors Table3-22 Displaying OSPF neighbors Query item Keyword Neighbor ID Neighbor IP Priority Neighbor status Area Interface name DR BDR Dead Time Full time Select an item which you want to query. Displays the neighbor information which contains keyword. Displays the neighbor ID Displays the neighbor IP address Displays route priority Displays neighbor connection status Displays the area of the interface. Displays the name of interface Displays the area DR Displays the area BDR Displays the neighbor relationship. Displays how long the relationship established IS-IS Configuring IS-IS Select ADX > Network > IPv4 Unicast routing> IS-IS > Configuring IS-IS from navigation tree to enter the configuring IS-IS interface, as shown in Figure

60 Figure 3-37 Configuring IS-IS Table3-23 describes the details of IS-IS advanced configuration. Table3-23 IS-IS advanced configuration Support IPv6 Level NET Displays whether to enable the IPv6 support. Displays the area. Displays device ID. Table3-24 describes the details of IS-IS interface configuration. Table3-24 IS-IS interface configuration Interface name State Priority Hello interval Hello_multiplier Displays interface name Specify an interface which enables the IS-IS protocol. Specify an elect route protocol Specify Hello time interval Specify hello_multiplier time. 49

61 To configure the IS-IS advanced configuration: Select whether to enable IS-IS function. Click the Advanced configuration Configure the level configuration, including Level1 Level2 Level1andLevel2 Configure the NET configuration: In the figure, it displays the minimum length. Enable the vlan interface Click Ok button on the upper right corner Configuring IS-IS Select ADX > Network > IPv4 Unicast routing> IS-IS > IS-IS neighbor from navigation tree to enter the IS-IS neighbor interface, as shown in Figure Figure 3-38 IS-IS neighbor Table3-25 describes the details of IS-IS neighbor Table3-25 IS-IS neighbor Sys ID Type Outbound interface IPv4 address IPv6 address State Hold Time Circuit ID Displays system ID number Displays the type of area Displays the outbound interface Displays IPv4 address Displays IPv6 address Displays the status Displays the hold time Displays Circuit ID IS-IS LSP Select ADX > Network > IPv4 Unicast routing> ISIS > ISIS LSP from navigation tree to enter the IS-IS LSP interface, as shown in Figure

62 Figure 3-39 ISIS LSP Table3-26 describes the details of ISIS LSP Table3-26 ISIS LSP LSP ID Level Sequence Number Remaining Lifetime Displays the LSP ID. Displays the type of the Level. Displays the sequence number. Displays the remaining lifetime Guard route Select ADX> Network > IPv4 unicast route > Guard route from navigation tree to enter guard route interface, as shown in Figure Figure 3-40 Traceroute 3.6 Multicast routing Introduction to the multi-cast routing By using IGMP Snooping protocol, multicast routing effectively resolve the problem of single point sending and multi point receiving problem, realizing peer to peer transmission in IP network, saving network bandwidth, reducing network bandwidth. Also, through PIM protocol, you can enable the layer 3 multicast IGMP Select ADX> Network >Multicast routing > Configure IGMP snooping from navigation tree to enter multi-cast routing interface, as shown in Figure

63 Figure 3-41 Configuring IGMP Snooping Table3-27 describes the details of IGMP snooping configuration Table3-27 IGMP protocol configuration VLAN Dynamic learning Static configuration Static configuration: router port Displays the VLAN number. Displays the interface status. You can select whether to enable dynamic learning. Displays MAC address and member port Displays which port connect the router. To configure IGMP Snooping configuration: Dynamic mode: select a vlan interface, and then you can enable dynamic learning function for the vlan interface, and then the ports in the vlan negotiate a multicast address. If switches and router connected, you can select the router port. Static mode: You should disable the dynamic configuration. In the static configuration, you should type in multicast address (such as 01:00:5e:01:01:01), and then select members. If switches and router connected, you can select the port which connect router Click Ok button on the upper right corner. Note: The dynamic and static configuration, you can only choose one! PIM Select ADX> Network >Multicast routing > PIM from navigation tree to enter the PIM interface, as shown in Figure

64 Figure 3-42 IGMP Snooping Multicast-routing table Select ADX> Network > Multicast routing> E-BSR status from navigation tree to enter the multicast-routing table, as shown in Figure Figure 3-43 PIM multicast routing table Table3-28 describes the details of multicast routing table. Table3-28 Multicast routing table (*,G)/(S,G) RP Flags Incoming interface RPF nbr Outcoming interface Displays multicast routing table. Displays the distributed root. Displays the flag. Displays the route incoming interface. Displays RPF neighbor. Displays outcoming interface. 53

65 3.7 Policy-based routing Introduction to policy-based routing IP policy-based routing (PBR for short) is a mechanism in which packets are transmitted and forwarded through a specified policy rather than the routing table Policy-based routing Select ADX > Network >Policy-based routing from navigation tree to enter policy-based routing interface, as shown in Figure Figure 3-44 Policy-based routing Table3-29 describes the details of policy-based routing. Table3-29 Policy-based routing Serial number Source subnet Destination subnet TOS Inbound interface Protocol Nexthop Displays the serial number of policy-based routing Specify a route for the source subnet. Specify a route for the destination subnet. Specify a TOS type. Specify the route inbound interface. Specify a route protocol for the policy-based routing. Specify the route next hop. Operation Click the copy icon and then you can copy a route Click the delete icon and then you can delete a route To configure the policy-based routing: You should configure the parameters of source subnet, destination subnet, TOS, inbound interface, next hop Click the Ok button on the upper right corner. Forward by route-policy before route 54

66 Forward by route-policy before route is only for forwarding packet and it first match the route-policy or else match route. That is, its priority is in preference to route. The smaller the serial number, the priority is higher. Forward by route-policy after route Forward by route-policy after route is only for forwarding packet and it first match route or else match route-policy. That is, its priority is inferior to route. Forward by route-policy after route and forward by route-policy before route policy can take effect at same time. The smaller the serial number, the priority is higher. Local route-policy Forward by route-policy after route is only for forwarding packet and it first match route or else match route-policy. The smaller the serial number, the priority is higher. Table3-30 describes the details of policy-based configuration. Table3-30 Policy-based routing Serial number Source subnet Destination subnet TOS Inbound interface Protocol Nexthop Displays the serial number Specify the route-policy source network segment Specify next hop of packet forwarding. Specify route priority and type Specify the interface which belongs to route-policy Specify a protocol which will Configure the nexthop configuration, including outbound interface, nexthop, weigh(you can configure the nexthop weigh if it match two or more rule), healthy check type, health check name(please refer to 5.6.2) Operation Click the Click the copy icon, and then you can copy the policy-based routing. delete icon, and then you can delete the policy-based routing. Click the insert icon, and then you can insert a policy-based routing which priority is in preference to the current policy-based routing. 55

67 3.8 MPLS Introduction to MPLS configuration Multiprotocol Label Switching (MPLS) is a new IP backbone technology. It introduces connection-oriented label switching into connectionless IP networks, and seamlessly integrates the flexibility of IP routing and the simplicity of Layer 2 switching Enable MPLS forwarding function Select ADX> Network > MPLS configuration > MPLS from navigation tree to enter the global configuration interface as shown in Figure Figure 3-45 Enable MPLS forwarding function To enable the MPLS forwarding function: Click the Enable MPLS function Click Ok button in the upper right corner on the webpage Static FTN/ILM Confiuring static FTN The FTN map is used for forwarding unlabeled packets that need MPLS forwarding. Select ADX> Network > MPLS configuration > Static FTN/ILM from navigation tree to enter the static FTN interface, as shown in Figure Figure 3-46 Configuring static FTN Table3-31 describes the configuration items of the static FTN. Table3-31 Static FTN configuration items Destination subnet Next hop Specify a route to the destination subnet address The next hop address of MPLS packet forwarding 56

68 Outbound label Outbound interface Operation Transform IP packet to MPLS packet entrance label Allows you to select MPLS packet forwarding outbound interface Click the copy icon to copy static FTN configuration Click the delete icon to delete static FTN configuration To configure static FTN: Enter an IP segment for the destination subnet Enter next hop IP address Enter a number for the outbound label Select an interface for the MPLS packet forwarding Confiuring static ILM ILM mean Incoming Label Map, which is used when forwarding labeled packets. Select ADX> Network > MPLS configuration > Static FTN/ILM > static ILM, as shown in Figure Figure 3-47 Configuring static ILM Table3-32 describes the configuration items of static ILM. Table3-32 Static ILM configuration item Inbound label Next hop Outbound label Outbound interface Operation Allows you to configure the inbound label which will be switched in MPLS packet Allows you to configure the next hop address for MPLS packet transmitted Allows you to configure the outbound label which will be switched during MPLS packet transmitting Allows you to configure the MPLS packet transmitted outbound interface Click the copy icon that you can copy an ILM configuration item Click the delete icon that you can delete the ILM configuration item 57

69 To configure static ILM: Enter an IP segment for the destination subnet Enter next hop IP address Enter a number for the outbound label Select an interface for the MPLS packet forwarding LDP Introduction to the LDP Label Distribution Protocol (LDP) is MPLS control protocol which is similar to the traditional network signaling protocol, which responsible for the FEC partition and label binding distribution and Label switching path establishment and maintenance, FEC label binding recycle. Through LDP, the network layer routing information can be allowed to map to the data link layer switching patch, so that it can established LSP Configuring LDP Select ADX> Network > MPLS configuration > LDP from navigation tree to enter LDP configuration interface, as shown in Figure Figure 3-48 LDP configuration Table3-33 describes the details of system configuration. Table3-33 System configuration Route ID Label space Allows you to configure local device router identification (support auto choose or manual configure. The router identification must be unique) Allows you to configure label space range mode (By default, the label space 58

70 range mode is platform label space) Label distribution mode Hello label distribution control mode Hello interval Neighbor hold time Session keepalive interval Session IP Initial backoff Dynamic label range Allows you to configure local device distribution label (By default, the local device distribution label is DU mode) Allows you to configure the control mode for the local device distribution label (By default, the control mode is Ordered mode) Allows you to configure the local device interface sending hello packet (By default, the sending interval is 5s) Allows you to configure the dead interval of local device neighbor aging time (By default, the dead interval is 15s) Allows you to configure the dead interval between local device and its neighbor session aging time (By default, the dead interval is 45s ) Allows you to configure the local interface IP address for the local device and its neighbor establishing session(option) Allows you to configure the max duration for session negotiation (By default, the time is two minutes ) Allows you to configure the label range which is used to generate FTN/ILM table(by default, the range is 16 to ) Interface configuration: Select ADX> Network > MPLS configuration > LDP from navigation tree to enter LDP configuration interface and then you can view the interface configuration, as shown in Figure Figure 3-49 Interface configuration Table3-34 describes the configuration items of interface configuration. Table3-34 Interface configuration Descripton Interface name Displays all interfaces of the device 59

71 Descripton Enabling status Advanced configuration Allows you to select whether to enable LDP function on an interface Preserved Egress configuration: Select ADX> Network > MPLS configuration > LDP from navigation tree to enter LDP configuration interface and then you can view the egress configuration, as shown in Figure Figure 3-50 Egress configuration Table3-35 describes the details of egress configuration. Table3-35 Egress configuration Destination subnet Subnet mask Allows you to configure the subnet address for egress binding Allows you to configure the subnet mask for egress binding Operation Click the Click the copy icon to copy an item of egress configuration delete icon to delete the item of egress configuration Authentication and policy configuration: Select ADX> Network > MPLS configuration > LDP from navigation tree to enter LDP configuration interface and then you can view the authentication configuration, as shown in Figure Figure 3-51 Authentication configuration Table3-36 describes the details of authentication configuration and policy configuration. 60

72 Table3-36 Authentication and policy configuration Neighbor ID Md5 password Policy configuration Allows you to configure the route ID for the neighbor router(it must be unique) Allows you to configure the TCP MD5 authentication password (The length of the password must be no greater than 80) Allows you to configure the inbound label which accept control strategy and label advertisement control strategy. Operation Click the copy icon to copy the configuration item Click the delete icon to delete an configuration item Displays LDP neighbor Select ADX> Network > MPLS configuration > LDP from navigation tree to enter the displays LDP neighbor interface, as shown in Figure Figure 3-52 LDP neighbor information Table3-37 describes the details of LDP neighbor information. Table3-37 LDP neighbor information Local router ID Remote route ID Neighbor IP Local interface Neighbor hold time Displays the router identification of local device (which must be unique) Displays the router identification of remote device (which must be unique) Displays the LDP neighbor address Displays the interface for local device and remote device establishing neighbor relationship Displays the dead interval of LDP neighbor hold time Dispslays LDP session Select ADX> Network > MPLS configuration > LDP from navigation tree to enter the displays LDP neighbor interface, as shown in Figure

73 Figure 3-53 LDP session Table3-38 describes the details of LDP session information. Table3-38 LDP session information Local router ID Remote router ID Local TCP connection Remote TCP connection port Session state Session keepalive interval Displays local router ID (This ID must be unique) Displays remote router ID (The router identification must be unique) Displays the port that local device establishing LDP session with remote device Displays the port that remote device establishing LDP session with local device Displays the current status of LDP session Displays LDP session dead interval Dispslays LIB basic information Select ADX> Network > MPLS configuration > LDP LIB show from navigation tree to enter display LDP neighbor interface, as shown in Figure 3-54 Figure 3-54 LIB basic information Table3-39 describes the details of LIB basic information. 62

74 Table3-39 LIB basic information description Destination subnet Subnet mask Inbound label Outbound label Outbound label state Remote-id Displays the destination address in LIB table Displays the destination address in LIB table Inbound label is used to advertise upstream neighbor label Designate the downstream router to learn the label Displays whether the outbound label is available Displays downstream router ID (which is used to distribute the outbound label) Figure 3-55 Network diagram of MPLS configuration LSP R2 R Ingress Egress R1 Upstream router R4 Downstream router 3.9 ARP Configuration The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of that device to the corresponding MAC address Display ARP The display ARP function allows user to view all ARP entries. Select ADX> Network >ARP > Display ARP from navigation tree to enter the display ARP interface, as shown in Figure

75 Figure 3-56 Display ARP Table3-40 describes the details of the current ARP entries. Table3-40 Current ARP entries Serial number IP address MAC address Inbound interface Type Displays the sequence number of the current ARP entry Displays IP addresses of the current ARP entry Displays MAC addresses of the current ARP entry Displays inbound interfaces of the current ARP entry Displays the type of the current ARP entry Static ARP A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry. Using static ARP entries enhances communication security. Select ADX > Network > ARP > Static ARP from navigation tree to enter the static ARP configuration interface, as shown in Figure Figure 3-57 Static ARP Table3-40 describes the details of the current ARP entries. 64

76 Table3-41 Current ARP entries Serial number IP address MAC address Interface Allows user to view the sequence number of static ARP entries Allows user to view the IP address of static ARP entries Allows user to view the MAC address of static ARP entries Allows user to view the inbound interface of static ARP entries To create a static ARP entry: Select ADX > Network > ARP > Static ARP from navigation tree to enter the static ARP configuration interface. Enter for IP address Enter 00:01:6c:4b:17:83 for MAC address And then select eth1_0 for interface Click Ok button in the upper right corner on the webpage. To create other static ARP entries, click the copy icon, and then configure the static ARP entry as above steps, and then click Ok button in the upper right corner on the webpage. To delete a static ARP entry, click the delete icon, and then click Ok button in the upper right corner on the webpage. Figure 3-58 Network diagram for configuring static ARP entries Device eth1_0 eth1_1 PC1 IP address: MAC address: 00:01:6c:4b:17:83 PC2 IP address: MAC address: 00:01:6c:4b:17:84 IP address: IP address: MAC address: 00:01:6c:4b:17:85 MAC address: 00:01:6c:4b:17:86 65

77 3.9.3 Gratuitous ARP In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. Select ADX > Network > ARP > Gratuitous ARP from navigation tree to enter gratuitous ARP interface, as shown in Figure Figure 3-59 Gratuitous ARP Table3-42 Gratuitous ARP Enable gratuitous ARP learning function Periodic sending of gratuitous ARP packets Allows you to select whether to enable or disable gratuitous ARP learning function Allows you to configure the periodic sending of gratuitous ARP function 3.10 Diagnostic tools Ping By using Ping tool, user can verify whether a device with a specified address is reachable and user can exam the network connectivity. Select ADX> Network > Diagnose tool > Ping from navigation tree to enter the diagnostic tool interface, as shown in Figure Figure 3-60 Ping To execute ping command: Enter destination IP address in IP address bar 66

78 Click Test button And then you can view the output of ping command Traceroute By using traceroute tool, you can trace the routers involved in delivering a packet from source to destination. This is useful for identification of failed node(s) in the event of network failure. Select ADX> Network > Diagnostic tools > Traceroute from navigation tree to enter traceroute interface, as shown in Figure Figure 3-61 Traceroute Table3-43 Traceroute Serial number Destination IP address Time interval Allows you to view the sequence number of the traceroute output Allows you to view the IP address of the next hop Allows you to view the time intervals to the next hoops To execute traceroute command: Enter the destination IP address in the IP address bar Click Test button And then you can view the output of traceroute command 67

79 Chapter 4 Load balancing Server load balancing which is providing load balancing service for a group of servers. Generally, these servers locate in a local network, providing one group or several groups with the same services or the similar services. Service load balancing is data centers generally adopt server load balancing for networking. Load balancing is as shown in Figure 4-1. Figure 4-1 Load balancing 4.2 Advanced configuration Load balancing advanced configuration is the configuration of session keep and scheduling strategy. User can configure the advanced configuration as their need. Select ADX> Load balancing > Advanced configuration from navigation tree to enter advanced interface, as shown Figure 4-2. Figure 4-2 Advanced configuration 68

80 Table4-1 Advanced configuration Source IP session keep Click the configuration add icon and then you can configure the source IP session keep Header scheduling strategy Click the add icon and then you can configure the header scheduling strategy configuration URL session keep Click the configuration add icon and then you can configure the URL session keep Cookie session keep Click the add icon and then you can configure the cookie session keep configuration Header session keep Click the configuration add icon and then you can configure the header session keep DNS scheduling strategy Click the configuration add icon and then you can configure the DNS scheduling strategy Sip session keep Click the add icon and then you can configure the sip session keep configuration Microsoft remote desktop session keep Click the add icon and then you can configure the Microsoft remote desktop session keep configuration SSL session keep Click the configuration add icon and then you can configure the SSL session keep Destination address session keep Click the configuration add icon and then you can configure the destination session keep 4.3 Server load balancing Introduction to server load balancing Load balancing is to distribute workload across multiple computers or a computer cluster, network links, central processing units, disk drives, or other resources, to achieve optimal resource utilization, maximize throughput, minimize response time, and avoid overload. Select ADX > Load balancing > Server load balancing from navigation tree to enter server load balancing interface, as shown in 错误! 未找到引用源. 69

81 Figure 4-3 Virtual service Table4-2 describes basic configurations of virtual service. Table4-2 Basic configuration of virtual service Virtual service name Virtual service address Virtual service port Virtual service status Allows you to configure the name of the virtual service Allows you to configure the protocol of the virtual service Allows you to configure the IP address of the virtual service Allows you to view virtual service enabling status: The red light means the virtual service isn t enabled The green light means the virtual service is enabled Deployment method Transport protocol Session keep configuration Force load balancing (The uppermost is default) Add real service group Allows you to select a deployment method, including symmetry option and single-arm option Allows you to configure the transport protocol, including TCP and UDP Allows you to select an option for the session keep configuration. Click the view configuration hyperlink, the interface will skip to the advanced configuration interface which allows you to view or to configure the advanced configuration Allows you to select whether to enable the force load balancing function. After you enable the force load balancing function, the device will force execute load balancing function Allows you to add real service into the real service group 70

82 Click the add button and then you can add real service to the left box Click the delete button and then you can delete real service to the right box The view configuration allows you to view and configure the real service group interface. After you click the view configuration hyperlink, the interface will skip to the real service group interface. Enable the matching real service group function Allows you to select whether to enable the matching real service group function Table4-3 describes the advanced configuration of virtual service. Table4-3 Advanced configuration of virtual service Virtual server multi ports Allows you to set the number of the virtual server multi ports (at most is 10) HTTP security policy HTTP buffer configuration Binding interface Virtual service mask Burst connection limit New connection limit Keeping connection limit Allows you to select an option for the HTTP security policy Allows you to configure the HTTP buffer configuration Allows you to select an interface which is to be bound Allows you to configure the mask of virtual service Allows you to configure the limit of burst connection (The default is 0, which means no limitation) Allows you to configure the limit of new connection (The default is 0, which means no limitation) Allows you to configure the limit of keeping connection (The default is 0, which means no limitation) Real service group The server load balancing module comprises mainly a real service group, real services, and a virtual service Select ADX > Load balancing > Server load balancing from navigation tree to enter server load balancing interface, as shown in 错误! 未找到引用源. 71

83 Figure 4-4 Real service group Table4-4 describes the advanced configuration of virtual service. Table4-4 Advanced configuration of virtual service Real service group name Displays the name of the real service group Allows you to select which kind of health check you want to apply Health check type Click the Add button and then you can add a kind of health check to the left box Click the Delete button and then you can delete a kind of health check from the left box Least connections Real service troubleshooting Allows you to select the health check at least pass through number Select a method that the real service group uses to handle existing connections when it detects that a real service fails, including the following: Select an algorithm that a real service group uses to distribute services and traffic: Round Robin: Assigns new connections to each real service in turn. Weighted Round Robin: Assigns new connections to real services based on the weights of real services; a higher weight indicates more new connections will be assigned. Scheduler Least Connections: New connections are always assigned to the real service with the fewest number of active connections. Weighted Least Connections: New connections are always assigned to the real service with the fewest number of weighted active connections (the number of active connections/weight). Random: Assigns new connections to real services randomly. Weighted Random: Assigns new connections randomly to real services based on their 72

84 weights; a higher weight indicates more new connections will be assigned. Source Address Hashing: Assigns a new connection to a specific real service based on the source address of the connection. This algorithm ensures that new connections with the same source address can be assigned to the same real service. Source Address Port Hashing: Assigns a new connection to a specific real service based on the source address and port of the connection. This algorithm ensures that new connections with the same source address and port can be assigned to the same real service. Destination Address Hashing: Assigns a new connection to a specific real service based on the destination address of the connection. This algorithm ensures that new connections with the same destination address can be assigned to the same real service. This algorithm is applicable to firewall load balancing mode. HTTP-header recognized DNS recognized Add real service Real service The server load balancing module comprises mainly a real service group, real services, and a virtual service, as shown in 错误! 未找到引用源. Select ADX > Load balancing > Server load balancing from navigation tree to enter server load balancing interface, as shown in Figure 4-5. Figure 4-5 Virtual service Table4-5 describes the configuration items of real service. Table4-5 Real service configuration items Real service group name Displays the name of the real service group Allows you to select which kind of health check you want to apply Health check type Click the add button and then you can add a kind of health check to the left box Click the delete button and then you can delete a kind of health check from the left box Least connections Allows you to select the health check at least pass through number 73

85 Real service troubleshooting Select a method that the real service group uses to handle existing connections when it detects that a real service fails, including the following: Select an algorithm that a real service group uses to distribute services and traffic: Round Robin: Assigns new connections to each real service in turn. Weighted Round Robin: Assigns new connections to real services based on the weights of real services; a higher weight indicates more new connections will be assigned. Least Connections: New connections are always assigned to the real service with the fewest number of active connections. Weighted Least Connections: New connections are always assigned to the real service with the fewest number of weighted active connections (the number of active connections/weight). Random: Assigns new connections to real services randomly. Scheduler Weighted Random: Assigns new connections randomly to real services based on their weights; a higher weight indicates more new connections will be assigned. Source Address Hashing: Assigns a new connection to a specific real service based on the source address of the connection. This algorithm ensures that new connections with the same source address can be assigned to the same real service. Source Address Port Hashing: Assigns a new connection to a specific real service based on the source address and port of the connection. This algorithm ensures that new connections with the same source address and port can be assigned to the same real service. Destination Address Hashing: Assigns a new connection to a specific real service based on the destination address of the connection. This algorithm ensures that new connections with the same destination address can be assigned to the same real service. This algorithm is applicable to firewall load balancing mode. HTTP-header recognized DNS recognized Add real service 4.4 Load balancing Link load balancing Link load balancing: Link load balancing can be applied in a network environment where there are multiple carrier interfaces to implement dynamic selection of links, thus enhancing the service reliability, as shown in 错误! 未找到引用源. 74

86 Figure 4-6 Virtual service Cluster ISP1 Router A VSIP ISP2 IP network Source LB device Router B Destination ISP3 Router C Chapter 5 Log management 5.1 System log Latest log System log interface displays the latest 25 system logs. Select ADX > Log management > System log > Latest log from navigation tree to enter the latest log interface, you can view the latest 25 system logs, as shown in Figure 5-1. Figure 5-1 Latest log 75

87 Note: To export the system log to your local system, you can click Export button and then the system prompt you a window which allows you to select whether to open or save the log file to your local system. Table5-1 describes the details of latest log. Click the header entry of each column that you can view system logs display as ascending or descending order. Table5-1 Latest log Serial number Time stamp Module Displays the serial number of latest system log Displays when the system log created Displays the system log to which module belongs Displays severity level of the latest system log, including: Fatal error: means system cannot use Emergency error: warns user must take an emergency measures for the system Critical: means the system is dangerous status Severity level Common error: displays the common errors Warning: displays warning information Status information: important information under the normal status Information: unknown information Unknown: means the unknown information. Log content Displays specific content of system log Note: Auto-refresh can be 10, 30, 60 seconds refresh after you enable this function and select an option.ond and also you click the refresh button to manual refresh the interface of latest log. Each severity level has a color, which is used to warn user: Red shading color is for fatal error, emergency eror and critical error Orange shading color is for common error and warning White shading color is for status, informaiton, unkown information Latest log System log query function allows users to query the system log as their requirement. Select ADX > Log management > System log > System log query from navigation tree to enter system log query interface, as shown in Figure

88 Figure 5-2 System log query Click Export button and then the system prompt you that you can open or save the CSV file to your local system. Click Query button to view the logs you have queried. Click Jump to and Page right drop-down list, you can view the system log displays as your selection. Note: All system logs display when you select Customized option and click Query button. Table5-2 describes the system log query searching conditions. Table5-2 System log searching conditions Severity Time scope Start time End time Allows you to search system log as severity level Allows you to search system log as time scope Displays or set the start time for querying system log Displays or set the end time for querying system log Log file operation System log file operation module allows you to back up or delete system log file of today or any other day. Select Basic > Log management > System log > Log file operation from navigation to enter system log file operation interface, as shown in Figure

89 Figure 5-3 System log file operation You can select a system log file which you want to backup and click the You can select a system log file which you want to delete and click the Backup button to save system log to your local system. Delete button to delete save system log file. Table5-3 describes the details of system log file operation provides system log back up and delete as today or the desired day. Table5-3 System log file operation Serial umber Log file name Displays the sequence of system log generating Displays the time when system log generating Operation Displays the back up and the delete icon Log configuration System log configuration provides system log saving and exporting configuration for users. Select ADX > Log management > System log configuration from navigation tree to enter system log configuration interface, as shown in Figure 5-4. Figure 5-4 Log configuration Table5-4 describes the details of system log configuration items 78

90 Table5-4 System log configuration items Output to remote syslog server Set remote syslog server parameters, including: Remote syslog server IP address Service port Time stamp Days for saving Select the max saving day for system log file and then system will delete the expired system log file. You can select one week, two weeks, or three weeks or 30 days or customized time option and you can set the days when you configure customize option. 5.2 Operation Log Latest log Operation log interface displays the latest 25 operation logs Select ADX > Log management > Operation log > Latest log from navigation tree to enter operation log configuration interface, as shown in Figure 5-5. Figure 5-5 Latest log Click Export button and then the system prompt you that you can open or save the CSV file to your local system. Table5-5 describes the details of the latest log configuration items. Table5-5 Latest log configuration items Serial number Time stamp Displays the sequence of operation log generating Displays when operation log generating. 79

91 Displays the type of client who generate operation log, including Web: means administrator manages the device through web. Client type Console: means administrator manages the device through console port. Telnet: means administrator manages the device through telnet server. SSH: means administrator manages the device through SSH service. Administrator Address Displays which administrator did the operation Displays the IP address of operation log Displays the log of operation result, including: Operation result Success: means your operation is successful Fail: means your operation is fail Log content Displays the content of operation log Note: Auto-refresh can be 10, 30, 60 seconds refresh after you enable this function and select an option.ond and also you click the refresh button to manual refresh the interface of latest log Operation log query Operation log query provides operation log searching function. Select ADX > Log management > Operation log > Operation log query from navigation tree to enter operation log query interface, as shown in Figure 5-6. Figure 5-6 Operation log query 80

92 Click Export button and then the system prompt you that you can open or save the CSV file to your local system. Click Query button to view the logs you have queried. Click Jump to and Page right drop-down list, you can view the system log displays as your selection. Note: All system logs display when you select Customized option and click Query button. Table5-6 describes the details of operation log query configuration items. Table5-6 Operation log query configuration items Administrator IP address Time scope Start time End time Shows the administer who did the operation log Shows the IP address of operation log Select operation log as time scope Display or to set the operation log beginning time Display or to set the operation log finish time Log file operation Operation log file operation module allows you to back up or delete system log file of today or another day. Select ADX > Log management > Operation log > Log file operation from navigation to enter Operation log file operation interface, as shown in Figure 5-7. Figure 5-7 System log file operation You can select an operation log file which you want to backup and click the system. Backup button to save system log to your local You can select an operation log file which you want to delete and click the Delete button to delete save system log file. Table5-7 describes the details of operation log configuration items 81

93 Table5-7 Operation log file configuration items Serial umber Log file name Displays the sequence of operation log generating Displays the time when operation log generating Operation Displays the back up and the delete icon Log configuration Operation log configuration provides system log saving and exporting configuration for users. Select ADX > Log management > System log configuration from navigation tree to enter operation log configuration interface, as shown in Figure 5-8. Figure 5-8 Operation log configuration Table5-8 describes the details of operation log configuration items Table5-8 Operation log configuration items Output to remote syslog server Set remote syslog server parameters, including Remote syslog server IP address Service port Time stamp Days for saving Select the max saving day for system log file and then system will delete the expired system log file. You can select one week, two weeks, or three weeks or 30 days or customized time option and you can set the days when you configure customize option. 5.3 Service log Service log configuration provides service log related configuration. Select ADX > Log management > Service log from navigation tree to enter service log interface, as shown in Figure

94 Figure 5-9 Service log Table5-9 Service log configuration Days for saving Brief log Audit log Local save audit log Log aggregation Output to a remote syslog server Select the max saving day for system log file and then system will delete the expired system log file. You can select one week, two weeks, or three weeks or 30 days or customized time option and you can set the days when you configure customize option. Allows you to select brief log option Allows you to select whether to enable audit log sending to server function Allows you to select audit log local save function Allows you to select whether to enable log aggregation function Configuring the output to a remote syslog server function parameter, including Remote syslog server IP address Service port DDoS remote syslog server Allows you to select whether to enable DDoS log sending to remote systlog server function Send an Mail server IP address Set the mail server IP address Source address mail Set the mail server source address Destination mail address Set the mail server destination address User name Password Set the mail server username Set the mail server password Number of Configure a number for sent out per minute 83

95 s sent out per minute Domain name Set domain name of user. Chapter 6 Firewall 6.1 Packet filtering policy Introduction to packet filtering policy Packet filtering is to inspect the source domain, destination domain, originator source IP, originator destination IP, originator source MAC, originator destination MAC, service, IP fragment, flow re-mark, action for every data packet. Select ADX> Network > Firewall > Packet filtering policy from navigation tree to enter the packet filtering policy interface, as shown in Figure 6-1. Figure 6-1 Packet filtering policy Table6-1 describes the details of packet filtering policy. Table6-1 packet filtering policy Serial number Name Source domain Destination domain Originator source IP Originator destination IP Service Displays the serial number of packet filtering policy Displays the name of the packet filtering policy Displays the source domain of the packet filtering policy Displays the destination domain of the packet filtering policy Displays the packet filtering policy originator source IP address Displays the packet filtering policy originator destination IP address Displays the service IP address 84

96 Action Specify whether permit the packet pass the device and further limit packet filtering policy. Valid time Status Operation Click the Click the Click the copy icon, and then your copy will add into new policy. delete icon, and then you can delete a policy. insert icon, and then you can insert a new rule. Table6-2 Packet filtering policy Table6-3 describes the configuration items of configuring action. Table6-3 Configuring action Pass Discard Rate limitation Per IP rate limitation Access control URL filtering Allow packet to pass through the device. Not allow packet pass through the device. Select rate limitation rule which will apply to the packet filtering policy. Select per IP limitation rule which will apply to the packet filtering policy. Select access control rule which will apply to the packet filtering policy. Select URL filtering rule which will apply to the packet filtering policy. 85

97 Advanced filtering Behavior audit Flow analysis Select advanced filtering rule which will apply to the packet filtering policy. Select behavior audit rule which will apply to the packet filtering policy. Select whether to enable the flow analysis. To create packet filtering policy: Click the copy icon Select source domain and destination domain in the new line Select initiate source IP and initiate destination IP for the packet filtering policy Select the related service and valid for the packet filtering policy The action you can select is the pass, discard or rate limitations Click Ok button in the upper right on the webpage! Note: It will perform by default if there is no packet match with packet filtering policy. The default is the interface with high security level can visit the interface with lower security level, but interface with low security level can visit high security level. 6.2 Packet filtering policy Introduction to packet filtering policy Packet filtering policy is to filtering IP data packets. The device will get data packet header information first (including IP layer which carry protocol number, data packet source IP address, destination IP address,source port an d destination port, etc). After that, it will be compared with ACL rule and will be processed according to the comparison. Select Basic> Network > Firewall > Packet filtering policy from navigation tree to enter the packet filtering policy, as shown in Figure 6-2. Figure 6-2 Packet filtering policy Table6-4 describes the details of packet filtering policy. 86

98 Table6-4 packet filtering policy Serial number Name Source domain Destination domain Originator source IP Originator destination IP Service Action Valid time Status Displays the serial number of packet filtering policy Allows you to configure a name for the packet filtering policy Allows you to select source domain for the packet filtering policy Allows you to select destination domain for the packet filtering policy Allows you to select originator source IP address for the packet filtering policy Allows you to select originator destination IP address for the packet filtering policy Allows you to select a service for the policy filtering policy Allows you to select an action for the policy filtering policy Allows you to set the packet filtering policy valid time Allows you to set the Specify whether the current policy is effective. Operation Click the copy icon to copy a packet filtering policy Click the Click the delete icon to delete a packet filtering policy insert icon to insert a packet filtering policy ALG configuration Application Level Gateway (ALG)is mainly processing application data packet. In general,nat is only processing IP address and port information in the packet header, it doesn t analyze the field in application data load. While some special protocols may contains IP address or port information and these contents cannot be transited and may result problems. Select Basic> Network > Firewall > Packet filtering policy > Alg configuration from navigation tree to enter ALG configuration interface, as shown in Figure

99 Figure 6-3 Address pool Table6-5 describes the details of Alg configuration. Table6-5 Alg configuration Protocol State Displays the application layer protocol name, including amanda, ftp, gtp, h323, irc, mms, netbios_ns, oracle, pptp, rpc, rtsp, sane, sip,tftp Allows you to select an application layer protocol to turn on 6.3 NAT Introduction to NAT NAT (Network Address Translation) provides a way of translating the IP address in an IP packet header to another IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks. With NAT, a smaller number of public IP addresses are used to meet public network access requirements from a larger number of private hosts, and thus NAT effectively alleviating the depletion of IP addresses Source NAT Select Basic> Network > Firewall > Source NAT from navigation tree to enter the source NAT interface, as shown in Figure

100 Figure 6-4 Source NAT Table6-6 describes the details of source NAT configuration.. Table6-6 Source NAT configuration Serial number Out interface Originator source IP Originator destination IP Service Public IP(pool) Displays the serial number of the source NAT policy Allows you to select out interface for the source IP address Allows you to select originator source IP address Allows you to select originator destination IP address Allows you to select a service Allows you to configure the public IP pool Operation Click the Click the icon to copy source NAT policy icon to delete source NAT policy To configure the source NAT configuration: Click the copy button of source NAT, except the first line of the table Configure the outbound interface of source NAT policy Configure the IP address and mask of source NAT policy Configure the public IP of the source NAT policy After you configured the advanced configuration, click Ok button in the upper right corner on the webpage Destination NAT Select Basic> Network > Firewall > Destination NAT from navigation tree to enter destination NAT interface, as shown in Figure

101 Figure 6-5 Destination NAT Table6-7 describes the details of destination NAT configuration. Table6-7 Destination NAT configuration ID In interface Common address Service Expert config Advanced configuration Displays the destination NAT ID. Displays the inbound interface of destination NAT policy. Displays the destination NAT policy. Displays the service type of destination NAT policy. Displays the expert config of the destination policy. Displays the advanced configuration of the destination policy Operation Click the Click the copy icon, and then you can copy a destination NAT policy. delete icon, and then you can delete a destination NAT policy. To configure destination NAT configuration: Click the copy button of destination NAT policy; expect the first line of the table Configure the outbound interface of the destination NAT policy Configure the service type of the destination NAT policy Configure the public address of destination NAT server Configure the inner IP address of destination NAT server 90

102 After you finished the above steps, you can click the Ok button on the upper right. Note: If you configure the server inner port in the advanced configuration, it will connect to the destination port after it switched destination NAT One to one NAT Select Basic> Network > Firewall > One to one NAT from navigation tree to enter the one to one NAT interface, as shown in Figure 6-6. Figure 6-6 One to one NAT Table6-8 describes the details of one to one NAT configuration. Table6-8 One to one NAT configuration Destination Serial number Public interface One to one NAT Public address Operation Displays the serial number of one to one NAT policy Displays the outbound interface of one to one NAT policy Displays the inner address of one to one NAT policy Displays the public address of one to one NAT policy Click the copy icon, and then you copy a one to one NAT policy Click the delete icon, and then you can delete a one to one NAT policy To configure one to one NAT configuration: Click the icon of the one to one NAT policy (except the first line of the table) Configure the public interface of one to one NAT policy Configure the inner address of one to one NAT policy Configure the public address of one to one NAT policy After you finished the above steps, you can click the Ok button in the upper right 91

103 6.3.5 Address pool Select Basic> Network > Firewall > Address pool from navigation tree to enter address pool interface, as shown in Figure 6-7 figure. Figure 6-7 Address pool Table6-9 describes the details of address pool. Table6-9 Address pool configuration ID Start IP address End IP address Display the start IP address of address pool. Configure the start IP address of address pool. Configure the end IP address of address pool. Operation Click the Click the copy icon, and then you can copy an address pool policy. delete icon, and then you can delete an address pool policy. To configure address pool configuration: Click the button of the address pool (except the first line of the table) Configure the ID number Configure the start IP of address pool Configure the end IP of address pool After you finished the above steps, you can click the Ok button in the upper right Alg configuration Select Basic> Network > Firewall > NAT > Alg configuration from navigation tree to enter the alg configuration interface, as shown in Figure

104 Figure 6-8 Alg configuration Table6-10 describes the detail of Alg configuration. Table6-10 Alg configuration Protocol State Displays the application layer protocol name, including amanda, ftp, gtp, h323, irc, mms, netbios_ns, oracle, pptp, rpc, rtsp, sane, sip,tftp Allows you to select an application layer protocol to turn on 6.4 IPV4 Basic DDoS Protection Defend Object Management Defend object management is to configure the defend object group, including IP address protected by DDoS attack protection and comment information. Select Basic> Firewall > Basic DDoS Protection > Defend object management from navigation tree to enter the defend object management interface, as shown in Figure 6-9. Figure 6-9 Defend object management Table6-11 describes the configuration items of defend object management. 93

105 Table6-11 Defend object management Defend object management IP address and mask Comment Enter a name for the defend object management. Enter an IP address or several IP address protected by defend object management. Comment the defend object group. Operation Click the copy icon, and then you can copy a rule. Click the delete icon, and then you can delete a rule. To create a defend object management rule: Enter the name of defend object management rule Configure the IP address of protected by defend object management rule After you finished the above steps, you can click the Ok button the upper right Configuration and Tendency Traffic Status and Monitoring You can view the current defend group traffic status and monitoring via configuration and tendency. Select Basic> Firewall > Basic DDoS Protection > Configuration and tendency from navigation tree to enter traffic status and monitoring interface, as shown in Figure Figure 6-10 Traffic and status monitoring 错误! 未找到引用源 describes the details of traffic status and monitoring. 94

106 Table6-12 Traffic and status monitoring Name IP address Belong to Time range Displays the name of traffic status monitoring. Displays the IP address of traffic monitoring. Displays which protect type belong to. Displays the status time range DDOS defend settings DDOS defend settings is the basic configuration to all kind of attack. Select Basic> Firewall > Basic DDOS Protection > DDOS defend settings from navigation tree to enter DDOS defend settings interface, as shown in Figure Figure 6-11 DDOS defend settings Table6-13 describes the details of DDOS defend settings. Table6-13 DDOS defend settings Manual configure the threshold You can sleek the manual configure or auto-learning the threshold. Auto-learning the threshold Set the number of the threshold. To modify DDOS defend settings: Select whether to enable the manual configure the threshold and auto-learning the threshold. Set the number of the threshold in the black. After you finished the above steps, you can click the Open button, and then you can click the Ok button. 95

107 6.4.3 Protection History Protection History Select Basic> Firewall > Basic DDOS Protection > Snapshot and history > Protection history from navigation tree to enter the protection history interface, as shown in Figure Figure 6-12 Protection history Search history record IP address Specified time Figure 6-13 Global DDOS TCP configuration Figure 6-14 ICMP 96

108 Figure 6-15 Global DDOS UDP configuration Figure 6-16 Global DDOS log 6.5 Session Management Session list Select Basic> Firewall > Session management > Session list from navigation tree to enter the session list management, as shown in Figure 6-17 Figure 6-17 Session list Table6-14 describes the configuration ites of session list. Table6-14 Session list Serial number Protocol type Session status Sender Responder Displays searching result serial number. Displays the protocol type of transport layer. Displays the session status. Displays the detailed information about sender. Displays the detailed information about responder. 97