LinkProof Web Lab manual

LinkProof Lab 1 - LinkProof initial configuration (Required)

Lab Goals:

- Using the serial cable provided, connect to the LinkProof using HyperTerminal (or a similar application)

- Apply the minimum settings required through the Startup Menu to allow APSolute connectivity

- Configure and test Telnet access

- Configure and test Web Based Management

- Review the various options and settings available through the initial command line menu

Note: The LinkProof will apply a default configuration if you do not intervene at the Startup Menu within 30 seconds. Please make certain you pay attention when you initially start the device to avoid delaying the class while the instructor has to erase the default configuration. You can simply hit enter when the Startup Menu appears and the device will not apply a default config.

The default configuration will apply the following:

Interface 1 = 192.168.1.1 mask 255.255.255.0

Username and Password = radware

Step-by-step:

1. Attach the enclosed serial cable to the port on the LinkProof and attach the other end to a communication port on the management PC.

2. Open HyperTerminal and create a new connection.

3. Select the communication port that the Radware device is connected to.

4. Set the following values:

5. Power on the device and note the various messages during the boot process.

6. When the unit has completely finished the initial start-up process, you should see a menu like the one below. If you do not, ask your instructor to erase the unit’s configuration so that you can start from scratch.

Startup Configuration

0. IP address

1. IP subnet mask

2. Port number

3. Default router IP address

4. RIP version (0,1,2) [0]

5. Enable OSPF (y/n) [n]

6. OSPF area ID

7. User Name

8. User Password

9. Enable Web Access (y/n) [n]

10. Enable Secure Web Access (y/n) [n]

11. Enable Telnet Access (y/n) [n]

12. Enable SSH Access (y/n) [n]

13. SNMP Configuration

7. Assign the values that your instructor has provided for your unit using the following table:

Note: For those items on the list that are not applicable in this initial startup phase, you can hit the Enter key and allow the menu to apply default settings to them.

8. When you have entered the information for this section of the Startup Menu, you will see another sub-menu for SNMP Configuration. Simply hit Enter to accept all default values. Note that these defaults enable SNMP versions 1, 2 and 3 with the community string public and no SNMPv3 authentication or privacy protocol; that is acceptable on the isolated classroom network, but on a production device change the community string and select an authentication and privacy protocol here:

SNMP Startup Configuration

0. Supported SNMP versions [1 2 3] 1 2 3

1. Community [public] public

2. SNMP root user radware

3. Privacy Protocol (NONE/DES) [NONE] NONE

4. Privacy Password ********

5. Authentication Protocol (NONE/SHA/MD5) [NONE] NONE

6. Authentication Password ********

7. NMS IP address 0.0.0.0

8. Configuration file name

9. When you have filled in this menu, you will be returned to the previous one. If the configuration is correct, confirm the reboot process and allow the device to restart.

10. When the device has finished restarting, you will have to log in to the unit by typing login. The default username and password for CLI access to the LinkProof are "radware" (without the quotes). When you have logged in, use the question mark ("?") to display the commands.

11. You should see a list of commands similar to the one below:

bwm Policy management and classification

classes Configures traffic attributes used for classification

device Device Settings

health-monitoring Advanced Health Monitoring

help Displays help for the specified command

login Login into the device

logout Logout of the device

lp LinkProof parameters

manage Device management configuration

net Network configuration

nslookup Queries DNS

ping Ping a remote host

reboot Reboot the device

redundancy Redundancy settings

security Security settings

services General networking services

ssh SSH to a remote host

statistics Device statistics configuration

system System parameters

telnet Telnet to a remote host


Note: Generally speaking, the majority of configuration throughout this training manual is based on APSolute Insite use. It is quite possible to use the command line interface to configure a Radware device completely; however, it is often nearly impossible to direct the efforts of numerous students (some of whom may have particularly fat fingers) in the use of the CLI. Time permitting, your instructor may offer the option of working exclusively in the CLI if you desire.

12. Create two new IP addresses for interface 2. Use the following command and substitute your team's values:

net ip-interface create 2

All network masks are Class C, 24 bit (255.255.255.0).

On each LinkProof, you need to create two IP addresses on Interface 2. Use the same command a second time to add the second address.

When you are finished, use the command net ip-interface to make sure the unit shows the expected interface addresses. Your device should have the following entries:

13. From the command line, ping various hosts on either side of the device to make sure you have basic network connectivity. Ping your laptop's IP address from the LinkProof, and from the LinkProof ping the two routers it will be load-balancing. Take a look at some of the CLI commands available. Feel free to ask your instructor questions about these functions, but bear in mind that almost all of the commands available here will be accessible through APSolute.

14. Enable Telnet access on the device. From the CLI, enter the following command: manage telnet status set 1

Telnet (and the plain HTTP web access enabled below) carries the device credentials in cleartext; the Startup Menu also offers SSH Access and Secure Web Access, which you should prefer anywhere other than an isolated lab network.

15. Create a username and password so that you can access the device through Telnet, or use the default username and password of "radware":

manage user table create alpha -pw alpha

Use your team's name for both the username and the password (alpha, beta, gamma, delta).

16. Open a Telnet session to your device and supply the appropriate username and password. Press a key to bring up the prompt, then type a question mark ("?"). You should see a list of commands identical to those displayed through the CLI.

17. Enable Web Based Management. From the CLI or from your Telnet connection, enter the following command: manage web status set 1

18. You can now open a browser from your workstation and enter the IP address of your LinkProof. You should be prompted for a username and password; use the account you created above (or the default radware/radware). It may take a few moments for the browser to load the applets that give you access to the various functions on the device, so be patient. If you want to change the port on which the device accepts web access, you may do so through either the CLI or Telnet. The default port is 80, and it can be changed to any other port (avoid reserved ports, since that may affect other features). For example, to make the device accept web based access on port 8001:

manage web server-port set 8001

Doing so requires that you append the destination port to the address you supply in your browser: http://192.168.1.15:8001

19. Enter the following command on the LinkProof in order to see traps not only through a serial connection to the unit, but also when you have a Telnet or SSH connection:

manage terminal traps-output set 2

20. Configure the LinkProof with a DNS server to use for lookups:

services dns client primary-server set 4.2.2.2

Note: As a general rule, you will find it helpful to leave one of your workstations connected to the LinkProof through the CLI for the duration of the labs. The device generates a number of traps and error messages through the CLI, and these can be useful for troubleshooting.

LinkProof Lab 2 – Next Hop Routing Configuration for LinkProof (Required)

Lab Goals:

- Using Internet Explorer, connect to your device

- Configure a default gateway for the device

- Add the next hop router table

- Enable Smart NAT

- Review various parameters and settings available for both devices

1. Start a web browser and for the address, type in the IP of your LinkProof.

2. When prompted for a username and password, use radware for both.

3. On each LinkProof, create an entry in the routing table for the LinkProof's default gateway. Under Router > Routing Table, insert a new row and from the drop-down list for If Num, select F-2. Leave the "Dest IP Address" and "Network Mask" fields set to 0.0.0.0. For the Next Hop, enter the IP of either of the routers your device will load balance.

Figure 86 - LinkProof Routing Table

4. Under LinkProof > Next Hop Routers > Next Hop Router Table, create two new entries, one for each of your two NHRs.

5. When complete, your tables on each LinkProof should look like this:

Figure 87 - LinkProof NHR Table

6. Under LinkProof > Global Configuration > General, examine the available settings. You don't need to change any of these values, but they are explained below:

NHR Admin Status - The status of LinkProof; one of the following:

Enable - LinkProof is active. All users are balanced between the next hop routers.

Disable - LinkProof is inactive. Clients connecting to the device are sent to the default next hop router.

Dispatch Method - The method used to determine which next hop router the traffic is directed to. Note that when port rules are enabled, only NHRs accessible via the designated port are taken into account.

Cyclic - Directs traffic to each next hop router in turn (round robin).

Least Amount of Traffic - Directs traffic to the next hop router with the least traffic (in packets).

Fewest Number of Users - Directs traffic to the next hop router with the fewest users.

NT-1 - Queries the firewalls for Windows NT SNMP statistics. According to the reported statistics, FireProof redirects the clients to the least busy firewall. To use this method the firewalls must be firewalls for Windows NT. The parameters are weighted according to the first Windows NT weights scheme (see the Windows NT Weights Table). (The NT and Private methods are carried over from the FireProof firewall load balancer and query firewalls rather than routers.)

NT-2 - Similar to NT-1, but uses the second weights scheme.

Private-1 - Queries the firewalls for private SNMP parameters, as defined in the first private weights scheme (see the Private Weights Table). The ratio of users on the firewalls is balanced according to the reported statistics.

Private-2 - Similar to Private-1, but uses the second weights scheme.

Least Bytes Number - Directs traffic to the next hop router through which the fewest bytes have passed.

Hashing - When selected, the LinkProof performs a static hash function in order to select a next hop router for this session. The input to the hash function is determined by the Client Table mode and can be: source and destination IP addresses; source and destination IP addresses and ports; source IP only; or destination IP only. This is a static method: the next hop router is chosen for a session purely from the session information. The method is symmetric, meaning it gives the same output when the source and destination addresses are swapped; for example, a packet from A to B yields the same hash output (i.e. the same next hop router) as the reply packet from B to A.

Client Aging Time - The amount of time (in seconds) a non-active client is kept in the client table. As long as a client is kept in the client table, it stays attached to the same next hop router.

Client Connect Denials - Indicates the number of connection requests from clients that were denied by the dispatcher.

Timeout for SYN - This feature improves the LinkProof's resilience to SYN attacks. Enter the number of seconds (1 to 10) that the LinkProof assigns as the aging time of a new session started by a SYN packet, so that half-open sessions created by a SYN flood are flushed from the client table quickly. The default, 'Regular aging time', means the feature is disabled: every new session is assigned the user-configured aging time from its beginning.

Translate Outbound Address to Virtual Address - When using virtual IP addresses (see above), determines how addresses from the next hop router are handled:

Enable - changes NAT addresses to virtual IP addresses.

Disable - does not change NAT addresses.

Fragmentation Table Aging Time - The amount of time that an entry remains in the Fragmentation Table. For each source IP, destination IP and fragment ID, this table holds the real TCP/UDP source and destination ports. A new entry is inserted when the first fragment arrives, and the checksum of that first fragment is updated to reflect the address changes. Using this table, the device can identify the correct source/destination ports for every fragment that arrives later and NAT them properly. The entry is removed from the table when the last fragment of the packet is received, or when it ages out.
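The dispatch methods and the client table described above, modelled as an added example. This is not Radware code: the real LinkProof hash function and client table internals are not documented on this page, so the SHA-256 based hash, the sorting of the two endpoints that makes the key symmetric, and the NHR addresses 1.1.1.100 and 2.2.2.200 (taken from the later labs) are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class NHR:
    ip: str
    users: int = 0        # clients currently attached (Fewest Number of Users)
    bytes_out: int = 0    # bytes forwarded through this NHR (Least Bytes Number)


class Dispatcher:
    """Models the Dispatch Method together with the Client Table that keeps a client
    attached to the same NHR until its entry ages out (Client Aging Time)."""

    def __init__(self, nhrs, method="cyclic", aging_time=60, client_mode="src-dst-ports"):
        self.nhrs = list(nhrs)
        self.method = method                # cyclic, fewest-users, least-bytes, hashing
        self.aging_time = aging_time        # seconds a non-active client stays in the table
        self.client_mode = client_mode      # src, dst, src-dst, src-dst-ports
        self._next = 0                      # round-robin pointer for Cyclic
        self.clients = {}                   # client key -> [nhr, last_seen]

    def _client_key(self, src, dst, sport, dport):
        # Sorting the two endpoints makes the key (and so the hash) symmetric:
        # A->B and the reply B->A produce the same key. The single-address modes
        # key on that address alone. (Assumed model, not the documented internals.)
        if self.client_mode == "src":
            return (src,)
        if self.client_mode == "dst":
            return (dst,)
        if self.client_mode == "src-dst":
            return tuple(sorted((src, dst)))
        return tuple(sorted(((src, sport), (dst, dport))))

    def _select(self, key):
        if self.method == "cyclic":
            nhr = self.nhrs[self._next % len(self.nhrs)]
            self._next += 1
            return nhr
        if self.method == "fewest-users":
            return min(self.nhrs, key=lambda n: n.users)
        if self.method == "least-bytes":
            return min(self.nhrs, key=lambda n: n.bytes_out)
        if self.method == "hashing":
            # Static hash of the session information only: no load state is consulted.
            digest = hashlib.sha256(repr(key).encode()).digest()
            return self.nhrs[int.from_bytes(digest[:4], "big") % len(self.nhrs)]
        raise ValueError(f"unknown dispatch method {self.method}")

    def dispatch(self, src, dst, sport, dport, now, nbytes=0):
        """Return the IP of the NHR this packet is sent through; `now` is in seconds."""
        key = self._client_key(src, dst, sport, dport)
        entry = self.clients.get(key)
        if entry is not None and now - entry[1] <= self.aging_time:
            entry[1] = now                  # still in the client table: stay attached
            nhr = entry[0]
        else:
            if entry is not None:           # aged out: release the old attachment
                entry[0].users -= 1
            nhr = self._select(key)
            nhr.users += 1
            self.clients[key] = [nhr, now]
        nhr.bytes_out += nbytes
        return nhr.ip
```

Calling dispatch() with `now` values that straddle the aging time shows a client staying pinned to its NHR and then being re-dispatched once its client table entry has aged out; two hashing dispatchers given A->B and the B->A reply return the same NHR because the key is sorted before it is hashed.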

7. Go to LinkProof > Global Configuration > Connectivity Check. This area allows you to modify the settings for the health checks run against the next hop routers (or firewalls).

8. Change the Polling Interval from 10 to 5. This setting instructs the LinkProof to check each device once every 5 seconds.

9. Change the Number of Retries from 5 to 3. This means that a device (firewall or router) can fail three consecutive health checks before the LinkProof confirms that it is unavailable and stops load-balancing traffic to it; with a 5 second polling interval, an outage is therefore confirmed within about 15 seconds.

10. Leave the other settings as they are.

11. Go to LinkProof > Global Configuration > Smart NAT, and enable SmartNAT.

12. Go to LinkProof > Smart NAT > Dynamic NAT Table, and create a new entry in the table. The entries here instruct the LinkProof to use specific NAT addresses from ISP_1's network when sending through ISP_1 and specific NAT addresses from ISP_2's network when sending through ISP_2. These addresses are used for outbound client traffic and can be described as "many-to-one", since the LinkProof uses one address when performing NAT for many clients.

13. Configure your device to use a dedicated NAT address from each of the NHRs' networks:

14. When complete, your Dynamic SmartNAT Table should look like this on each LinkProof:

Figure 89 - LinkProof Dynamic Smart NAT Table Entries

15. Make certain that your workstation laptop has its default gateway set to your LinkProof.
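The many-to-one Dynamic SmartNAT table of steps 12 to 14 and the Fragmentation Table described under the General settings, modelled as an added example (not Radware code). The fragment fields, the behaviour of dropping a non-first fragment whose first fragment was never seen, and the NAT addresses 1.1.1.10 and 2.2.2.10 are assumptions; the sample fragments are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fragment:
    src: str
    dst: str
    frag_id: int                 # IP Identification field, shared by all fragments of one packet
    first: bool                  # offset 0: this fragment carries the TCP/UDP header
    last: bool                   # More Fragments flag clear
    sport: Optional[int] = None  # present only on the first fragment
    dport: Optional[int] = None


class SmartNAT:
    def __init__(self, dynamic_nat, frag_aging=10):
        # Dynamic NAT table: next hop router -> many-to-one NAT address on that ISP's network
        self.dynamic_nat = dict(dynamic_nat)
        self.frag_aging = frag_aging          # Fragmentation Table Aging Time (seconds)
        self.frag_table = {}                  # (src, dst, frag_id) -> (sport, dport, seen_at)

    def expire(self, now):
        """Drop fragmentation entries whose last fragment never arrived."""
        for key, (_, _, seen) in list(self.frag_table.items()):
            if now - seen > self.frag_aging:
                del self.frag_table[key]

    def outbound(self, frag, nhr_ip, now):
        """Return (nat_src, sport, dport) for a fragment sent via nhr_ip, or None if it
        cannot be NATed because the ports are unknown."""
        self.expire(now)
        key = (frag.src, frag.dst, frag.frag_id)
        if frag.first:
            ports = (frag.sport, frag.dport)
            if not frag.last:                          # more fragments follow: remember the ports
                self.frag_table[key] = (frag.sport, frag.dport, now)
        else:
            entry = self.frag_table.get(key)
            if entry is None:                          # no first fragment on record: cannot NAT
                return None
            ports = entry[:2]
            if frag.last:                              # last fragment: entry is no longer needed
                del self.frag_table[key]
        return (self.dynamic_nat[nhr_ip],) + ports
```

The first fragment of a packet supplies the ports and the NAT address chosen for its NHR; every later fragment of the same (src, dst, ID) is translated with the ports recorded from it, and a fragment that shows up after its entry was removed or aged out cannot be translated.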

LinkProof Lab 3a – Proprietary Redundancy

1. On the Active LinkProof, go to LinkProof > Redundancy > Global Configuration and enable Interface Grouping.

Figure 91- Active LinkProof Global Redundancy Settings

This setting instructs the Active LinkProof to disable all of its interfaces if it loses connectivity on any one of them. This allows the Backup LinkProof to take over for all interfaces of its Active partner.

2. On the Backup LinkProof, go to LinkProof > Redundancy > Global Configuration and change the IP Redundancy Admin Status from Disabled to Proprietary. This setting tells the Backup LinkProof that it will be monitoring another LinkProof. We will give the Backup LinkProof specific information about its Active partner in the steps below.

3. On the Backup LinkProof, go to LinkProof > Redundancy > IP Redundancy Table and insert a new row. There are four settings here:

1. Interface IP Address - one of the IP addresses configured on this (Backup) LinkProof.

2. Primary Device Address - the address of the corresponding interface on this network on the Active (Alpha) LinkProof.

3. Poll Interval - how long between ARP requests.

4. Time Out - how long to wait for an ARP response.

In other words, the Interface IP Address is the address of this backup device, and the Primary Device Address is the IP address of the Active LinkProof on that network. Set the "Time Out" to 5. Repeat these steps for the other interfaces on the Backup LinkProof, substituting the appropriate addresses for the Active device. When complete, you should have three entries in the IP Redundancy Table on the Backup LinkProof like this:

Note: you do not need to create entries in the IP Redundancy Table on the Active LinkProof since it is not backing up another device.

4. On the Active LinkProof, enable Mirroring. Go to LinkProof > Redundancy > Mirroring > Active Device Parameters. Enable Client Table Mirroring and set the "Percentage of Client Table to Backup" to no more than 20. This means that the newest 20% of entries in the Client Table on the Active LinkProof are mirrored to its Backup partner. The Client Mirror Update Time is how often (in seconds) this mirroring takes place.

Also enable Proximity Table Mirroring. The Active LinkProof can also mirror its Proximity Table to its Backup partner. This table keeps track of which router is faster or closer for given destination hosts or inbound client locations. We will discuss this feature in more detail later in this manual:

Figure 95 - Active LinkProof Mirroring Settings

5. On the Backup LinkProof (Beta), go to LinkProof > Redundancy > Mirroring > Backup Device Parameters. Set the Mirroring Status to Enabled. Create a new entry under "Backup Device Mirroring Parameters" and type the IP address of either interface on the Active LinkProof in the "IP Address of the Active Device" field:


Figure 96 - Backup LinkProof Mirroring Settings

6. Test failover between the devices by setting up a continuous ping from the workstations to hosts beyond the routers. Unplug one interface on the Active LinkProof. On the Backup LinkProof, go to LinkProof > Redundancy > IP Redundancy Table; the entries there should change from InActive to Active. You should see a brief interruption in the ping traffic from the workstations, but it should resume when the Backup LinkProof takes over:

Figure 98 - Backup LinkProof Taking over for downed Active LinkProof

7. From your workstations, use the command arp -a to view the MAC address currently associated with their default gateway. It should be that of the Backup LinkProof (shown under Device > Device Information as Base MAC Address). Plug the connection back in for the Active LinkProof and run arp -a from the workstations again. The MAC address for their gateway should now be that of the Active LinkProof.

8. There are additional settings on the Backup LinkProof (such as the Dynamic and Static SmartNAT addresses) that need to be set to “Backup” mode. For more specific information about configuring a backup LinkProof, see the document “Configuring LinkProof Redundancy.”

LinkProof Lab 3b – VRRP Redundancy

1. On each LinkProof, go to LinkProof > Redundancy > Global Configuration and change the IP Redundancy Admin Status to VRRP.

2. On the Active LinkProofs (Alpha and Gamma), enable Interface Grouping.

3. When complete, your settings should look like the ones below:

Figure 99 - Active LinkProof Redundancy Settings

Figure 100 - Backup LinkProof Redundancy Settings

4. Go to LinkProof > Redundancy > VRRP > VR Table and create a new entry. This table contains the Virtual Routers (VRs) that the Active and Backup LinkProofs share. Since we have two ports in use on the LinkProofs, we will create two VRs in this table, one for each port.

Port Index – this corresponds to the physical port that this VR will reside on

VR ID – each VR needs to have its own unique ID number (from 1 to 99)

Priority –the device with the higher Priority will be the “Master” for this VR.

Use the table below to populate the correct values:

5. Create another entry in the VR Table for the second VR, on the second LinkProof port in use:

Device Port Index VR ID Priority

Make certain that you set the Priority for the Backup LinkProof lower than the Active LinkProof.

6. When complete, your VR Tables should look like the following:

Figure 101 - VR Table

7. On both LinkProofs, go to LinkProof > Redundancy > VRRP > Associated IP Addresses, and insert a new row.

We will use this table to “associate” IP addresses to the VRs we created above.

These IP addresses reside on the Master device, and their MAC address corresponds to the VR we created on each box (remember that the VR MAC is identical on the Active and Backup devices).

Use the table below to create the entries for this table on your device:

Alpha Associated IP Addresses

Port Index   VR ID   Associated IP
F-1          1       192.168.1.1
F-2          2       1.1.1.1
F-2          2       2.2.2.1
F-2          2       1.1.1.10
F-2          2       2.2.2.10

8. When complete, your Associated IP Address Table should look like one of the following:

Figure 103 - Associated IP Addresses

Note that all the IP addresses we are associating with these VRs belong to the Active LinkProof. We want these IP addresses to be available no matter which LinkProof is the Master. This includes Static and Dynamic SmartNAT addresses, Virtual DNS Addresses, Remote VIPs, Virtual IPs, etc.

9. On the ACTIVE LinkProof, go to LinkProof > Redundancy > VRRP > VR Table and change the Admin Status for each entry from down to up. Do this on the Active LinkProof first. The State should change from Initialize to Master.

10. On the BACKUP LinkProof, go to LinkProof > Redundancy > VRRP > VR Table and change the Admin Status for each entry from down to up. Make sure this has been done on the Active device first. The State should change from Initialize to Backup.

11. You or your instructor may have to check and clear the ARP tables on some of the equipment in the lab to make certain that all devices now have the VR MAC listed for the associated IP addresses instead of that of the Active LinkProof. Remember, we want a shared MAC address associated with the IP addresses in use.

12. Test failover by setting up a continuous ping to an outside host and then disconnecting a port on the Active LinkProof. The Backup LinkProof should take over with only a brief interruption of traffic.
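An added example (not Radware code) for the check a workstation makes after failover in Lab 3a step 7 and Lab 3b step 11: which device currently answers ARP for the gateway address. It derives the shared VR MAC from the VR ID (00-00-5E-00-01-{VRID}, the VRRP virtual router MAC of RFC 3768), picks the Master by priority (higher primary address breaks a tie, again per VRRP), and parses arp -a output in both the Windows and Unix formats. The arp -a lines and the base MAC addresses are constructed.

```python
import ipaddress
import re

# One IP address followed, somewhere on the same line, by a 6-octet MAC in either
# 00-00-5e-00-01-01 (Windows arp -a) or 00:00:5e:00:01:01 (Unix arp -a) notation.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?(?P<mac>[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I)


def vrrp_virtual_mac(vrid):
    """VRRP virtual router MAC address for a VR ID, in arp -a (dashed, lower-case) style."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"00-00-5e-00-01-{vrid:02x}"


def elect_master(routers):
    """routers: iterable of (name, priority, primary_ip). The highest priority becomes
    Master; if priorities are equal, VRRP prefers the higher primary IP address."""
    return max(routers, key=lambda r: (r[1], int(ipaddress.ip_address(r[2]))))[0]


def normalise_mac(mac):
    return mac.lower().replace(":", "-")


def parse_arp(output):
    """Parse arp -a output into {ip: mac}; header and 'Interface:' lines carry no MAC and are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalise_mac(m.group("mac"))
    return table


def gateway_owner(arp_output, gateway_ip, known_macs):
    """Name the device answering for gateway_ip. known_macs maps a label (e.g. 'VR 1',
    'Alpha base MAC') to a MAC; returns None if the gateway is not in the ARP cache."""
    mac = parse_arp(arp_output).get(gateway_ip)
    if mac is None:
        return None
    for label, candidate in known_macs.items():
        if normalise_mac(candidate) == mac:
            return label
    return "unknown " + mac
```

Under proprietary redundancy (Lab 3a) the gateway's MAC flips between the two devices' base MACs on failover; under VRRP (Lab 3b) it should always be the VR MAC, and seeing a base MAC there means a stale ARP entry that step 11 tells you to clear.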

LinkProof Lab 4 – Device Management for LinkProof

1. Connect to your LinkProof and go to LinkProof > Next Hop Routers > Next Hop Routers Table.

2. Edit your devices one at a time by clicking each row in the table:

Note the various settings available here:

Admin Status = enable, disable or shutdown (no new sessions)

NHR Priority = weight of this device relative to the others (1-100)

Kbits Limit = total limit for inbound and outbound traffic combined

Inbound Kbits Limit = limit for inbound traffic

Outbound Kbits Limit = limit for outbound traffic

NHR Mode = Regular or Backup

Connection Limit = maximum number of users that can be sent to this device

NHR MAC Status = indicates whether the Radware unit has detected the router

NHR Port Number = indicates which port the router is connected on

NHR Proximity Check Status = whether the LinkProof should calculate Proximity through this next hop router

3. On the LinkProof go to LinkProof > NHRs Advanced Configuration > Next Hop Routers. You should see a table with your routers in it.

Figure 105 - LinkProof NHR Advanced Configuration

4. Edit the devices one at a time by clicking their rows. For each router, set the Recovery Time to 10 and the WarmUp Time to 10. Set these values and close the table.

5. Enable Remote Connectivity Checks, which instruct the Radware device to check through each router to a remote point. On the LinkProof, go to LinkProof > Next Hop Routers > Full Path Health Monitor Table, and create two new entries.

6. There should already be an entry in this table for each router, listing its interface address. Insert a new row and enter an external address reachable through that router (a remote point on its ISP's side). Repeat this for the other router in the table. When complete, the entries for Full Path Health Monitoring should look like these:

Figure 106 - LinkProof Full Path Checks

Note: The check addresses for the two NHRs may differ from the ones shown above depending on the lab configuration your instructor has set up.

7. Unplug the external connection from one of the Routers.

8. Open the NHR Table (LinkProof > Next Hop Routers > Next Hop Routers Table). Periodically refresh the screen by clicking the far-right button with the yellow up arrow. You should see the Operation Status change from Active to NotInService. When the status for the device changes, go to LinkProof > Next Hop Routers > Full Path Health Monitor Table and note at which point along the path the device has failed.

9. Plug the connections for the router back in.
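The connectivity check behaviour exercised in Lab 2 steps 8 and 9 (Polling Interval 5, Number of Retries 3) and in the Full Path checks of Lab 4 steps 5 to 8, as an added example that is not Radware code. Each router is monitored through its own interface address plus a remote "full path" address; three consecutive failed polls of any check take the router to NotInService, and the table of failed addresses shows at which point the path broke. Restoring a router on its first successful poll is a simplification (the Recovery Time and WarmUp Time of step 4 are not modelled), and the check addresses other than 4.2.2.2 are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Check:
    """One monitored address: the NHR's own interface or a Full Path (remote) address."""
    address: str
    kind: str                 # "interface" or "full-path"
    failures: int = 0         # consecutive failed polls
    up: bool = True


@dataclass
class NextHopRouter:
    ip: str
    checks: List[Check]
    status: str = "Active"    # Operation Status as shown in the NHR Table


class ConnectivityMonitor:
    def __init__(self, nhrs, polling_interval=5, retries=3):
        self.nhrs = list(nhrs)
        self.polling_interval = polling_interval   # seconds between polls of each address
        self.retries = retries                     # consecutive failures before NotInService

    def detection_time(self):
        """Worst-case seconds before a dead router is marked NotInService."""
        return self.polling_interval * self.retries

    def poll(self, probe: Callable[[str], bool]):
        """Run one polling round; probe(address) returns True if the address answered."""
        for nhr in self.nhrs:
            for chk in nhr.checks:
                if probe(chk.address):
                    chk.failures = 0
                    chk.up = True
                else:
                    chk.failures += 1
                    if chk.failures >= self.retries:
                        chk.up = False
            # A router is usable only if both its interface and the path beyond it answer.
            nhr.status = "Active" if all(c.up for c in nhr.checks) else "NotInService"

    def failed_points(self) -> Dict[str, List[str]]:
        """For each NotInService router, the addresses whose checks failed: the router
        itself, or only the remote address (the router is up but its external link is not)."""
        return {nhr.ip: [c.address for c in nhr.checks if not c.up]
                for nhr in self.nhrs if nhr.status == "NotInService"}

    def run(self, rounds, probe):
        """Run several polling rounds and return the resulting status of every NHR."""
        for _ in range(rounds):
            self.poll(probe)
        return {nhr.ip: nhr.status for nhr in self.nhrs}
```

Unplugging a router's external link (step 7) is the case where the interface check keeps passing while the full-path check fails, so failed_points() lists only the remote address for that router.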

10. Enable Source Grouping. Go to LinkProof > NHR Advanced Configuration > Grouping > Source Grouping.

11. On the LinkProof, configure the device to send traffic from your workstation through Router_1, and configure Router_2 as the backup router for this source group if Router_1 fails. We will use a network mask of 255.255.255.255 so that the entry is treated as a single host; in practice, these entries would cover entire subnet ranges:

Figure 107 - Source Grouping

As you are inserting information, note that there are settings for Operational Mode of either Regular or Backup. When setting these grouping restrictions, it is important to make at least one next hop router a Backup for any Regular entries, so that the grouped traffic still has a path when the Regular router fails.

12. Test Grouping on the LinkProof by opening sessions to hosts beyond the routers. Open the Client tables on the Active LinkProof to see which clients have been sent to which devices.

LinkProof Application Grouping

The LinkProof can also be configured to send traffic out different routers based on the Application (Destination Port) a client is using. For example, web traffic can be sent out Router_1 while DNS traffic is sent out Router_2.

14. Delete the Source Grouping entries from the LinkProof.

15. Change the Client Mode from Layer 3 to Layer 4 under LinkProof > Global Configuration > Client Table. This setting is covered in more detail later, but it is necessary for this feature because the grouping decision depends on the destination port.

16. Go to LinkProof > NHRs Advanced Configuration > Grouping > Application Grouping and insert a row into this table.

17. For Application Port Number, enter 80 (HTTP), and for the Next Hop Router IP Address use 1.1.1.100.

18. Create a second entry for port 80 and configure Router_2 as backup for this type of traffic.

19. Create a new entry, this time with Application Port Number 53 (DNS), and for the Next Hop Router IP Address use 2.2.2.200.

20. Create a second entry for DNS and configure Router_1 as backup for this type of traffic.

21. When complete, your Application Port Grouping table should look like this:

Figure 109 - Application Port Groupings

22. Test your configuration by opening browser sessions to hosts and then checking the client table (through the CLI) to view which type of traffic was sent through which router.

LinkProof Destination Grouping

When necessary, the LinkProof can be configured to send traffic out to a certain destination host, network or networks through only certain routers. This can be accomplished by creating a group of routers for that particular destination, hence the term Destination Grouping.

23. Delete the existing Application Grouping entries on the LinkProof under LinkProof > NHRs Advanced Configuration > Grouping > Application Grouping.

24. For this exercise, you will create two groups of routers, but because we only have a pair of routers to work with, each group contains only one Active router for its destination network. You will configure the LinkProof to use Router_1 for traffic destined to the 4.2.2.0 network and Router_2 for traffic destined to the 209.218.228.0 network.

25. Go to LinkProof > NHRs Advanced Configuration > Grouping > Destination Grouping.

26. Create two entries here, using the table below for reference:

Destination IP    Network Mask     NHR IP Address   Operational Mode
4.2.2.0           255.255.255.0    1.1.1.100        Regular
209.218.228.0     255.255.255.0    2.2.2.200        Regular

27. Your table should look like this:
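The three grouping tables of this lab (Source, Application and Destination Grouping, with their Regular and Backup Operational Modes) as one added example that is not Radware code. It uses the lab's own entries: the workstation host entry with a 255.255.255.255 mask, port 80 via 1.1.1.100 with 2.2.2.200 as Backup, port 53 the other way round, and the two destination networks. The order in which the tables are consulted and the handling of a match whose routers are all down are assumptions; the lab clears each table before filling the next, so only one table is populated at a time.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

UNRESTRICTED = "unrestricted"   # no grouping entry matched: the Dispatch Method decides


@dataclass
class GroupEntry:
    nhr: str                                          # Next Hop Router IP Address
    mode: str                                         # "Regular" or "Backup" Operational Mode
    network: Optional[ipaddress.IPv4Network] = None   # Source / Destination Grouping
    port: Optional[int] = None                        # Application Grouping (destination port)


def net(address, mask):
    """Build a network from the lab's address + dotted-mask pairs (255.255.255.255 = one host)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


class NHRGrouping:
    def __init__(self):
        self.source: List[GroupEntry] = []
        self.application: List[GroupEntry] = []
        self.destination: List[GroupEntry] = []

    def add_source(self, address, mask, nhr, mode="Regular"):
        self.source.append(GroupEntry(nhr, mode, network=net(address, mask)))

    def add_application(self, port, nhr, mode="Regular"):
        self.application.append(GroupEntry(nhr, mode, port=port))

    def add_destination(self, address, mask, nhr, mode="Regular"):
        self.destination.append(GroupEntry(nhr, mode, network=net(address, mask)))

    @staticmethod
    def _choose(entries, nhr_up):
        # Regular entries first; only when every Regular NHR is down fall through to Backup.
        for mode in ("Regular", "Backup"):
            for e in entries:
                if e.mode == mode and nhr_up.get(e.nhr, False):
                    return e.nhr
        return None   # grouping applies but none of its routers is in service

    def select(self, src, dst, dport, nhr_up):
        """Return the NHR the packet is restricted to, UNRESTRICTED when no grouping entry
        matches, or None when every router in the matching group is down.
        nhr_up maps NHR IP -> True if its Operation Status is Active."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        candidates = (
            [e for e in self.source if src_ip in e.network],          # Source Grouping
            [e for e in self.destination if dst_ip in e.network],     # Destination Grouping
            [e for e in self.application if e.port == dport],         # Application Grouping
        )
        for entries in candidates:
            if entries:
                return self._choose(entries, nhr_up)
        return UNRESTRICTED
```

Feeding select() the NHR statuses from the NHR Table reproduces what step 12 and step 22 ask you to observe in the client table: grouped traffic follows its Regular router while it is Active and moves to the Backup entry when that router goes NotInService.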
