Peplink balance technical presentation 2012 opt by Reinaldo RR TELEINFO

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost.

ÂŠ 2012 Peplink

Presentation Agenda • About Peplink Balance • Internet Link Aggregation & Failover • LAN/WAN Interface

• Understanding & Setting up Drop-in mode • Peplink Complete VPN Solution & Site-to-Site VPN • Outbound Policy and Inbound Access • Inbound Load Balancing / DNS Settings • NAT Mappings / NAT Pool / QoS / WLAN Controller • Hardware High Availability and LAN Bypass • Bandwidth Usage Monitoring • Additional Capabilities • Questions and Answers

About Peplink Balance

ÂŠ 2012 Peplink

Balance Series Specifications

Model

Balance 20/30

Balance 210/310

Balance 380/580

Balance 710/1350

Power User/ Home Office

Small Business

Mid-Size Business

Large Enterprise

1-25

25-150

100-1000

500-5000+

Throughput

100Mbps

200Mbps 400Mbps

800Mbps 1500Mbps

WAN Ports

2/3

3/5

7/13

Yes

Coming Soon

50 100

250 500

Target User Recommended Users

USB WAN Support Peplink VPN Bonding AP Controller Support

ÂŠ 2012 Peplink

Coming Soon

http://www.peplink.com/

Usage of Peplink Balance • Internet Link Load Balancing & Failover • Session based for Inbound and Outbound

Proprietary and Confidential

Usage of Peplink Balance • WAN Bonding • Packet based load balancing

• Single TCP/IP session can utilize all WAN links • Using Peplink Site-to-Site VPN technology

Proprietary and Confidential

Idea of Peplink Balance • Outbound • Access a server on Internet (WAN) side from LAN, and the server returns the web data back to LAN

• Inbound • A computer from Internet (WAN) access a web server on LAN. The web server returns the data back to Internet client

Idea of Peplink Balance • Outbound Load Balancing & Failover • Controlled by Outbound Policy

• Peplink will distribute the outbound sessions to different WAN links automatically

• Inbound Load Balancing & Failover • By using build-in authoritative DNS

Internet Link Aggregation & Failover

ÂŠ 2012 Peplink

Internet Link Aggregation & Failover • Scenario: • A Peplink Balance unit • Three 1 Mbps Internet Links • All links are operational

Local Area Network

Internet Link Aggregation & Failover • Scenario: • A Peplink Balance unit • Three 1 Mbps Internet Links • One link down: ISP A

Local Area Network

WAN/LAN Interface

ÂŠ 2012 Peplink

WAN • DHCP, PPPoE and Static IP Address • 1 x USB Mobile Connection

WAN • WAN link Health Check • Determine whether the ISP link is routable to Internet.

• Methods: Ping / DNS Lookup / SmartCheck • Ping – issue ICMP PING packets to test connectivity • DNS Lookup – DNS lookups will be issued to test connectivity with target DNS servers. • SmartCheck – applies only to USB mobile connection. It is optimized for mobile networks with high traffic latency © 2012 Peplink

WAN • Bandwidth Allowance Monitor • Designed for non-unlimited link (eg: Satellite, 3G) • Alert user when usage hits 75%/95% via Email • Disconnect when hits 100% allowance • Selectable billing cycle date

Proprietary and Confidential

LAN • DHCP server • DHCP reservation

• DHCP Option • LAN static route

• Local DNS Proxy • WINS server

Drop-in mode

ÂŠ 2012 Peplink

Drop-in Mode • Before the installation of Peplink Balance: • The network is connected to the ISP via a Router outside of the Firewall.

Drop-in Mode • Installation Phase 2: • Additional Internet links are installed. • Peplink Balance intelligently performs load balance and failover among the multiple links.

Non-disruptive Installation • Real-world considerations when installing network devices: • Re-configuration of components

• Risk isolation • Back-out strategy

• “Drop-in Mode” - an installation method designed to minimize disruption to the existing network.

Drop-in Mode • Requirement • An additional IP address is required for Drop-in Mode Peplink Such as: 210.10.10.3 210.10.10.2/24

192.168.1.0/24

Proprietary and Confidential

210.10.10.1/24

Drop-in Mode • Network > Interfaces > LAN

Drop-in Mode • Installation Phase 1: • Pre-configured Peplink Balance is “dropped in” between the Firewall and ISP Router. • The LAN clients, Firewall, and ISP Router maintain the same configurations.

210.10.10.1/24

210.10.10.3/24

210.10.10.2/24

192.168.1.0/24

Drop-in Mode • Installation Phase 1: • LAN and WAN1 of Peplink uses 210.10.10.3 210.10.10.1/24

210.10.10.3/24 210.10.10.2/24

192.168.1.0/24

Drop-in Mode • Installation Phase 2: • Configure WAN2 and WAN3 210.10.10.1/24

210.10.10.3/24 210.10.10.2/24

22.2.2.2/28 22.2.2.1/28 33.3.3.2/30

33.3.3.1/30

192.168.1.0/24

Difference between Drop-in and NAT • NAT Mode • All WAN links are in NAT mode • Traffic goes over a NAT’ed WAN, its source IP will be translated to the IP of corresponding WAN link • Drop-in Mode: • Peplink will bridge one of the WAN link and LAN segments • For other WAN links, they will act as NAT

Peplink Complete VPN Solution • Build-in PPTP Server • Proprietary Site-to-Site VPN • Bonding • Failover

• Network-to-Network IPsec VPN

Peplink Site-to-Site VPN • Key Features • VPN Bonding

• VPN Failover • Built-in Automatic Routing Protocol

• 256-bit AES Encryption • Easy configuration via Web Admin

Peplink Site-to-Site VPN • Allows VPN traffic to load balance across multiple connections (Balance 210/310/380/580/710/1350) • Two Suggested connection scenarios

Mesh Scenario

Star Scenario

Peplink Site-to-Site VPN Bonding • Aggregate all WAN connections’ bandwidth • Traffic load balanced at packet level

• Automatic failover during WAN link failure

Peplink Site-to-Site VPN Bonding Configuration of Branch A

1824-ABCD-1234

Configuration of Branch B

1824-1234-ABCD

Subnet A

Subnet B

192.168.50.1

10.10.10.1

Subnet should be different between two locations ÂŠ 2012 Peplink

PPTP Server â&#x20AC;˘ Allows Windows / Mac connect on public Internet to internal LAN natively

ÂŠ 2012 Peplink

Proprietary and Confidential

PPTP Server • Authenticate PPTP user via • Local User Account (Stored in Peplink itself)

• External LDAP Server • External Radius Server

Proprietary and Confidential

Outbound Policy

ÂŠ 2012 Peplink

Outbound Policy • 3 different Outbound Policies • Rule Based Custom Rules • Seven load balancing algorithms Click

•Click to add/edit custom rules •Drag and Drop to re-order the priority of rules

to delete a custom rule

Outbound Policy • Weighted Balance • Distribute the traffic across different WAN links based on the weight. • 10:5:1 means • 10 Sessions (10/16) will be across WAN1 • 5 Sessions (5/16) will be across WAN2 • 1 Session (1/16) will be across WAN3

Outbound Policy • Persistence • Make the specified types of traffic to always be routed through a particular WAN link based on source or destination IP address(es). • Example usage: • Secure login session such as HTTPS.

Outbound Policy • Enforced • Route the specified traffic through a single WAN connection/VPN Profile only, regardless of WAN link up/down status. • Example usage: • Restricting outbound SMTP traffic to one specific WAN link.

Outbound Policy • Priority • Distribute the traffic in the specified order.

• Highest-priority available WAN link/VPN profile will be used first. • Lower-priority WAN links will be used when higher-priority WAN links become unavailable.

Outbound Policy • Overflow • Route the traffic to a lower priority link when the highest priority link has been congested.

• Least Used • Route the traffic to the most available WAN link according to download usage.

• Lowest Latency • Route the traffic to the lowest latency WAN link

• Periodic latency checking will be performed to determine the latency

Outbound Policy • VPN Connection can be selected as Outbound Connection • Selected traffic will be routed across VPN Connection with Priority and Enforced Algorithms

Inbound Access

ÂŠ 2012 Peplink

Inbound Access â&#x20AC;˘ Also known as: Inbound port forwarding / Inbound port address translation

ÂŠ 2012 Peplink

Inbound Access • A web server located on LAN with physical private IP 192.168.1.100 • Existing firewall is doing Inbound NAT for 210.10.10.100 to forward to 192.168.10.100

Web Server LAN IP: 192.168.1.100 Public IP: 210.10.10.100

Inbound Access • To allow access the web server via WAN2 and WAN3, the Inbound Access rules are required.

Web Server LAN IP: 192.168.1.100 Public IP: 210.10.10.100

Inbound Access • Network > Inbound Access > Servers

• Network > Inbound Access > Services

Inbound Load Balance • Inbound Load Balancing distributes inbound traffic across multiple WAN links by using buildin DNS server. • Balance DNS server is required to be an authoritative DNS of the domain. • Eg: foobar.com

Inbound Load Balance • The DNS query result of www.foobar.com will be • Name: www.foobar.com • Addresses: 210.10.10.100, 22.2.2.2, 33.3.3.2

• If ISP2 goes down, the DNS query result will be • Name: www.foobar.com • Address: 210.10.10.100, 33.3.3.2 210.10.10.100

22.2.2.2

33.3.3.2

DNS Settings • Enable DNS listener • Create “Default SOA/NS”

DNS Settings • Define “Default SOA/NS Records”

DNS Settings • Create domain name “foobar.com”

DNS Settings • Create A Record Click to Create a new A Record

Enter the host “www”

Select the IP address on multiple WAN links for “www”

One-to-One NAT Mappings • Allow the IP address mapping of all inbound and outbound NAT’ed traffic to and from an internal client IP address. Click to delete a NAT rules

Click to add/edit NAT rules

NAT Pool • A range of LAN IP address or a LAN subnet can be mapped to multiple IP public IP address as source IP for their outbound traffic.

QoS

ÂŠ 2012 Peplink

QoS • User Group Based Classification • Manager

• Staff • Guest

• Add/Edit User Group by • IP address or Subnet IP

QoS • Control Group Reserved Bandwidth • Reserve minimum bandwidth for user groups

• Control Per-user Bandwidth Limit • Define maximum bandwidth for each user of the groups

QoS • Traffic Prioritization for default and custom applications • 3 Priority levels: ↑High, ━ Normal, and ↓Low • Support different kinds of applications liked Email, VoIP • Based on TCP/UDP/IP/DSCP

Hardware High Availability

ÂŠ 2012 Peplink

Hardware High Availability • Peplink Balance 210/310/380/580/710/1350 support High Availability via VRRP, Virtual Router Redundancy Protocol: • A pair of Peplink Balance units work together. • One unit is Active. • The other unit is on Stand-by.

Hardware High Availability • In the event of Active unit fails: • The Stand-by unit becomes Active. • New Active unit re-establishes Internet connections. • Outage is minimized.

Hardware High Availability • Each unit has their own LAN IP address and use a same Virtual IP. • For non-drop-in mode, the VIP will be the default gateway of LAN hosts • For Drop-in mode, WAN1’s default gateway will be the default gateway of LAN hosts

192.168.1.3

Configuring HA for Slave unit

192.168.1.2

LAN Bypass

LAN1

WAN1

LAN Bypass • Available in Peplink Balance 580/710/1350 • LAN Bypass is a fault-tolerance feature that protects you in the event of power outage. • When used with Drop-in Mode, such failure would be completely transparent to the network. • In the following example, WAN1 and LAN1 ports are bridged together when the power runs out.

Bandwidth Usage Monitoring

ÂŠ 2012 Peplink

Bandwidth Usage Monitoring • Show the bandwidth usage statistics • Three periods of statistics: Real-Time, Daily, Monthly • Usage will not be shown at the time when device had been switched OFF • Real-Time • Click Show Details to view the usage of different WAN or type of traffic

Bandwidth Usage Monitoring • Daily • Detailed usage statistics of ALL WAN with IP Address can be shown by clicking corresponding Date • A selected WAN usage can be shown in billing cycle when the bandwidth allowance monitor of that WAN is enabled

Bandwidth Usage Monitoring • Monthly • Detailed usage statistics of ALL WAN with IP Address can be shown by clicking the first two Month rows • A selected WAN usage can be shown in billing cycle when the bandwidth allowance monitor of that WAN is enabled

Additional Capabilities

ÂŠ 2012 Peplink

Additional Capabilities • E-mail notification: • Send email to user for any WAN up/down event, Site-to-Site VPN, HA status.

Additional Capabilities • Rule-based stateful Firewall: • Support for an unlimited number of rules. • Drag and drop user interface

Additional Capabilities â&#x20AC;˘ Reporting Service

ÂŠ 2012 Peplink

Contact Support • Detail description of the issue • Network Diagram with detail IP address scheme • Troubleshooting steps that you performed • Diagnostic Report of related units (eg: S2S VPN) • Remote Assistance of related units (eg: S2S VPN)

• Send email to “priority.support@peplink.com”

Proprietary and Confidential

Diagnostic Report • Obtain Diagnostic Report via “Status > Device”

Proprietary and Confidential

Additional Support Information • Support Information Page contains • LAN/WAN Ethernet details • Remote Assistance • Network Capture • Realtime information of WAN Health Check

Proprietary and Confidential

Additional Support Information • Support Information Page contains • LAN/WAN Ethernet details • Remote Assistance • Network Capture • Realtime information of WAN Health Check

Proprietary and Confidential

Peplink United States Office

•

800 West El Camino Real Mountain View, CA 94040 United States Tel: Fax:

•

Tel:

+27 12 665 5829

Peplink Hong Kong Office

Tel: Fax:

+852 2990 7600 +852 3007 0588

Peplink Italy Office Via Sismondi 50/3 20133 Milan Italy Tel:

•

Unit 24, Cambridge Office Park, 5 Bauhinia Street, Highveld, Centurion, South Africa

+1 (866) 463 0129 +1 (866) 625 4664

17/F, Park Building 476 Castle Peak Road Cheung Sha Wan Hong Kong

•

Peplink South Africa Office

+39 02 8986 6852

Peplink Saudi Arabia Office Queen’s Tower 24th Floor, Jeddah Saudi Arabia Tel:

+966 504336952

•

Sales: http://www.peplink.com/contact/sales/

•

Support: http://www.peplink.com/contact/support/