Description of company network environment:
The company connects to the Internet over two links, provided by two different ISPs: China Telecom and China Netcom. The company needs to use both ISPs' services at the same time, which is what is usually called load balancing of Internet access. The purposes of this design are to provide redundancy between the two ISPs, to relieve the bandwidth bottleneck, and to allow finer control over which link is used to reach a given resource. Such an environment is a common deployment in enterprise networks.
ScreenOS supports ECMP (Equal Cost Multi-Path), which shares traffic across multiple paths to the same destination that have the same cost value.
If the user has two links to the Internet, two static default routes can be configured (the default cost of a static route in ScreenOS is 1), each pointing to a different next-hop address, and the ECMP function enabled; the number of links to load-balance across must also be specified. In addition, NAT is enabled on both firewall interfaces connected to the two links, so all traffic is shared across the two links and translated to a public IP address on its way to the Internet.
Network -> Routing -> Virtual Router -> Edit
Because the firewall is a stateful inspection device, traffic is load-balanced per session in round-robin fashion. For example, with 10000 sessions in total and ECMP enabled on two links, roughly 5000 sessions will leave through link 1 and roughly 5000 through link 2.
The advantage of ECMP is its simple configuration, but its shortcoming is equally obvious: it does not allocate bandwidth intelligently based on routing information, it simply distributes all sessions round-robin across the links in equal shares, so some traffic may not leave through the best route. For example, if the user has one Telecom link and one Netcom link, enabling ECMP can cause traffic destined for the Telecom region to leave via the Netcom link and traffic destined for the Netcom region to leave via the Telecom link. ECMP is therefore best suited to users who rent several links from the same operator, or who rent links from operators with good interconnectivity.
Another defect of ECMP is incompatibility with some applications. Some applications open several connections and require every connection to come from the same IP address. With ECMP enabled, two connections initiated by the same user may leave through different links (the first via link 1, the second via link 2) and therefore be translated to different public addresses, so these applications do not work properly. The most common examples are online banking (such as the Industrial and Commercial Bank of China), the mobile operator's online business hall, and online game systems. The solution is to enable the ScreenOS sticky DIP function with "set dip sticky", which guarantees that different sessions from the same source IP are always translated to the same IP address, solving the application compatibility problem.
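The following is an added example, not ScreenOS code or any code from the original article. It models the behaviour the two preceding paragraphs describe: per-session round-robin across two equal-cost default routes (10000 sessions split about 5000/5000), a multi-connection application seeing two different public addresses when sticky DIP is off, and the same source IP always mapping to one public address when it is on. The link names, next hops, NAT addresses and the 10.0.0.0/24 hosts are constructed for the example.

```python
from itertools import cycle
from collections import Counter

# Constructed two-link setup (hypothetical addresses, not from the article):
# each link has its own next hop and, with NAT enabled on its interface,
# its own public translation address.
LINKS = {
    "link1": {"next_hop": "203.0.113.1", "nat_ip": "203.0.113.10"},
    "link2": {"next_hop": "198.51.100.1", "nat_ip": "198.51.100.10"},
}


class EcmpFirewall:
    """Simplified model: each new session is assigned round-robin to one of the
    equal-cost default routes; with sticky enabled, a source IP keeps the link
    (and so the public address) chosen for its first session."""

    def __init__(self, links, sticky=False):
        self.links = links
        self.sticky = sticky
        self._next_link = cycle(sorted(links))
        self._sticky_map = {}          # source IP -> link chosen for it

    def new_session(self, src_ip):
        """Return (egress link, translated public IP) for a new session."""
        if self.sticky and src_ip in self._sticky_map:
            link = self._sticky_map[src_ip]
        else:
            link = next(self._next_link)
            if self.sticky:
                self._sticky_map[src_ip] = link
        return link, self.links[link]["nat_ip"]


def distribute(fw, n_sessions, hosts):
    """Open n_sessions spread across hosts and count the sessions per link."""
    counts = Counter()
    for i in range(n_sessions):
        link, _ = fw.new_session(hosts[i % len(hosts)])
        counts[link] += 1
    return dict(counts)


def public_ips_seen(fw, src_ip, n_connections):
    """Set of public addresses a server would see for n connections from one host."""
    return {fw.new_session(src_ip)[1] for _ in range(n_connections)}


if __name__ == "__main__":
    hosts = [f"10.0.0.{n}" for n in range(1, 101)]   # constructed internal hosts
    print("ECMP, 10000 sessions:", distribute(EcmpFirewall(LINKS), 10000, hosts))
    print("no sticky, 2 connections from one host:",
          public_ips_seen(EcmpFirewall(LINKS), "10.0.0.5", 2))
    print("sticky, 4 connections from one host:",
          public_ips_seen(EcmpFirewall(LINKS, sticky=True), "10.0.0.5", 4))
```

Sticky DIP does not undo the balancing: with many hosts the first session of each host still alternates between the links, so the session count per link stays roughly equal while each host's public address stays fixed.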
To let traffic choose the best route, the most direct method is destination-based routing: all traffic destined for one operator's address ranges is manually pointed at that operator's next-hop router, and a default route sends the remaining traffic over the other link. A common case for destination-based load balancing is a university campus network, which usually has several links to the Internet, for example one to Telecom, one to Netcom and one to the education and research network (CERNET), and the interconnection between the three networks is poor: accessing CERNET resources over the Telecom link shows very high latency and is very slow. Destination-based routing ensures that as much traffic as possible takes the best route.
A more sophisticated method of traffic balancing is source-based routing. A layer-3 forwarding device normally routes by consulting its routing table, which stores routes keyed by destination address. Policy-based routing (PBR) provides another means: the firewall first consults a predefined special routing table (the PBR table), and only when the PBR table has no matching entry does it consult the default routing table; in other words, the PBR table has higher priority than the default routing table. Routes in the PBR table are not selected by destination address but by other factors: any combination of the five fields source address, source port, destination address, destination port and the COS field of the IP header. Users can therefore use this feature to route by the attributes of the network user, such as the source address.
For example, if the user rents two links, one of 2 M bandwidth and one of 10 M, the internal network users can be divided into 12 segments; with PBR, two segments are sent out over the 2 M link and the other ten over the 10 M link, achieving static load balancing.
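As an added example (not code from the article, and not ScreenOS configuration syntax), the following models the lookup order the three preceding paragraphs describe: a PBR table matched on any combination of source, destination, ports and TOS is consulted first, and only on a miss does a longest-prefix lookup in the destination-based table decide. It carries the 12-segment case through (two segments on the 2 M link, ten on the 10 M link) and adds one TOS-based entry and one destination prefix to show the other match types. Interface names, the 10.0.N.0/24 segments and all public prefixes are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed interfaces (hypothetical; not from the article).
LINK_2M = "ethernet1"       # interface on the 2 M link
LINK_10M = "ethernet2"      # interface on the 10 M link
LINK_EDU = "ethernet3"      # interface on an education/research network link

# Default routing table, keyed by destination prefix; longest prefix match wins.
DEST_ROUTES = [
    (ip_network("0.0.0.0/0"), LINK_10M),          # default route
    (ip_network("198.51.100.0/24"), LINK_EDU),    # constructed "education network" range
]

FIELDS = ("src", "dst", "sport", "dport", "tos")


def pbr_entry(iface, src=None, dst=None, sport=None, dport=None, tos=None):
    """A PBR entry matching any combination of the five fields; None is a wildcard."""
    return {
        "src": ip_network(src) if src else None,
        "dst": ip_network(dst) if dst else None,
        "sport": sport, "dport": dport, "tos": tos,
        "iface": iface,
    }


# PBR table, checked in order before the default table; first match wins.
PBR_ROUTES = [
    # Constructed rule: traffic marked TOS 46 takes the 10 M link whatever its source.
    pbr_entry(LINK_10M, tos=46),
]
# Twelve internal segments 10.0.1.0/24 .. 10.0.12.0/24: two on the 2 M link, ten on the 10 M link.
PBR_ROUTES += [
    pbr_entry(LINK_2M if n <= 2 else LINK_10M, src=f"10.0.{n}.0/24")
    for n in range(1, 13)
]


def packet(src, dst, sport, dport, tos=0):
    """The five fields PBR can match on, for one packet."""
    return {"src": ip_address(src), "dst": ip_address(dst),
            "sport": sport, "dport": dport, "tos": tos}


def pbr_match(entry, pkt):
    for f in FIELDS:
        want = entry[f]
        if want is None:
            continue                      # wildcard field
        if f in ("src", "dst"):
            if pkt[f] not in want:        # address must fall inside the prefix
                return False
        elif pkt[f] != want:              # ports and TOS compare exactly
            return False
    return True


def route(pkt):
    """Return (egress interface, name of the table that decided)."""
    for entry in PBR_ROUTES:
        if pbr_match(entry, pkt):
            return entry["iface"], "pbr"
    candidates = [r for r in DEST_ROUTES if pkt["dst"] in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1], "dest"


if __name__ == "__main__":
    for p in (packet("10.0.1.7", "203.0.113.5", 40000, 80),
              packet("10.0.7.7", "203.0.113.5", 40000, 80),
              packet("10.0.1.7", "203.0.113.5", 5060, 5060, tos=46),
              packet("10.0.100.1", "198.51.100.9", 40000, 80),
              packet("10.0.100.1", "203.0.113.5", 40000, 80)):
        print(p["src"], "->", p["dst"], route(p))
```

Note that a source covered by a PBR entry never reaches the destination table, so the education-network prefix only takes effect for hosts outside the twelve segments (the 10.0.100.1 server in the demo); if such hosts should also use the best destination route, the PBR table needs an explicit entry for that destination placed before the source-based ones.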
The three methods described above all balance outbound traffic, that is, connections initiated from the inside to the outside, which suits most enterprise environments. Some users, such as companies providing Internet services, also need inbound load balancing at the same time: when an Internet user initiates a connection to an intranet server, the nearest link should be chosen for access.
Commercial link load balancing devices (such as the F5 Link Controller and Radware LinkProof) have a small built-in DNS server. This DNS server monitors changes in link state; if it finds that one link has failed, it no longer answers DNS queries with the address belonging to that link's operator, providing high availability of the service. Of course, the price of such devices is far higher than that of a firewall.
Compared with the previous generation, the fourth-generation ASIC doubles performance: the firewall's packet processing rate is as high as 3 million packets per second (PPS), encrypted packet processing reaches 1.5 million per second, and it handles packets of any size while guaranteeing low latency, which is critical for new applications such as VoIP. In addition, multiple embedded processors improve denial of service (DoS) protection and the handling of encrypted fragments, and new features can be added in the future through software upgrades.
Network access control solution Topological graph
Complete wired / wireless solution topology