V10, 2004/6/14 Page 1 of 20

AscenLink® Technical White Paper

Auto Routing

Overview

AscenVision understands that the current role of network services in the business world is not merely a form of communication, but also a service provider for the company’s everyday operations. Aside from providing important services for the company, the network also needs to be constantly monitored to ensure that it is maximizing the use of the resources, as well as lowering the cost of operations to provide the company with an edge amongst other competitors.

AscenVision Technology has long been committed to providing networks with high availability, load balancing, and well-managed bandwidth. If your network environment is comprised of systems provided by various ISPs, Auto Routing, an intelligent routing function for networks, is your solution to an optimal network environment. Auto Routing effectively controls all outbound traffic flows through AscenLink® and adds more resilience, higher availability, and better load balancing to your existing systems.

Features

With Auto Routing, you can control how packets are delivered to the WAN, and you can also define policies for routing and load balancing. More sophisticated planning down to the 3rd and 4th layers of the network protocols, which includes source and destination as well as all ports, can also be achieved to streamline the outbound flows.

The configuration of Auto Routing is straightforward and only requires setup for Policies and Filter. Policies enable you to define the way Auto Routing operates, and Filter is used as a criterion to trigger the Policy activation.

Method of Operation

Under the Auto Routing settings, you can specify the following:

1. The WAN links which the packets will use in the outbound traffic.
2. The links which will perform load balancing and fault tolerance.
3. The details of the information in layer 3 and layer 4 of the network protocol that will be used to create the policies, such as source, destination, and all ports.

Auto Routing can be summarized as:

Auto Routing = Filter + Policy + Fail-Over Policy

1. Filter: The settings in a filter include:
   a. Schedule: All-Time, Busy Hour, Idle Hour
   b. Source and Destination IP Addresses
   c. Service Ports
   Any network data flow which matches the information in the filter will automatically be qualified for auto routing.
2. Policies: Deciding which algorithm will be used to distribute the load on the WAN links for outbound traffic.
   a. Fixed
   b. Connection
   c. Round-Robin
   d. Round-Robin with Weight
   e. Downstream Traffic
   f. Upstream Traffic
   g. Total Traffic
3. Fail-Over Policy: When the associated links have all failed, this policy will select which paths can be used by the network traffic.

Example

In the illustration above, a company uses AscenLink® to integrate 4 ISPs, which together provide the total bandwidth of the network. To enhance availability and load balancing, “Policies” can be defined so that the first three lines serve as primary connections and apply a load balancing algorithm. “Filter” is subsequently set up, corresponding to the routing policies, with the 4th line designated as the “Fail-over Policy”. Under such a setting, the first three lines share all traffic when the system operates normally, as shown in Illustration 1. The 4th line is activated to mitigate the risk of the system disconnecting should the above-mentioned three lines fail, as shown in Illustration 2.

Illustration 1

Illustration 2

Summary

Auto Routing enhances stability as well as optimization in your network connection with straightforward configurations. It not only equips your network with availability and load-balancing features, but also allows for customized settings for certain IP addresses or prioritized tasks. Policies can also be defined according to different time slots to improve network bandwidth management. Auto Routing successfully relieves network administrators of complicated network management rituals, while optimum performance is guaranteed without further change in your existing network environment. In addition, expensive connection lines can be replaced by xDSL lines, which lowers the total cost of operation, and the savings can be used in other areas of the company for better purposes.

Bandwidth Management

Overview

Bandwidth Management is a policy-based and full-featured function for better management of bandwidth in AscenLink®. It not only optimizes the existing bandwidth consumption, but also strategically allocates the bandwidth usage according to priority and demands to avoid unnecessary traffic clogging or bandwidth abuse.

Features

Bandwidth management can control the inbound and outbound traffic on each link. It can also be defined in conjunction with the information on the 3rd and 4th layers of TCP/IP, i.e., all ports on the source and destination hosts, to enhance the bandwidth allocation and service level. In addition, bandwidth policies can be assigned specifically for different time slots (busy hour and idle hour) and priorities.

Example

In the illustration above, the company connects to various external networks via AscenLink®. Even if these networks are integrated, bandwidth consumption is not optimized due to lack of policy-based management. Staff as well as mission-critical servers share the same bandwidth without any differentiation and limitation. Traffic flows pass through without any priority classification. Staff’s less-prioritized flows inadvertently clog the network, which in turn sacrifices the essential quality for external services.

With the Bandwidth Management feature applied to your network, bandwidth optimization can be achieved through policy definitions with respect to source/destination hosts, time slots, service types, and transmission priorities. When the network traffic is high, the more important services can still function normally, and the busy and idle hours offer more flexibility in bandwidth management.

Summary

Bandwidth Management is your easy way to optimize bandwidth usage, customize your network transmission based on corporate-specific policies, and avoid any inefficient usage of bandwidth resources. Priority-driven policy-setting as well as timing-based configuration allows network administrators to manage the network in a more flexible fashion without compromising any valuable resources.

Firewall

Overview

As the Internet evolves exponentially, so do cyber threats. Our network environment is constantly exposed to unknown risks. To alleviate the concerns over network vulnerability, AscenLink®’s Firewall function can effectively filter network traffic based on data on the 3rd and 4th layers of TCP/IP, thereby successfully denying or regulating the inflow and outflow of certain packets and ensuring comprehensive network security. With this full-featured function installed, the enterprise network is armored with ultimate protection against malicious attacks or unauthorized access.

Features

AscenLink®’s Firewall function can integrate seamlessly with your existing firewall structures to provide further-intensified protection. Its intuitive design and straightforward interface allow administrators to effortlessly manage the network environment. In addition to blocking unknown flows based on layer 3 and layer 4 data, AscenLink® can also stamp out DoS and provide comprehensive protection to the overall network structure.

Example

In the illustration above, network security can be fortified via policy-based configurations.

Summary

AscenLink®’s Firewall function is your ultimate solution to a safer network environment, giving you robust protection when your network has no firewall, or reinforcing network safety on top of your existing firewall infrastructure. Not only does it filter packets based on data on the 3rd and 4th layers of TCP/IP, its policy-based protection also allows for further screening based on source or destination ports to avoid inbound or outbound DoS. Only AscenLink® can offer well-rounded and flexible network protection in addition to load balancing and bandwidth management.

Persistent Routing

Overview

AscenLink®’s Persistent Routing function enables users to fix flows between a paired source and destination for a certain time interval. The routing rule remains valid until the defined interval elapses. Some servers of e-commerce sites have a stringent user authentication process (e.g., SSH) in terms of account ID, password, source IP, etc. Without the Persistent Routing function, flow direction is based on the Auto-Routing table and packets would be sent to different WAN links carrying different source IPs, which in turn leads to failure in authentication. Persistent Routing is, therefore, indispensable to the authentication mechanism.

Features

Without the Persistent Routing function, the “fixed” algorithm in the Auto-Routing function can be applied to a certain link to provide a similar routing scheme. However, the Persistent Routing function adds more flexibility to the routing mechanism. When traffic flows from a certain source to a destination for the first time, a link is chosen based on the auto-routing table. If the following duplicated flows match the policy definition for Persistent Routing, packets will continuously be sent to the same route until timeout. Duplicated flows after the timeout are treated as new flows and applied with Auto Routing policies.
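
The mechanism described above, as an added example that is not part of the original white paper and is not AscenLink® code: a small Python model in which round-robin Auto Routing picks a WAN link for a new flow and a persistent-routing table pins the (source, destination) pair to that link until the timeout. The class and function names, the addresses, and the choice to measure the interval from the first flow without refreshing it are assumptions made for illustration.

```python
from itertools import cycle

# Constructed sample data: WAN link name -> public source IP the server sees.
WAN_SOURCE_IP = {
    "WAN1": "198.51.100.10",
    "WAN2": "198.51.100.20",
    "WAN3": "203.0.113.30",
}
CLIENT, SERVER = "10.0.0.5", "192.0.2.200"  # constructed internal host and server


class AutoRouter:
    """Auto Routing with the Round-Robin policy over the WAN links."""

    def __init__(self, links):
        self._next = cycle(links)

    def pick(self):
        return next(self._next)


class PersistentRouter:
    """Pins a (source, destination) pair to its first link until the timeout."""

    def __init__(self, auto_router, timeout):
        self.auto = auto_router
        self.timeout = timeout
        self.table = {}  # (src, dst) -> (link, expiry time)

    def route(self, src, dst, now):
        entry = self.table.get((src, dst))
        if entry is not None and now < entry[1]:
            return entry[0]  # duplicated flow inside the interval: same link
        # First flow, or the interval has elapsed: treat as new, ask Auto Routing.
        # Assumption: the interval runs from this moment and is not refreshed.
        link = self.auto.pick()
        self.table[(src, dst)] = (link, now + self.timeout)
        return link


def source_ips_without_persistence(times):
    """Source IPs a server sees when every flow is routed round-robin."""
    auto = AutoRouter(WAN_SOURCE_IP)
    return [WAN_SOURCE_IP[auto.pick()] for _ in times]


def source_ips_with_persistence(times, timeout):
    """Source IPs a server sees when flows to it are persistently routed."""
    router = PersistentRouter(AutoRouter(WAN_SOURCE_IP), timeout)
    return [WAN_SOURCE_IP[router.route(CLIENT, SERVER, t)] for t in times]


if __name__ == "__main__":
    flow_times = [0, 10, 59, 60]  # seconds; constructed
    # Round-robin alone: the source IP changes on every flow, so a server that
    # ties a session to the source IP rejects the follow-up flows.
    print(source_ips_without_persistence(flow_times))
    # Persistent routing, 60 s interval: one source IP until the entry expires.
    print(source_ips_with_persistence(flow_times, timeout=60))
```
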

Example

In the illustration above, a route can be temporarily fixed for certain flows based on policy-setting to bypass the Auto Routing function.

Summary

Persistent Routing, which temporarily fixes routes for duplicated flows, serves as an add-on feature to Auto Routing’s load-balancing. It is more flexible compared with the “fixed” algorithm available in Auto Routing and is especially useful when applied to flows going to e-commerce websites with a secure authentication mechanism.

Multihoming

Overview

AscenLink®’s Multihoming function provides non-stop network connectivity to multiple ISPs or network services, such as direct link, ISDN, and xDSL. Since network failure, which frequently results from ISP downtime or network disconnections, is beyond administrators’ control, more and more enterprises opt for multiple connections (i.e., multi-homed networks) to avoid service disruption.

Features

Multihoming is usually implemented with BGP (Border Gateway Protocol). However, multihoming with BGP is highly complicated in terms of configuration, which requires comprehensive internal planning and cooperation from ISPs. In addition, router convergence hampers the network performance, and network scalability is also a challenge.

AscenLink®’s Multihoming function not only eliminates the downtime risk derived from a single line connection, but also directs traffic based on bandwidth usage to avoid traffic congestion and boost network performance. Multihoming with load balancing can be easily achieved with AscenLink®’s intuitive and cost-effective design.

Example

In the illustration below, a company connects to 4 ISPs via AscenLink®. The Multihoming function enables inbound load-balancing to avoid overloading on certain links, which leads to delays.

AscenLink® allows for configuration of publicly accessible servers and IP addresses of DNS servers. These servers are then given domain names and assigned weights based on bandwidth usage to evenly distribute traffic. In the event of failure on a WAN link, AscenLink® stops responding to that link to ensure service continuity. Registration of more domain names on TWNIC is highly recommended to avoid service interruption as a result of failure on a certain WAN link.

Summary

With ever-increasing reliance on network connection for various services, multi-homed networks safeguard enterprises from losses as a result of single connection failure. Multihoming with BGP entails high professionalism and complexity in network planning and configuration. It also has additional drawbacks in terms of scalability and performance. On the other hand, AscenLink®’s intuitive interface allows for easy configurations with only a few mouse clicks on the selection menu. Besides, network performance is significantly enhanced through the load-balancing feature to provide network availability around-the-clock.

Cache Redirect

Overview

AscenLink®’s Cache Redirect function is used to direct HTTP (Port 80) flows to a cache server, which in turn responds with existing data to effectively streamline the process of duplicated requests. While the flow redirection, commonly known as Transparent Cache, is kept transparent to users as a result of AscenLink®’s filtering, the function successfully expedites response time as well as enhances the bandwidth management by cutting down redundant traffic.

Features

AscenLink®’s Cache Redirect function passes internal hosts’ duplicated requests to a cache server, which subsequently takes care of these queries on behalf of external web servers. In addition to flow-redirection, the Cache Redirect function also serves as a health detector for cache servers to avoid invalid flow redirection to impaired cache servers. Flows can also be redirected with different weights assigned to various cache server groups.

In the newly-released AscenOS, redirection is no longer confined to flows going through Port 80. The enhanced function enables network administrators to optimize flows with configuration down to various service ports.

Example

In the illustration above, AscenLink®, as per configurations, can direct traffic going through Port 80 to a cache server for further processing.

Summary

With the ubiquity of redundant requests in the network environment, cache servers effectively simplify flows by responding to requests on behalf of external servers. The Cache Redirect function serves to redirect duplicated requests to cache servers so as to free up valuable bandwidth. Additionally, the health detection feature addresses the concerns over service downtime resulting from a single point of failure in a cache server. Together with the health detection feature, weight allocation, and service port configuration, AscenLink®’s Cache Redirect function is more intelligence-driven than simple flow redirection as frequently seen in other products.

Backup Line

Overview

Backup Line serves as a contingency configuration for the network in AscenLink®. The designated link stays idle until certain circumstances occur. While Auto Routing enhances availability and load balancing among active links, Backup Line controls link activation or de-activation based on the backup algorithm.

Features

Backup Line helps network administrators effectively improve the network availability and load-balancing. In addition to essential backup in a network outage, load-balancing can be optimized via algorithm setting. That is, Backup Line can be activated whenever the traffic exceeds a certain level and likewise can be de-activated once the traffic drops below the threshold. It is especially cost-effective when applied to links with high leasing cost or those charged by bandwidth consumption. With Backup Line, network cost can be significantly reduced because such a line is only activated when necessary.

Example

In the illustration above, WAN 2, normally idle, is designated as the Backup Line for WAN 1. When a certain circumstance, such as network outage or traffic overflow, occurs in WAN 1, WAN 2 is activated until the criterion no longer applies, e.g., network recovery or traffic reduction below the threshold.

Summary

Backup Line allows the deployment of links when they are most needed. The backup algorithm can be easily activated and deactivated based on network availability or traffic flow to ensure resource optimization. It is especially economical for connection lines which charge based on the amount of data flow or time, so that the use of network resources can be maximized.

Grouping

Overview

It has been AscenVision’s mission to provide straightforward and intuitive design and user interfaces to facilitate administrators’ network management. With this in mind, AscenLink® provides object-grouping functions, such as IP Grouping and Service Grouping, to further simplify user interfaces. The Grouping function allows users to group distinct objects under one single name, which can subsequently be applied with the same configuration to significantly eliminate redundancy in policy-setting.

Features

The name of the grouped object, as a result of either IP Grouping or Service Grouping, will appear on the function menu. Users can proceed with further configuration with respect to safety, bandwidth, or router policies for that specific group.

Assigning highly repetitive policies to various IPs or Services proves quite time-consuming and prone to configuration errors for network administrators. With the grouping functions, IPs and Services can be grouped in advance. The grouped name can later be selected from the drop-down menu for further configuration, which significantly simplifies the policy-setting process and avoids errors in redundant configuration.

Example

Take Service Grouping for example. In the illustration above, three distinct services can be grouped under one name before the policy-setting, so that configuration can be finished once for all, instead of three times.

Summary

Network management can be quite mind-boggling when it comes to clunky equipment and complicated commands. However, AscenLink® significantly eases administrators’ network management burden through intelligent and intuitive design, such as the IP or Service Grouping functions, which effectively help administrators with the redundant policy-setting process.

Tunnel Routing

Overview

Tunnel Routing is a good example of AscenLink®’s multihoming feature. It helps to expand the services through multiple ISP connections, while achieving complete load-balancing in the network and ensuring a non-stop connection service.

Features

Up until recently, services such as VPN, NetMeeting, NFS, and video conference used only single IP to IP connections, which terminated as soon as the WAN link was disconnected. In addition, these services could not be performed on multiple IPs. As a result, AscenLink® created Tunnel Routing to solve the problem and improve these special services.

By setting up the Tunnel Routing feature on two AscenLink® machines, a VPN tunnel can be automatically created from several WAN links on AscenLink®. This feature can easily be performed by configuring the settings in two AscenLink® machines. After setting up, the multiple WAN links on AscenLink® will automatically form a VPN tunnel. Any service(s) which use this tunnel will be guaranteed a non-stop connection even if a WAN link fails.

Example

The configuration for Tunnel Routing is very simple. First, assign the tunnel groups and enter the source and destination addresses of the WAN links which will be used. The final part of the configuration requires selecting the routing rules, the WANs and tunnel groups which will take part in the tunnel routing process.

In this example, two AscenLink® machines are each connected to two WANs. Tunnel routing is carried out between the machines using two Netscreen 5GT machines. Let’s assume AscenLink® A (IP address 102.168.1.2) is located in Taipei and AscenLink® B (IP address 192.168.2.10) is located in Beijing. The VPN service between the two AscenLink® machines can be guaranteed even if a WAN link fails. Using this mechanism, the information between the two companies can be shared as if each were a workgroup computer in the local network.

Summary

Through Tunnel Routing, you can integrate multiple ISP connections and provide fast and non-stop services such as VPN, video conference, NFS, and database sharing between headquarters and branch offices. Such secure quality services will let you enjoy the convenience of the Internet.