1 - PowerPoint PPT Presentation

About This Presentation
Title:

1

Description:

Application: No billing change for user, user just need to agree ... Can not access Hotmail and Yahoo Mail. 8. UI /New item. Scenario B's login page modify ... – PowerPoint PPT presentation

Slides: 31
Provided by: KenW151
Category:
Tags: yahoomail


Transcript and Presenter's Notes

Title: 1


1
(No Transcript)
2
NAT Pool for VPN Packet

1. Introduction
Some VPN servers limit client access: the VPN server accepts only one client from any given source IP address. This means that if two client PCs are behind a NAT router and access the same VPN server at the same time, one of the clients may not succeed. The NAT Pool for VPN Packet function is implemented to overcome this problem. When NAT Pool for VPN Packet is enabled, the source IPs of the PPTP and IPSec packets from client PCs are translated to more than one global IP and forwarded to the VPN server.

2. Specification
a. In the NAT function, if the device receives VPN packets from the LAN, it replaces the original source IP address with another global IP address.
b. When the device receives VPN packets from the WAN, it checks the mapping table to restore the original IP address. If it can't find an entry in the table, the packet is dropped.
c. Because this function lowers performance, the administrator can enable or disable it. The default is disabled.
d. The administrator needs to enter the global IP pool; those IP addresses are then used by NAT automatically. The maximum number is 50.
e. This strategy supports only packets belonging to IPSec and PPTP.
f. If the global addresses are exhausted, the device drops the packets automatically and cannot give any information to the user.
g. If the destination IP addresses of some VPN packets are different, the device uses the same global IP address for these packets whether the source IP addresses are different or not, because the device can distinguish each session by the destination IP address and the VPN server can accept this situation.
h. If the destination IP addresses of some VPN packets are the same and the source IP addresses are different, the device uses different global IP addresses to replace the original source IP addresses.
i. The user can only connect to one server with one session.
j. The status page provides information on the mapping table for VPN packets. The administrator can analyze this information if a guest can't connect to the VPN server.
k. The device uses the N-1 mapping policy to process packets as normal, except for VPN (IPSec and PPTP) packets.
l. For IPSec, the device supports only tunnel mode and does not include the AH protocol.
3
NAT Pool for VPN Packet
1. Different client PCs establish VPN connections to the same VPN server at the same time
[Diagram: two VPN clients send their original VPN packets through the IPNPSG-II and the Internet to the VPN server]
VPN Server (PPTP or IPSec) IP: 211.21.1.1
WAN IP: 172.21.1.1
NAT Pool: 172.21.1.2 - 172.21.1.12
NAT Pool Table
Source IP -> Translated IP
192.168.1.1 -> 172.21.1.1
10.59.1.1 -> 172.21.1.2
4
NAT Pool for VPN Packet
2. Different client PCs establish VPN connections to different VPN servers at the same time
[Diagram: two VPN clients send their original VPN packets through the IPNPSG-II and the Internet to two VPN servers]
VPN Server (PPTP or IPSec) IP: 211.21.1.1
VPN Server (PPTP or IPSec) IP: 168.35.1.1
WAN IP: 172.21.1.1
NAT Pool: 172.21.1.2 - 172.21.1.12
NAT Pool Table
Source IP -> Translated IP
192.168.1.1 -> 172.21.1.1
10.59.1.1 -> 172.21.1.1
5
NAT Pool for VPN Packet
3. Three different client PCs establish VPN connections. Two client PCs access the same VPN server and one client PC accesses another VPN server at the same time
[Diagram: three VPN clients send their original VPN packets through the IPNPSG-II and the Internet to two VPN servers]
VPN Server (PPTP or IPSec) IP: 211.21.1.1
VPN Server (PPTP or IPSec) IP: 168.35.1.1
WAN IP: 172.21.1.1
NAT Pool: 172.21.1.2 - 172.21.1.12
NAT Pool Table
Source IP -> Translated IP
192.168.1.1 -> 172.21.1.1
10.59.1.1 -> 172.21.1.2
192.168.1.8 -> 172.21.1.1
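The allocation rules from the specification (items b, d, f, g, h and i), written out as an added Python example that reproduces the NAT Pool Table of scenario 3; this is not the device's own code. It assumes the WAN IP is handed out before the pool addresses (as the slide tables suggest) and assumes which client targets which server, since the slide does not say; the class and function names are hypothetical.

```python
import ipaddress

class VpnNatPool:
    """Source-IP translation for PPTP/IPSec sessions per spec items b, d, f, g, h, i."""

    def __init__(self, wan_ip, pool_first, pool_last):
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        if last - first + 1 > 50:
            raise ValueError("item d: the pool holds at most 50 addresses")
        pool = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        # Assumption from the slide tables: the WAN IP is handed out before the pool.
        self.candidates = [wan_ip] + pool
        self.by_client = {}   # client IP -> (server IP, translated IP)
        self.by_global = {}   # (server IP, translated IP) -> client IP

    def outbound(self, client, server):
        """LAN -> WAN: return the translated source IP, or None when the packet is dropped."""
        entry = self.by_client.get(client)
        if entry is not None:
            # Item i: one session to one server per user.
            return entry[1] if entry[0] == server else None
        for ip in self.candidates:
            # Items g/h: an address may be reused unless it already faces this server.
            if (server, ip) not in self.by_global:
                self.by_client[client] = (server, ip)
                self.by_global[(server, ip)] = client
                return ip
        return None  # item f: addresses exhausted, packet dropped

    def inbound(self, server, translated):
        """WAN -> LAN: restore the client IP, or None (drop) when no entry exists (item b)."""
        return self.by_global.get((server, translated))

    def table(self):
        return {client: ip for client, (_, ip) in self.by_client.items()}


def scenario_three():
    # Constructed replay of slide 5; which client targets which server is assumed.
    nat = VpnNatPool("172.21.1.1", "172.21.1.2", "172.21.1.12")
    nat.outbound("192.168.1.1", "211.21.1.1")
    nat.outbound("10.59.1.1", "211.21.1.1")
    nat.outbound("192.168.1.8", "168.35.1.1")
    return nat


if __name__ == "__main__":
    for client, ip in scenario_three().table().items():
        print(client, "->", ip)
```

Keying the reverse table on the (server, translated IP) pair is what lets 172.21.1.1 serve two clients at once without ambiguity on the return path.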
6
NAT Pool for VPN Packet
Add in Advance Setup/System, between NAT and
Layer 2 isolation
7
NAT Pool for VPN Packet
New page
Add NAT Pool Table item between Session list
and LAN device
8
NAT Pool for VPN Packet
Add NAT Pool exhausted log in syslog
NAT Pool exhausted (IP/Port): A log is sent when IP mapping for NAT Pool VPN connections is exhausted or NAT port mapping is exhausted.
Format: (Id, Mac Address)(NAT Pool exhausted, type)
Type: IP / Port
9
Vendor Specific attribute
Vendor code: customizable (1 - 16777215)

Attribute            Vendor-assigned attribute number   Attribute format
Traffic-Limit        1                                  Integer (max. 4095)
SMTP Redirect        2                                  Integer (0, 1)
BW-Up                3                                  Integer (64 - 24576)
BW-Down              4                                  Integer (64 - 24576)
Portable Page URL    5                                  String (max. 200)

Traffic-Limit: Controls the user's access based on data volume (unit: Mbyte), including upload and download data.
SMTP Redirect: 0 = Do not support SMTP Redirect; 1 = Support SMTP Redirect.
BW-Up: Controls the user's upload bandwidth (Kbps).
BW-Down: Controls the user's download bandwidth (Kbps).
Portable Page URL (max. 200): Specific advertisement URL for each client.
10
  • Traffic Limit attribute
  • Only supported in Radius -> Accumulation mode.
  • If Radius is in Time to finish mode but the VSA reply from Radius still brings the Traffic limit attribute -> Error message (VSA error!-Traffic limit-Time to finish is selected)
  • If Radius is in Accumulation mode and the VSA reply from Radius brings both the Traffic limit attribute and the Session Timeout attribute, the DUT will use the Traffic limit attribute to limit the user on a traffic basis.
  • If the Traffic Limit value is over 4095, the system will send an error message. Error message: (VSA error!-Traffic limit-Over value)
  • On the Current user list page, if the user is a traffic limit user, "N/A" is shown in the "Expiration" field.
  • Note: When the user presses the logout button, the DUT will send the Traffic Limit attribute to the Radius server.
  • SMTP Redirect attribute
  • If the DUT does not have an SMTP server set up but the VSA reply from Radius brings SMTP Redirect 1 -> Error message (VSA error!-SMTP Redirect-no SMTP server setup )

11
BW-Up / BW-Down attribute
Only supported when Bandwidth Management is enabled and "Class of service" is selected.
  • If the DUT's Bandwidth Management is disabled but the VSA reply from Radius still brings the BW-Up and BW-Down attributes -> Error message (VSA error!-BW-up/down-Bandwidth Management disable)
  • If the DUT's Bandwidth Management is enabled and "Equal bandwidth for all subscriber" is selected, but the VSA reply from Radius still brings the BW-Up and BW-Down attributes -> Error message (VSA error!-BW-up/down-Equal bandwidth for all subscriber is selected)
  • If the DUT's Bandwidth Management is enabled and "Class of service" is selected, but the VSA reply from Radius does not bring the BW-Up and BW-Down attributes -> Error message (VSA error!-BW-up/down-Class of service is selected but no BW-up/down)
  • If the VSA reply from Radius only has BW-up -> Error message (VSA error!-BW-up/down-no BW-down)
  • If the VSA reply from Radius only has BW-down -> Error message (VSA error!-BW-up/down-no BW-up)
  • If the value of bandwidth up/down is out of range, the system will send an error message.
  •          BW-up: (VSA error!-BW-up/down-BW-up out of range)
  •          BW-down: (VSA error!-BW-up/down-BW-down out of range)
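The VSA checks from the Traffic Limit, SMTP Redirect and BW-Up/BW-Down slides combined into one validator, as an added Python example rather than the DUT's firmware logic. The `cfg` keys (`mode`, `smtp_server`, `bw_mgmt`) and the function name are hypothetical, the bandwidth range is read from the attribute table as 64 to 24576 Kbps, and the message strings follow the slides with spacing normalised.

```python
def validate_vsa(reply, cfg):
    """Return the 'VSA error!' messages the slides specify for one RADIUS reply.

    reply: dict of VSA name -> value as received from the RADIUS server.
    cfg:   hypothetical DUT settings: mode ('accumulation' | 'time_to_finish'),
           smtp_server (bool), bw_mgmt ('disable' | 'equal' | 'class').
    """
    errors = []

    def err(attr, reason):
        errors.append(f"VSA error!-{attr}-{reason}")

    # Traffic-Limit is only valid in Accumulation mode and is capped at 4095 Mbyte.
    limit = reply.get("Traffic-Limit")
    if limit is not None:
        if cfg["mode"] == "time_to_finish":
            err("Traffic limit", "Time to finish is selected")
        elif limit > 4095:
            err("Traffic limit", "Over value")

    # SMTP Redirect 1 needs an SMTP server configured on the DUT.
    if reply.get("SMTP Redirect") == 1 and not cfg["smtp_server"]:
        err("SMTP Redirect", "no SMTP server setup")

    # BW-Up / BW-Down are only valid with Bandwidth Management in Class of service mode.
    up, down = reply.get("BW-Up"), reply.get("BW-Down")
    has_bw = up is not None or down is not None
    if cfg["bw_mgmt"] == "disable":
        if has_bw:
            err("BW-up/down", "Bandwidth Management disable")
    elif cfg["bw_mgmt"] == "equal":
        if has_bw:
            err("BW-up/down", "Equal bandwidth for all subscriber is selected")
    elif not has_bw:
        err("BW-up/down", "Class of service is selected but no BW-up/down")
    elif down is None:
        err("BW-up/down", "no BW-down")
    elif up is None:
        err("BW-up/down", "no BW-up")
    else:
        if not 64 <= up <= 24576:
            err("BW-up/down", "BW-up out of range")
        if not 64 <= down <= 24576:
            err("BW-up/down", "BW-down out of range")
    return errors
```

An empty list means the reply is consistent with the DUT configuration; each entry is one message to surface to the operator.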

12
Example of VSA error message
(VSA error!-SMTP Redirect-no SMTP server setup )
13
Vendor Specific attribute
Note: Even if "Send VSA attribute together with Authentication-Request" is unchecked, if the Radius reply contains VSAs, the DUT has to handle them.
14
Vendor Specific attribute Traffic Limit
1. When the Traffic-Limit attribute is included in the Authentication Reply from the Radius server, the Information Window will show Mbyte.
15
Credit Card: Authorize.net / iValidate
Only for Scenario C
16
Credit Card: Authorize.net / iValidate
Add Credit Card item.
17
New Page
18
(No Transcript)
19
Session Trace
Add Session Trace item, between logs and SNMP
20
(No Transcript)
21
Add new field
The value is shown only when using a device that supports VLAN tags.
22
Session Trace
Session log file example
1. The file name includes SystemName and Date/Time (DDMMYYHHMMSS). For example: hotspotA070404153212.txt
2. The file format is txt.
3. Content: system name, username, date/time, VLAN ID, source IP/MAC/Port, destination IP/Port.
[Txt file example]
4. Every session log is saved in temporary RAM. Once 50 logs have been collected or the interval time specified in the web page is reached, the system sends the log file containing the collected logs to the specified TFTP server. The previously saved logs are then cleared.
5. If Authentication is disabled, the Username information is blank.
6. When using a device that supports VLAN tags, the VLAN ID field has a value; otherwise the value is blank.
23
Scenario B's Login page
Change
24
Send log via e-mail
Default
25
New check box (E-mail). Default: unchecked
26
User Agreement Redirect page or local standard
page
Default
27
Customize User Agreement Page
Default User Agreement Page
Preview Page
28
Customize User Agreement Page
Default User Agreement Page
Default
Default Blank
Default
Preview Page
29
Preview Page
30
Allows the service provider to decide whether the subscriber may close the Information Window. Default: unchecked