Draytek Vigor 2952 Dual-WAN Firewall SSL VPN Gigabit Router DV2952

Vigor2952 Dual-WAN security firewall router is an enterprise level router designed for medium sized businesses that need strong business network features, including support of up to 100 VPN tunnels.

The Vigor2952 router is fitted with 2 x Gigabit Ethernet WAN interfaces, with WAN 1 selectable as a SFP port for optic fibre module installation. The USB port 2 (USB2) for 3G/4G mobile dongles. You can connect to the Internet through any of these interfaces, or with a combination of interfaces for Load Balance and/or Failover functions.

For mission critical applications the Vigor2952 router can be used in High Availability mode, and be used in parallel with another router to provide uninterrupted network connectivity should one of the routers fails.

Vigor2952 supports business grade network features including an object-oriented SPI (Stateful Packet Inspection) firewall, IPv6, 100 VPN tunnels, 50 SSL VPN tunnels, tag-based VLAN, multiple subnets, etc.

The centralised network management features, including Central VPN Management, Central Switch Management and Central AP Management, help the network administrators to simplify network configuration tasks through a convenient console.

The Vigor2952 series router can be rack mounted, using the supplied mounting brackets, into a standard 19” rack or cabinet.

1. WAN Connectivity

The Vigor2952 router supports 2 types of WAN Interfaces: 2 x Gigabit Ethernet WAN interfaces and the USB port 2 (USB2) for 3G/4G mobile dongles. You can set WAN 1 to be a Gigabit Ethernet port, or a SFP port to accommodate an optic fibre module for fibre installations.

With between 2 to 4 WAN interfaces connected, you can configure for Load Balancing or Failover. For example, you can use WAN 1 as your primary Internet connection and have a failover connection over a 4G LTE connection.

2. LAN and VLAN

The Vigor2952 has 4 x Gigabit LAN ports and supports up to 60,000 NAT sessions.

The Vigor2952 supports both port-based and 802.1q tagged VLANs. Port based VLANs allow the assignment of a VLAN and IP subnet to each router LAN port. On the other hand, 802.1q tagged VLANs can extend up to 8 VLANs and 8 IP subnets to an attached switch port.

3. Quality of Service (QoS)

QoS functions allow the network administrators to set priorities for certain types of traffic to guarantee the required level of performance for data flow. For example real-time traffic such as VoIP or Video Conferencing can be prioritised as these have less tolerance over delays caused by network congestion.

A traffic type can be assigned to each of the three QoS classes and have bandwidth pre-allocated and reserved.

4. Firewall

The Vigor2952 has powerful firewall features including: object-oriented SPI (Stateful Packet Inspection) firewall, DoS (Denial of Services), CSM (Content Security Management), and WCF (Web Content Filter).

SPI Firewall monitors incoming and outgoing packets at Layer 3 (OSI model) and passes or blocks the data packets based on the configuration.

The DoS feature protects the network for malicious access requests from DoS attacks.

CSM enables network administrators to control and manage IM (Instant Messenger) and P2P (Peer-to-Peer) applications. For instance, you can stop network users from accessing inappropriate contents, or ensure that network traffic is not affected by undesirable or unauthorized P2P downloads.

WCF classifies all websites on the Internet into 64 categories, and allows network administrators to select categories to protect the users from undesirable website content. DrayTek uses the CYREN WCF database for its Vigor routers, and each router includes a free 30 day trial license.

The object-based firewall provides flexibility by using Objects in the firewall settings. Objects can be created and placed in groups by IP, service type, keyword, file extension, etc. This allows a filter rule to be applied to many IP addresses, reducing number of firewall filters required. In addition, these objects and groups can be reused for other firewall settings resulting in reduced amount of work required to create multiple firewall rules.

Firewall rules can be applied according to a Time Schedule to control access to the Internet or network services according to predetermined time slots. Up to 4 time schedules can be applied to each firewall filter rule. For example social media can be restricted during work hours and be allowed during off work hours in a company.

5. VPN & SSL-VPN

Vigor2952 supports up to 100 simultaneous VPN tunnels of common protocols such as IPSec/PPTP/L2TP, and 50 tunnels of SSL VPN protocol. The dedicated VPN co-processor supports the hardware encryption of AES/DES/3DES, hardware key hash of SHA-1/MD5, and LDAP authentication, and ensures that VPN traffic is secure and performance is maximised.

The SSL technology allows secure Web encryption such as those used for on-line banking. With Vigor2952, you can create SSL VPN in Full Tunnel mode or Proxy mode.

Furthermore, since the Vigor2952 supports multiple Ethernet and 3G/4G WANs, you can create VPN Trunking for VPN Load Balance and VPN Backup. For instance, you can use a number of connections to a site to increase the bandwidth, or have a backup connection when the primary connection fails.

6. Central VPN Management

Instead of normal method for VPN connection through web browsers, Vigor2952 supports Central VPN Management (CVM) through TR-069 protocol. From a CVM page, you can create VPN tunnels with just a few mouse clicks on the icons representing your local network (e.g. a public place such as a café) and remote locations (e.g. branch or home office), and the router will establish the connection automatically. This takes away the tedious process required for VPN tunnel creation.

As well as simplifying creation of VPN tunnels, CVM provides a console to monitor multiple CPE devices and VPN tunnels. This includes displaying the CPE devices on a Google Map.

Other features include scheduling of CPE configuration backup/restore tasks as well as scheduled firmware upgrade of the CPE devices. Up to 8 DrayTek CPE devices are supported.

7. Central AP Management

Vigor2952 supports Central AP Management (APM) with a console to auto-configure and manage up to 20 directly connected (via LAN cables) Draytek wireless Access Points, including VigorAP 800, VigorAP 810, VigorAP 900, VigorAP 910C & VigorAP 902.

The APM Dashboard displays the status, such as traffic and number of attached stations, of all the attached Access Points.

With Auto Provisioning enabled on the attached Access Points, WLAN profiles can be created and applied to the selected Access Points from the central console.

The AP Maintenance feature allows a number of actions, including Configuration Backup and Restore, Firmware Upgrade, Remote Reboot and Factory Reset, to be programmed for selected Access Points.

The connected Access Points can also be displayed on a map or floor plan showing their locations and basic descriptions. Other features include Traffic Graph, Rogue AP detection, Event Log, Total Traffic, Station number and Access Point Load Balancing.

8. Central Switch Management (New Firmware will be released soon)

Central Switch Management provides a convenient and easy way to manage and configure supported VigorSwitches, and save time and reduces troubleshooting efforts.

From a console page on Vigor2952, you can assign VLANs to the switch ports and at the same time update the router configuration, with a few mouse clicks within the graphical user interface. Similarly you can create 802.1q trunk ports in the same way.

The switch status page shows the status of all the attached switches, including switch name, IP address, the model number and system up time. You can see how many ports and are in use in each switch as well as port status and how many clients are connected.

You can backup or restore switch configurations, or reboot, or reset to factory default settings, any of the switches.

9. Remote Access Management

The Vigor2952 supports a number of management options to control access to the router both locally and remotely.

The TR-069 feature integrates with the VigorACS-SI centralised management system, and allow system integrators or network administrators to configure, monitor and manage the Vigor2952 remotely from the comfort of their offices or homes. It can also be used to Auto-Provision the Vigor2952 remotely by sending configuration data to the router.

There are 3 wizards: a Configuration Wizard, a VPN Wizard and a Firmware Upgrade Wizard. These allow network administrators to quickly and easily carry out complex tasks.

Alarm & Log Management features ensure real time notifications and alerts to specified phone numbers or email accounts in relation to faults or status of the connected CPEs.

A number of diagnostic functions, including Data Flow Monitor, Traffic Graph and Syslog Explorer, allow the network administrator to monitor and troubleshoot network conditions remotely.

Like all Vigor routers, Vigor2952 supports management options include HTTP, HTTPS, FTP, SSH, Telnet and SNMP.

10. High Availability Mode

High Availability is essential in mission critical applications where the network as well as Internet connectivity needs to be available 100% of the time. Should a hardware failure occur in a primary router, a standby router will immediately come on line to provide uninterrupted network connectivity.

High Availability mode in the Vigor2952 router provides hardware redundancy by the use of one or more Vigor2952 routers to be configured for Hot-Standby or Active-Standby.

Key features of High Availability mode are:

• WCF License share (Hot-Standby only)
  Network administrators can create a High Availability group on MyVigor website and include at most 8 routers to join the group and share the same WCF license. Only 1 router (the primary) can use the license at a time, and when the primary router goes down, the secondary router will come up and register to MyVigor server and continuous to provide firewall protection to LAN clients. It means only one WCF license is required per High Availability group.
• Configuration Sync (Hot-Standby only)
  Every configuration/modification made on the primary router will be synchronized to the other group member(s) ensuring that network functionality is identical should the primary router fails.
• DDNS Update
  For dynamic WAN IP users, High Availability group members can share the same DDNS account, that when the secondary router become primary, it will update the DDNS profile so the network can continue to be accessible via the same DDNS domain.