High-Availability over VPN
Nokia IP45 Security Platform User’s Guide v4.0
221
• Multiple devices need to share the same static IP address on a WAN interface without
creating an IP address conflict. WAN high-availability avoids an IP address change, and
thereby ensures virtually uninterrupted access from the Internet to internal servers on your
network.
Before configuring high-availability, make sure that you meet the following requirements:
You must have at least two identical IP45 devices with:
• identical firmware versions and firewall rules
• the same internal networks
• different real internal IP addresses, but sharing the same virtual IP address
• the devices' synchronization interface ports connected either directly or through a switch.
For example, if the DMZ is the synchronization interface, then the DMZ/WAN2 ports on the
devices must be connected to each other.
Note
You can enable the DHCP server in all the IP45 devices. The DHCP server of a passive
gateway starts answering the DHCP requests only if the active gateway fails.
Advanced High-Availability
The following sections describe the advanced high-availability feature.
Route-Based VPN and BGP
The Nokia IP45 security platform has built-in features to automatically detect the failure of an
IPSec VPN connection from a remote office or branch office to the headquarters. On failure, it
forwards the traffic by using an alternative link (dial backup or VPN) through another ISP.
The IP45 security platform uses Border Gateway Protocol (BGP) to detect IPSec VPN
connection failures, and to activate alternative links. The IP45 monitors each IPSec VPN tunnel
in association with a BGP neighbor at the headquarters.
Figure 7 Dynamic VPN
To detect IPSec VPN connection failure, the Nokia IP45 security platform monitors the
reachability of the remote BGP peers associated with the VPN tunnel. On failure, the passive
link is activated to establish an alternative IPSec VPN connection to reach the associated BGP
remote peer.
The Nokia IP45 continues to monitor the reachability of the remote BGP peer on the preferred
(primary) connection to the headquarters. The Nokia IP45 falls back to the preferred VPN
connection as soon as the associated remote BGP peer becomes accessible again.
A pair of loopback addresses (active and passive) is defined on the Nokia IP45 security
platform, with BGP route advertisement restricted to the LAN and static NAT addresses. This
scenario is supported with Check Point SmartLSM. The VPN policy installed on the Nokia IP45
includes only the topology of the immediately protected network behind the central office gateway.
This enables the traffic between these two networks to be tunneled, including the communication
between the BGP peers. The central office BGP peer advertises the central office (CO) networks
to the IP45 over BGP. Traffic originating from the IP45 LAN and destined for the central office
network is tunneled and sent.
Border Gateway Protocol
The Nokia IP45 security platform participates in an Autonomous System (AS), and can establish
neighbor relationships and exchange routes with other, non-adjacent routers.
An AS is a network or group of networks under common administration and with common
routing policies.
The Nokia IP45 supports a limited set of BGP-4 features for route-based VPN and failover.
Note
You can configure BGP by using the Nokia IP45 CLI only. This feature is not supported in
the IP45 GUI. Use the command-line options from a command shell (such as HyperTerminal)
to configure these options. A brief list of important commands is included in this guide as an
introduction. For more information about these commands, see the
Nokia IP45 Security Platform CLI Reference Guide Version 4.0.
Configuring the BGP
The following sections list the commands used to configure BGP.
Enabling BGP Routing
Use the following command to enable the BGP routing protocol:
set bgp daemon <restart | enable | disable>
Configuring the Local AS and Router-ID
Use the following command to configure the local AS:
set bgp as <value>
router-id <value ipaddress>
Configuring for BGP Route Advertisement
The network and redistribute commands are used to inject routes into the BGP table. The
network-mask portion of the IP address allows supernetting and subnetting.
Use the following commands to configure route advertisements:
add bgp
network <value ipaddress | netmask-length>
redistribute <connected | kernel | static>
Use the following commands to delete BGP route advertisements:
delete bgp
network <value ipaddress | netmask-length>
redistribute <connected | kernel | static>
Monitoring BGP
Use the following show commands to monitor BGP activity:
show bgp config all
show bgp summary
show bgp config running
Viewing Debugging Information
Use the following debug commands to display information on BGP logs for inbound or
outbound events, or both:
set bgp debug
event <on | off>
keepalive <on | off>
update <on | off>
fsm <on | off>
Adding a BGP Peer to the Nokia IP45 Security Platform
The Nokia IP45 security platform v4.0 supports both internal and external BGP neighbors.
Internal neighbors are in the same autonomous system; external neighbors are in different
autonomous systems. Normally, external neighbors are adjacent to each other and share a subnet,
while internal neighbors can be anywhere in the same autonomous system.
Use the following command to add BGP neighbors:
add bgp neighbor <value ip_address> remote-as <value>
Use the following command to delete a BGP neighbor:
delete bgp neighbor <value ip_address>
Clearing BGP
Clearing a BGP neighbor session resets BGP connections to enable inbound and outbound
policy changes. Use the following commands to clear a BGP neighbor session:
clear bgp <neighbor <value ip_address> | neighbors>
Creating Prefix Lists on the Nokia IP45 Security Platform
Prefix lists are used to filter the updates to and from a peer on the basis of network prefixes and
masks. A prefix list is associated with a sequence number and a prefix length range for a specified
prefix and mask. The sequence number determines the order of the lookup, so heavily used
prefixes can be placed earlier in the list. Prefix list filtering is easier to use and more efficient
than access lists.
Use the following commands to add prefix lists:
add bgp prefix-list <list-name>
seq-no <value> action <permit | deny>
any prefix <value>
Use the following commands to delete prefix lists:
delete bgp prefix-list <all-unused | name <value> [seq-no <value>]>
Creating Access Lists on the Nokia IP45 Security Platform
Access lists are filters that enable you to restrict the routing information a router advertises to a
neighbor. BGP uses address-based access lists.
Use the following commands to configure access lists:
add bgp access-list <list-name>
action <permit | deny>
any prefix <value>
Use the following commands to delete access lists:
delete bgp access-list <all-unused | name <value>>
Creating Route Maps on the Nokia IP45 Security Platform
Route maps are used to control the distribution of routing updates. Route maps consist of a list of
match and set commands. The match commands specify the match criteria, and the set commands
specify the action to be taken if the match criteria are met. Only those routes that pass through the
route map are accepted (inbound route maps) or forwarded (outbound route maps).
Use the following commands to add route maps:
add bgp route-map name <map-name>
action <permit | deny> seq-no <value>
match <ip-address <value> | ip-next-hop <value> | metric <value>>
set ip-next-hop <value ip_address>
local-preference <value>
weight <value>
metric <value>
as-path-prepend <value>
Use the following commands to delete route-maps:
delete bgp route-map <all-unused | name <value> [seq-no <value>]>
Configuring Routing Policies on the Nokia IP45 Security Platform
Routing policies for a remote peer include all of the configurations such as route-map, distribute
list, prefix-list, and filter-list that might affect inbound or outbound routing table updates.
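The prefix-list and route-map behaviour described in the preceding sections, together with the primary-then-backup preference from the failover description at the start of the chapter, modelled in Python as an added illustration (this is not IP45 code and does not drive its CLI): entries are evaluated in seq-no order, the first match decides, and a permitted inbound route receives the set actions. The peer addresses, networks and local-preference values are constructed, and the implicit deny when no prefix-list entry matches is an assumption, marked as such in the code.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class PrefixEntry:  # add bgp prefix-list <name> seq-no <n> action <permit|deny> <any | prefix <p>>
    seq_no: int
    action: str                   # "permit" or "deny"
    prefix: Optional[str] = None  # None models the 'any' keyword

def prefix_list_permits(entries, route: str) -> bool:
    """Lookup runs in seq-no order; the first match decides. No match: dropped (assumed implicit deny)."""
    for e in sorted(entries, key=lambda x: x.seq_no):
        if e.prefix is None or ip_network(e.prefix) == ip_network(route):
            return e.action == "permit"
    return False

@dataclass
class RouteMapEntry:  # add bgp route-map name <m> action <a> seq-no <n> match ... set ...
    seq_no: int
    action: str
    match_ip_next_hop: Optional[str] = None
    set_local_preference: Optional[int] = None

def apply_route_map(entries, route: dict):
    """First entry whose match criteria hold decides: permit applies set actions, deny or no match drops."""
    for e in sorted(entries, key=lambda x: x.seq_no):
        if e.match_ip_next_hop not in (None, route["next_hop"]):
            continue
        if e.action != "permit":
            return None
        accepted = dict(route)
        if e.set_local_preference is not None:
            accepted["local_preference"] = e.set_local_preference
        return accepted
    return None

# Constructed scenario (not from the guide): HQ network 10.2.0.0/16 learned over both
# tunnels; primary peer 192.0.2.1, backup peer 192.0.2.2, LAN 10.1.1.0/24.
PREFER_PRIMARY = [
    RouteMapEntry(10, "permit", match_ip_next_hop="192.0.2.1", set_local_preference=200),
    RouteMapEntry(20, "permit", match_ip_next_hop="192.0.2.2", set_local_preference=100),
]
LAN_OUT = [PrefixEntry(10, "permit", "10.1.1.0/24"), PrefixEntry(20, "deny")]

def best_path(updates):
    """Highest local-preference wins: primary tunnel while its peer is reachable, else backup."""
    ok = [r for r in (apply_route_map(PREFER_PRIMARY, u) for u in updates) if r]
    return max(ok, key=lambda r: r["local_preference"], default=None)
```

Feeding best_path() the updates from both peers selects the primary tunnel's route; dropping the primary peer's update (the BGP neighbor becoming unreachable) selects the backup tunnel's route.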