Nokia IP45 Security Platform User's Guide v4.0
11 High-Availability (page 226 / 342)
Use the following commands to configure the routing policies for the created BGP Peer:
set bgp neighbor <value ip_address>
    dont-capability negotiate <on | off>
    ebgp-multihop <on | off>
    keepalive <value> holdtime <value>
    maximum-prefix <value <value> [warning-only <on | off>] | off>
    next-hop-self <on | off>
    no-shutdown
    passive <on | off>
    peer-group <value <value> | off>
    port <value <value> | off>
    prefix-list <value> direction <in | out | both> state <on | off>
    route-map <value> direction <in | out | both> state <on | off>
    route-reflector-client <on | off>
    update-source <value> state <on | off>
    weight <value <value> | off>
    shutdown
    distribute-list <value> direction <in | out | both> state <on | off>
Configuring a Remote BGP Peer with MD5 Authentication
You can invoke MD5 authentication with a remote BGP peer so that each segment sent on the TCP connection between the peers is verified. The same password must be configured on both BGP peers, or the connection between them is not established. The authentication feature uses the MD5 algorithm: when it is invoked, the Nokia IP45 generates and checks the MD5 digest of every segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, a message appears on the console.

Note
MD5 authentication with a remote BGP peer is implemented external to the BGP routing process on the Nokia IP45. This authentication mechanism is tightly coupled with the VPN modules; therefore, this feature is not supported for clear-text BGP updates.
Use the following commands to configure BGP remote peers:
add bgp remote-peer <value ip_address>
    vpn-peer <value ip_address>
    priority <normal | high>
    [gateway <value> password <value>]
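The per-segment digest described above is what the TCP MD5 Signature Option (RFC 2385) provides for BGP sessions; the guide does not name the RFC, so that is an assumption. The following is an added example, not Nokia IP45 code: it computes the digest over the TCP pseudo-header, the fixed TCP header with a zero checksum, the payload and the shared password, and shows why a password mismatch between the two peers fails verification. The addresses, ports and the BGP KEEPALIVE payload are constructed sample values.

```python
"""RFC 2385 TCP MD5 signature computation and check (added example, not Nokia code).
Constructed sample data: documentation addresses 192.0.2.x, a BGP KEEPALIVE payload,
and a 20-byte fixed TCP header whose data offset is 10 (fixed header + 20 option bytes)
with the checksum field zeroed, as the RFC requires for the digest input."""
import hashlib
import hmac
import struct

TCP_PROTO = 6
OPT_BYTES = 20                     # 18-byte MD5 option (kind 19) + 2 NOP padding bytes
DATA_OFFSET = (20 + OPT_BYTES) // 4  # header length in 32-bit words

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def fixed_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    # Fixed 20-byte header only; checksum is 0 because the digest assumes a zero checksum
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (DATA_OFFSET << 12) | flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, header, payload, password: bytes) -> bytes:
    """MD5 over pseudo-header + fixed header (options excluded) + data + password."""
    seg_len = len(header) + OPT_BYTES + len(payload)   # real TCP length includes options
    pseudo = (ip_to_bytes(src_ip) + ip_to_bytes(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + password).digest()

def verify_segment(src_ip, dst_ip, header, payload, received_digest, password) -> bool:
    """Receiver side: recompute with the locally configured password and compare."""
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, password)
    return hmac.compare_digest(expected, received_digest)

# Constructed BGP KEEPALIVE message: 16-byte all-ones marker, length 19, type 4
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

def demo(sender_pw: bytes, receiver_pw: bytes) -> bool:
    """Peer A signs a KEEPALIVE with sender_pw; peer B verifies it with receiver_pw."""
    hdr = fixed_tcp_header(179, 40001, seq=1000, ack=2000, flags=0x18)  # PSH|ACK
    digest = tcp_md5_digest("192.0.2.1", "192.0.2.2", hdr, KEEPALIVE, sender_pw)
    return verify_segment("192.0.2.1", "192.0.2.2", hdr, KEEPALIVE, digest, receiver_pw)

if __name__ == "__main__":
    print(demo(b"s3cret", b"s3cret"))   # True: same password on both peers
    print(demo(b"s3cret", b"wrong"))    # False: mismatch, the session never comes up
```

A segment whose digest fails this check is dropped by the receiving TCP before BGP ever sees it, which is why a password mismatch leaves the session stuck in connect/active rather than producing a BGP-level error.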
Configuring a Local Loopback Interface
Loopback interfaces enable your BGP session to stay up regardless of the state of the physical interface used to reach the neighbor. Configure this loopback interface IP address as the source address for the BGP process to communicate with a remote BGP peer.
Use the following command to configure a loopback interface:
set interface loopback id <value> address <value> mask-length <value>
Use the following command to view a loopback interface:
show interface loopback <all | id <value>>
Use the following command to delete a loopback interface:
delete interface loopback id <value>
Configuring Criteria for Path Selection
A VPN tunnel established with a given VPN peer is assumed to be disconnected or unavailable if the corresponding BGP peer is unreachable.
HA enforces the primary Internet connection as the path for each high-priority BGP peer and its associated VPN peer by inserting static routes towards the primary Internet connection. This ensures continuous status monitoring of the high-priority BGP peers.
Use the following command to configure a remote peer:
add bgp remote-peer <value ip_address>
    vpn-peer <value ip_address>
    priority <normal | high>
    [gateway <value> password <value>]
Use the following command to delete a remote peer:
delete bgp remote-peer <value ip_address>
High-Availability Options
The following are the high-availability options available with the Nokia IP45 device.
• Generic: the device monitors the WAN link and decides on failover and fallback based on the synchronization interface and the interface tracking feature. This is used in dual-device HA and is independent of BGP. For more information, see "Generic High-Availability" on page 219.
• The following are the options available for the advanced high-availability solution:
  • dialup: used in Single Device HA. This mode is useful if the device has dial-up as the primary Internet connection with multiple dial-up profiles. In this mode, the device uses the dial-up profiles for fail-over. If the BGP peer becomes unreachable using one profile, the device automatically switches to the next dial-up profile. This process continues in round-robin fashion until the BGP peer becomes reachable.
  • secondary: used in Single Device HA. This mode is useful if the device has LAN/PPPoE/PPTP/DHCP as the primary Internet connection and dial-up as the secondary Internet connection (optionally with multiple profiles). In this mode, the device fails over to the secondary Internet connection (dial-up) if all high-priority BGP peers become unreachable. It continues to monitor the status of the high-priority BGP peers and falls back to the primary Internet connection if any one high-priority BGP peer becomes reachable. It drops the dial-up connection when the device falls back to the primary Internet connection.
  • BGP: this mode is useful if the device has LAN/PPPoE/PPTP/DHCP as the primary Internet connection and has no dial-up connection. The primary device of the dual-device HA scenario is configured to operate in this mode. In this scenario, you have another device acting as backup. The backup device can have either dial-up or LAN/PPPoE/PPTP/DHCP for its Internet connection. The primary and backup devices establish an internal BGP (IBGP) session with each other. Fail-over takes place automatically in the primary device based on the availability of CO routes (external or internal BGP, EBGP or IBGP).
  • BGP-external: this mode is useful if the device has LAN/PPPoE/PPTP/DHCP as the primary Internet connection and DMZ as the secondary Internet connection. In this mode, the DMZ is assumed to be secure and the traffic passing through the DMZ is not encrypted, so the DMZ can be connected to an external VPN device or to a router connected to a frame relay network. In this mode, the IP45 uses the DMZ as backup to the primary Internet connection. Traffic is tunneled as long as the BGP peer is reachable over VPN through the primary Internet connection. As soon as the BGP peer becomes unreachable, the traffic goes in plain text through the DMZ interface. As in the other modes, the device continues to monitor the status of the high-priority BGP peers and falls back to the primary Internet connection if at least one high-priority BGP peer becomes reachable.
    HA triggers the VPN tunnels associated with normal-priority BGP peers if it finds all of the high-priority BGP peers unreachable. HA continues to monitor the status of the high-priority peers and drops the tunnels associated with the lower-priority BGP peers as soon as at least one of the high-priority BGP peers becomes reachable.
  • none: no high availability.
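The fail-over and fall-back rules above are asymmetric: the device leaves the primary path only when all high-priority BGP peers are unreachable, but returns as soon as any one of them is reachable, and the normal-priority tunnels follow the same trigger. The following is an added simulation of that decision logic for the secondary mode, not Nokia IP45 code; the peer addresses, priorities and reachability events are constructed.

```python
"""Simulation of the IP45 'secondary' HA mode decision rule (added example, not Nokia code).
Rule from the guide: fail over when ALL high-priority BGP peers are unreachable; fall back
(and drop dial-up) as soon as ANY ONE high-priority peer is reachable again; tunnels to
normal-priority peers are up only while all high-priority peers are down."""
from dataclasses import dataclass, field

@dataclass
class HaState:
    peers: dict                              # peer ip -> "high" | "normal" (constructed)
    reachable: set = field(default_factory=set)
    path: str = "primary"                    # "primary" or "secondary" (dial-up)
    normal_tunnels_up: bool = False
    log: list = field(default_factory=list)

    def high_peers(self) -> set:
        return {ip for ip, prio in self.peers.items() if prio == "high"}

    def update(self, ip: str, is_reachable: bool) -> str:
        """Apply one BGP peer reachability change and return the active path."""
        if is_reachable:
            self.reachable.add(ip)
        else:
            self.reachable.discard(ip)
        all_high_down = not (self.high_peers() & self.reachable)
        if all_high_down and self.path == "primary":
            self.path = "secondary"
            self.normal_tunnels_up = True
            self.log.append("fail over to dial-up; normal-priority tunnels triggered")
        elif not all_high_down and self.path == "secondary":
            self.path = "primary"
            self.normal_tunnels_up = False
            self.log.append("fall back to primary; dial-up and normal-priority tunnels dropped")
        return self.path

def run_scenario() -> HaState:
    """Two high-priority peers and one normal-priority peer, constructed event sequence."""
    st = HaState(peers={"10.1.1.1": "high", "10.1.1.2": "high", "10.2.2.2": "normal"})
    for ip in st.peers:
        st.update(ip, True)
    st.update("10.1.1.1", False)   # one high peer down: still on primary
    st.update("10.1.1.2", False)   # all high peers down: fail over, normal tunnels up
    st.update("10.1.1.2", True)    # one high peer back: fall back immediately
    return st

if __name__ == "__main__":
    for line in run_scenario().log:
        print(line)
```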
High-Availability Solutions
Nokia IP45 v4.0 supports the following high-availability solutions using single and dual IP45 devices.
High-Availability Solutions with a Single Nokia IP45 Device
Figure 8: Single Device HA
In this scenario, the branch office is always securely connected to the central office over the Internet with a single Nokia IP45 device, using a DSL or cable connection with dial-up as backup. The Nokia IP45 (R1) connects to RO1 and establishes a VPN connection on DSL (the preferred connection). The Nokia IP45 (R1) and the BGP peer (R3) located in RO1 establish a BGP connection over VPN. If this BGP session fails because of any service interruption, dial-up is activated: the Nokia IP45 (R1) connects to RO2 and establishes a VPN connection. R1 and the BGP peer (R4) located in RO2 establish a BGP connection over VPN, and the traffic from the branch office flows through this alternative path. As soon as the IP45 (R1) detects that the BGP session on the DSL connection is established again, the dial-up connection to RO2 is discontinued.
High-Availability Solutions with Dual Nokia IP45 Devices
A high-availability solution using Nokia IP45 devices can be achieved by the following two methods:
• Generic HA
• HA coupled with BGP (advanced HA solution)
Generic HA
Figure 9: Generic HA Solution - Dual Nokia IP45 devices
This scenario supplements the single-device HA solution to cater for device failures as well as WAN link failures. In the illustration, the IP45 devices in an HA cluster are configured with the same WAN IP address. WAN high-availability is enabled in the backup device, which means that the backup device establishes a connection to the Internet only when the WAN link of the master device fails. When an IP45 device (R1) fails to connect to the Internet, R2 takes over as master and starts forwarding internal traffic to the central office through the VPN tunnel. As soon as R1 becomes active again, the WAN connectivity through R2 is discontinued and R1 becomes the master.
