CCNSP v3.0 Module 10 Transcript
TABLE OF CONTENTS
Introduction .......................................................... 1
Need of High Network Uptime ........................................... 1
Hardware Level ........................................................ 1
  Appliance Clustering ................................................ 1
  Redundant Power Supply .............................................. 1
  LAN Failover ........................................................ 2
Application Level ..................................................... 3
Network Level ......................................................... 3
  Multilink Manager ................................................... 3
  3G/4G link configuration on Cyberoam ................................ 4
  Active-Active load balancing and gateway failover ................... 4
  Failover rules ...................................................... 5
  Configure both the gateways as active ............................... 5
  Gateway Load Balancing .............................................. 6
  Active-Passive gateway failover through Firewall rule ............... 9
Troubleshooting Gateway Failover Conditions ........................... 9
VPN Failover ......................................................... 11
Summary .............................................................. 13
Network High Availability Cyberoam Certified Network & Security Professional
Introduction
Computer networks and their devices are required not only to deliver maximum throughput but also to be available at all times. The property of hardware and software being usable at any instant is termed High Availability. There are several ways to achieve network high availability, and they matter most where business-critical and revenue-generating traffic is being processed. The network must be built so that uptime is as high as possible. This module looks at how to achieve high network uptime.
Need of High Network Uptime
As Wikipedia puts it, high availability is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period.
Users want their networks to be ready to serve them at all times. Availability refers to the ability of the user community to access the system. If a user cannot access the system, it is said to be unavailable. Generally, the term downtime is used to refer to periods when a system is unavailable.
Hardware Level
To get high uptime, or ideally zero downtime, the hardware level is the first to consider. Here the hardware itself is engineered to give minimum or zero downtime. Cyberoam does this in three ways:
Appliance Clustering
Redundant Power Supply
LAN Failover (also called LAN Failsafe)
Appliance Clustering
In Cyberoam's appliance clustering approach, a CyberoamOS cluster consists of two identical Cyberoam Layer 8 firewalls running the same CyberoamOS version. The cluster synchronizes configuration between the two appliances, so the administrator does not have to configure policies on each appliance separately. There are two approaches to this type of deployment:
Active Active
Active Passive
In an Active Active deployment, CyberoamOS is active on both appliances. Both appliances process network traffic together (how it is shared depends on the policies), which multiplies the throughput.
In an Active Passive deployment, one Cyberoam appliance is active while the other stands by as a backup. When the first one goes down, CyberoamOS triggers the second, which takes over and functions identically to the first.
Note: CyberoamOS calls the active and passive appliances as primary and auxiliary respectively.
Cyberoam supports HA in all deployment modes, i.e. Bridge, Gateway and Mixed.
Redundant Power Supply
Cyberoam appliances are redundant not only in CyberoamOS but also in the power supply. Cyberoam Layer 8 firewall appliances come with a hot-swappable redundant power supply, which means both power supplies are on at all times. If one fails, the appliance and CyberoamOS are unaffected, giving zero downtime.
LAN Failover
Upon failure of an appliance or of CyberoamOS, Cyberoam's LAN Failover takes over to ensure zero downtime. LAN Failover is available only in bridge mode. During failover (also known as Hardware Bypass) the paired ports are bridged straight through in hardware, so CyberoamOS identity-based policies and firewall rules are not applied: the appliance fails open and traffic between the paired ports passes unfiltered. LAN Failover is therefore a disaster-recovery state, not a normal operating mode; upon encountering it a customer should immediately contact Cyberoam support.
LAN Failover is performed on a pair of ports, and the pairs vary from appliance to appliance. The table below lists each model and its LAN Failover port pairs:

Model number   Port pairs
50iNG          A & B, C & D
100iNG         A & B, C & D
200iNG         E & F, G & H
200iNG-XP      A & B, C & D
300iNG         E & F, G & H
300iNG-XP      A & B, C & D
2500iNG        M & N, O & P
Note: Models below 50iNG do not support LAN Failover.
LAN Failover can be triggered by failure of the appliance, loss of power to the appliance, fire, or any other calamity that stops the appliance from functioning.
Application Level
For organizations it is important that business-critical and revenue-generating traffic gets proper treatment, so CyberoamOS also provides application-level high availability. When the Cyberoam Layer 8 firewall is deployed in Active Active mode, CyberoamOS can be configured to load-balance traffic through a chosen Cyberoam appliance. In this way the productivity of business-critical applications and revenue-generating traffic such as SAP, ERP, etc. can be increased. To summarize, Cyberoam provides high availability not only for the hardware but also for business applications, so as to give zero downtime to all network applications.
Network Level
CyberoamOS works not only with a single WAN link but also with multiple WAN links. Multiple links are handled by the CyberoamOS Multilink Manager.
Multilink Manager
Load balancing is determined by the load metric, or weight. Each link is assigned a relative weight and Cyberoam distributes traffic across links in proportion to the ratio of the weights assigned to the individual links; the weight determines how much traffic passes through a particular link relative to the others.
Administrators can set weights to define how traffic should be directed to providers so as to best utilize their bandwidth investments. Weights can be chosen based on:
Link capacity (for links with different bandwidth)
Link/bandwidth cost (for links with varying cost)
By default all gateways have weight 1, so Cyberoam load-balances 1:1 across all gateways.
CyberoamOS supports many types of WAN link, such as:
ADSL over Ethernet
DSL over Ethernet
MPLS over Ethernet
3G over USB
4G LTE modems over USB
3G/4G link configuration on Cyberoam
To configure 3G/4G modems (WWAN) on Cyberoam, log in to the appliance from the console, choose option 4 (Cyberoam Console) and enter the command:
Cyberoam wwan enable
This enables the WWAN menu on Cyberoam; 3G/4G links can then be configured from there.
For more details on how to configure them, refer to the Cyberoam documentation at http://kb.cyberoam.com/default.asp?id=1797&SID=&Lang=1
Active-Active load balancing and gateway failover
By default, all the gateways defined through the Network Configuration Wizard are created as Active gateways.
For an Active Gateway
Depending on the weight, Cyberoam selects the gateway for load balancing: traffic is distributed across links in proportion to the ratio of the weights assigned to each link, so the weight determines how much traffic passes through a particular link relative to the others.
To specify the weight, go to Network > Gateway > click the Gateway Name.
To add a Gateway Failover Rule, go to Network > Gateway > click the Gateway Name > Failover Rules.
Gateway failover provides link-failure protection: when one link goes down, traffic is switched to a link that is still up. This gives users uninterrupted Internet connectivity; the transition is transparent to the end user with no disruption in service, i.e. no downtime.
To achieve WAN failover between multiple links:
Configure the links in an Active-Backup setup
define the Active gateway/interface
define the Backup gateway/interface (traffic is routed through this link only when the active interface is down)
define the failover rule
In the event of an Internet link failure, the Multilink Manager automatically sends traffic to the available Internet connections without administrator intervention. If more than one link is configured as a backup link, traffic is distributed among them in the ratio of the weights assigned to them. On failover, a Backup gateway can inherit the parent (Active) gateway's weight or use a weight configured for it.
Failover rules
The transition from a dead link to a live one is governed by the failover rule defined for the link.
A failover rule specifies:
how to check whether the link is alive or dead
what action to take when the link is not alive
A failover rule has the form
IF Condition 1 AND/OR Condition 2 THEN Action
Depending on the outcome of the conditions, traffic is shifted to another available gateway.
By default, Cyberoam creates a Ping rule for every gateway: it periodically sends ping requests to check the health of the link, and if the link does not respond, traffic is automatically sent through another available link. Which gateway is selected and how much traffic is routed through it depends on the number of configured active and backup gateways.
Choose a probe target that reliably answers ICMP and whose reachability actually reflects the health of that link (for example the ISP's next-hop router); a rule that pings a distant host fails the link over whenever that host or the path to it is down, even though the link itself is up.
Configure both the gateways as active
Gateway Load Balancing
By default, all firewall traffic is load balanced across all the ISP links in proportion to the weights.
Firewall > Edit any of the rules.
Depending on the weight, the Cyberoam appliance selects the gateway for load balancing, distributing traffic across links in proportion to the ratio of the weights assigned to each link; the weight determines how much traffic passes through a particular link relative to the others.
Active-Passive Gateway Failover
The Feature:
Configure a redundant link on Cyberoam.
Configure multiple backup links.
Backup links for specific routes.
Benefit:
Provides link-failure protection.
By default Cyberoam assigns weight 1 to all gateways configured using the initial Network Configuration Wizard; the gateway weights have to be changed manually as shown above.
Backup: a gateway used in an active/passive setup, where traffic is routed through the Backup gateway only when the Active gateway is down.
This option is only available when two or more gateways are configured on Cyberoam.
Backup Gateway Details:
Activate this Gateway: configure when the Backup gateway should take over from the Active gateway.
Automatic failover
From the dropdown list, specify when the backup gateway should take over from the active gateway. This takeover does not require administrator intervention.
Options:
Specific Gateway - the dropdown lists all the configured gateways. The backup gateway takes over, and traffic is routed through it, only when the selected gateway fails.
ANY - the backup gateway takes over, and traffic is routed through it, when any of the active gateways fails.
ALL - the backup gateway takes over, and traffic is routed through it, only when all the configured active gateways fail.
Manual Gateway Failover
Manual failover
If you select Manually, the administrator has to change the gateway by hand if the active gateway fails.
Action on Activation: configure the weight for the backup gateway. Cyberoam distributes traffic across links in proportion to the ratio of the weights assigned to each link, so the weight determines how much traffic passes through a particular link relative to the others.
Select Inherit weight of the failed active gateway if you want the Backup gateway to inherit the parent (Active) gateway's weight, or select Use pre-configured weight and specify a weight.
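The following Python model is added here as an example; it is not Cyberoam's software. It ties together the behaviour described in the Multilink Manager, failover rule and Backup gateway sections above: weight-based distribution across Active gateways, a per-gateway rule of the form IF condition AND/OR condition THEN gateway down, and Backup gateways that activate on a Specific Gateway, ANY or ALL active gateway failure, either inheriting the failed gateway's weight or using a pre-configured one. Gateway names, probe targets and probe outcomes are constructed. The AND/OR semantics (a gateway is declared dead only when all of its probes fail under AND, when any fails under OR), the choice of the first failed gateway as the one whose weight an ANY/ALL backup inherits, and largest-remainder rounding of the traffic shares are assumptions of this model, not documented CyberoamOS behaviour.

```python
# Added example: a model of Multilink Manager gateway weighting, failover rules
# and Backup gateway activation. Not Cyberoam's code; names and probe results
# below are constructed, and the AND/OR and weight-inheritance details are
# assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    weight: int = 1              # CyberoamOS default weight is 1
    backup: bool = False         # False: Active gateway, True: Backup gateway
    activate_on: str = "ANY"     # Backup only: "ANY", "ALL" or an Active gateway's name
    inherit_weight: bool = True  # Backup only: inherit the failed gateway's weight
    probes: List[str] = field(default_factory=list)  # hosts pinged by the failover rule
    operator: str = "AND"        # "AND": dead only if every probe fails; "OR": any


def gateway_is_dead(gw: Gateway, probe_results: Dict[str, bool]) -> bool:
    """Evaluate the gateway's failover rule (IF cond1 AND/OR cond2 THEN dead).

    probe_results maps "<gateway>/<target>" to True when the ping was answered.
    A gateway with no conditions is treated as up (assumption of this model).
    """
    if not gw.probes:
        return False
    failed = [not probe_results.get(f"{gw.name}/{t}", False) for t in gw.probes]
    return all(failed) if gw.operator == "AND" else any(failed)


def effective_weights(gateways: List[Gateway],
                      probe_results: Dict[str, bool]) -> Dict[str, int]:
    """Return the weight table traffic is balanced over after failover."""
    actives = [g for g in gateways if not g.backup]
    dead = [g for g in actives if gateway_is_dead(g, probe_results)]
    alive = {g.name: g.weight for g in actives if g not in dead}
    for b in (g for g in gateways if g.backup):
        trigger: Optional[Gateway] = None
        if b.activate_on == "ANY" and dead:
            trigger = dead[0]                      # assumption: first failed gateway
        elif b.activate_on == "ALL" and dead and len(dead) == len(actives):
            trigger = dead[0]
        else:
            trigger = next((g for g in dead if g.name == b.activate_on), None)
        if trigger is None or gateway_is_dead(b, probe_results):
            continue                               # not activated, or backup itself down
        alive[b.name] = trigger.weight if b.inherit_weight else b.weight
    return alive


def distribute(weights: Dict[str, int], flows: int) -> Dict[str, int]:
    """Share `flows` new connections across gateways in the ratio of their
    weights, rounding by largest remainder so the shares sum to `flows`."""
    total = sum(weights.values())
    if total <= 0:
        return {}
    shares = {n: w * flows // total for n, w in weights.items()}
    by_remainder = sorted(weights, key=lambda n: weights[n] * flows % total, reverse=True)
    for n in by_remainder[: flows - sum(shares.values())]:
        shares[n] += 1
    return shares


# Constructed configuration: two Active gateways weighted 3:1 and one Backup
# that activates only when ISP1 fails, inheriting ISP1's weight.
GATEWAYS = [
    Gateway("ISP1", weight=3, probes=["198.51.100.1", "203.0.113.1"], operator="AND"),
    Gateway("ISP2", weight=1, probes=["198.51.100.2"]),
    Gateway("ISP3", backup=True, activate_on="ISP1", inherit_weight=True),
]

# Constructed probe outcomes (True = ping answered).
ALL_UP = {"ISP1/198.51.100.1": True, "ISP1/203.0.113.1": True, "ISP2/198.51.100.2": True}
ISP1_DOWN = {"ISP1/198.51.100.1": False, "ISP1/203.0.113.1": False, "ISP2/198.51.100.2": True}
ISP1_ONE_PROBE_LOST = {"ISP1/198.51.100.1": False, "ISP1/203.0.113.1": True, "ISP2/198.51.100.2": True}
ISP2_DOWN = {"ISP1/198.51.100.1": True, "ISP1/203.0.113.1": True, "ISP2/198.51.100.2": False}

if __name__ == "__main__":
    for label, results in [("all up", ALL_UP), ("ISP1 down", ISP1_DOWN),
                           ("ISP1 one probe lost", ISP1_ONE_PROBE_LOST), ("ISP2 down", ISP2_DOWN)]:
        w = effective_weights(GATEWAYS, results)
        print(f"{label:20s} weights={w} share of 100 flows={distribute(w, 100)}")
```

With all links up, 100 new flows split 75/25 between ISP1 and ISP2. When both of ISP1's probes fail, ISP3 takes over with ISP1's weight of 3, so the split becomes 25 on ISP2 and 75 on ISP3; when only one of ISP1's probes fails, the AND rule keeps ISP1 in service; and when ISP2 fails, ISP3 stays idle because it was tied to ISP1 specifically and ISP1 carries everything.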
Note that Cyberoam supports (n-1) WAN links on an appliance without Wi-Fi and n WAN links on an appliance with Wi-Fi, where n is the number of ports on the appliance.
Non-Wi-Fi models get (n-1) links because at least one port has to serve the LAN; on Wi-Fi models the LAN can be served by the wireless interface.
Active-Passive gateway failover through Firewall rule
In the firewall rule, ISP1 is set as the Route Through Gateway and ISP2 as the Backup Gateway. When ISP1 goes down, all traffic matching the rule automatically shifts to ISP2.
Troubleshooting Gateway Failover Conditions
Make sure the correct gateway failover conditions are configured on the appliance; otherwise traffic will not fail over when a link goes down.
Refer to the failover condition slides to configure them properly.
Email Alerts
Cyberoam automatically sends a mail alert to the administrator whenever a gateway's status changes. This applies only when Cyberoam is deployed with multiple gateways.
Alert mail showing the gateway status Down
Status on Dashboard
The status of the gateways can always be checked from the dashboard: green against a gateway shows that it is up, red shows that it is down.
Note: CyberoamOS supports multilink over 3G.
VPN Failover
A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters of each connection in a group can be identical or different, except for the IP address of the remote gateway, which must differ. The order of the connections in the group defines their failover priority.
A connection included in the group must be activated and manually connected once before it participates in failover. A connection that has been manually disconnected does not fail over to the next connection.
When the primary connection fails, the next active connection in the group takes over without manual intervention and keeps traffic moving. The whole process is transparent to users. For example, if the connection established using the 4th connection in the group is lost, the 5th connection takes over.
Cyberoam considers a connection failed if:
the remote peer does not reply (Net to Net and Host to Host connections)
the local gateway fails (Road Warrior connections)
Prerequisites
Packets of the protocol specified in the failover condition, and their replies, must be allowed between the local server and the remote server, on both the local and the remote side
A connection can be included in only one group
A connection must be ACTIVE to participate in failover
Cyberoam VPN failover can be deployed in many configurations and lets remote/branch offices seamlessly establish a VPN connection to a secondary gateway should the connection to the primary gateway be terminated, allowing for continuous uptime.
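The following Python model is added here as an example and is not Cyberoam's software. It captures the VPN group rules stated above: the group order is the failover priority, only a connection that is ACTIVE and has been connected once can take over, a manually disconnected connection does not trigger failover, the two failure conditions (remote peer silent for Net to Net and Host to Host, local gateway down for Road Warrior), and the prerequisite that a connection belongs to one group only. Connection names, the group membership and the failure inputs are constructed.

```python
# Added example: a model of VPN connection-group failover as described in this
# module. Not Cyberoam's code; connection names and failure inputs are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VpnConnection:
    name: str
    kind: str = "net-to-net"          # "net-to-net", "host-to-host" or "road-warrior"
    active: bool = True               # connection is ACTIVE in the configuration
    connected_once: bool = True       # has been manually connected the first time
    manually_disconnected: bool = False


def connection_failed(conn: VpnConnection, peer_replies: bool, local_gateway_up: bool) -> bool:
    """Cyberoam's failure conditions: Net to Net and Host to Host connections fail
    when the remote peer stops replying; Road Warrior connections fail when the
    local gateway fails."""
    if conn.kind == "road-warrior":
        return not local_gateway_up
    return not peer_replies


def participates(conn: VpnConnection) -> bool:
    """A connection takes part in failover only if it is ACTIVE, has been
    connected once, and has not been manually disconnected."""
    return conn.active and conn.connected_once and not conn.manually_disconnected


def takeover(group: List[VpnConnection], lost: str) -> Optional[str]:
    """Return the name of the connection that takes over when `lost` drops: the
    next participating connection after it in group order, or None if there is
    none (or if `lost` was disconnected by hand, which does not trigger failover)."""
    names = [c.name for c in group]
    if lost not in names:
        raise ValueError(f"{lost} is not in the group")
    idx = names.index(lost)
    if group[idx].manually_disconnected:
        return None
    return next((c.name for c in group[idx + 1:] if participates(c)), None)


def duplicate_members(groups: Dict[str, List[VpnConnection]]) -> List[str]:
    """Prerequisite check: a connection may belong to one group only.
    Returns the names that appear in more than one group."""
    seen: Dict[str, str] = {}
    dupes: List[str] = []
    for gname, members in groups.items():
        for c in members:
            if c.name in seen and seen[c.name] != gname and c.name not in dupes:
                dupes.append(c.name)
            seen.setdefault(c.name, gname)
    return dupes


# Constructed group of five connections to the same remote site via different
# remote gateways; C3 was never connected manually, so it cannot take over.
BRANCH_GROUP = [
    VpnConnection("C1"),
    VpnConnection("C2"),
    VpnConnection("C3", connected_once=False),
    VpnConnection("C4"),
    VpnConnection("C5"),
]

if __name__ == "__main__":
    print("C1 lost ->", takeover(BRANCH_GROUP, "C1"))   # C2
    print("C2 lost ->", takeover(BRANCH_GROUP, "C2"))   # C4, since C3 never connected
    print("C5 lost ->", takeover(BRANCH_GROUP, "C5"))   # None: nothing left to take over
```

The point of the C3 entry is the first prerequisite: a connection that is defined but was never brought up by hand is skipped, so a group whose later members were never connected gives no protection at all even though they appear in the list.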
Summary
This module covered several of the most important Cyberoam high-availability features and the engineering concepts behind them:
Appliance clustering
LAN Failover
Redundant power supply on the appliance
Managing multiple WAN links with gateway load balancing
Active Active deployment
Active Passive deployment