ccnsp v3.0el module 10

Upload: mouna

Post on 07-Oct-2015


    TABLE OF CONTENTS

    Introduction
    Need of High Network Uptime
    Hardware Level
        Appliance Clustering
        Redundant Power Supply
        LAN Failover
    Application Level
    Network Level
        Multilink Manager
        3G/4G link configuration on Cyberoam
        Active-Active load balancing and gateway failover
        Failover rules
        Configure both the gateways as active
        Gateway Load Balancing
        Active-Passive gateway failover through Firewall rule
        Troubleshooting Gateway Failover Conditions
    VPN Failover
    Summary

    Network High Availability (Cyberoam Certified Network & Security Professional)

    Introduction

    Computer networks and their devices are required not only to deliver maximum throughput but also to be available at all times. The property of hardware and software being available at any instant is termed High Availability. There are several ways to achieve network high availability, and it matters most where business-critical and revenue-generating traffic is processed: the network must be built so that uptime is maximised. This module covers how high network uptime is achieved.

    Need of High Network Uptime

    As Wikipedia puts it, high availability is "a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period."

    Users want their networks to be ready to serve them at all times. Availability refers to the ability of the user community to access the system; if a user cannot access the system, it is said to be unavailable. The term downtime generally refers to the periods when a system is unavailable.

    Hardware Level

    To get high uptime, or in other words minimal downtime, the hardware level is the first to consider. In this type of high availability the hardware itself is engineered to give minimum or zero downtime. Cyberoam takes this approach through three methods:

    Appliance Clustering

    Redundant Power Supply

    LAN Failover (also called LAN Failsafe)

    Appliance Clustering

    In Cyberoam's appliance clustering approach, a CyberoamOS cluster consists of two identical Cyberoam Layer 8 firewalls running the same CyberoamOS version. CyberoamOS synchronises configuration between them, so the network administrator does not have to configure policies on both appliances. There are two approaches to this type of deployment:

    Active Active

    Active Passive

    In an Active-Active deployment, CyberoamOS on both appliances is active. Both appliances share the network traffic (according to the configured policies) and hence multiply the throughput.

    In an Active-Passive deployment, one Cyberoam appliance is active while the other stands by as a backup. When the first goes down, CyberoamOS triggers the second, which starts functioning identically to the first.

    Note: CyberoamOS refers to the active and passive appliances as primary and auxiliary respectively.

    Cyberoam supports HA in all deployment modes, i.e. Bridge, Gateway and Mixed.

    Redundant Power Supply

    Cyberoam appliances are redundant not only at the CyberoamOS level but also in their power supply. Cyberoam Layer 8 firewall appliances come with hot-swappable redundant power supplies: both supplies are on at all times, and if one fails the appliance and CyberoamOS are unaffected, giving zero downtime.


    LAN Failover

    Upon failure of an appliance or of CyberoamOS, Cyberoam's LAN Failover takes over to keep traffic flowing. LAN Failover is available only in bridge mode. During failover (also known as Hardware Bypass) the port pair is bridged in hardware, so CyberoamOS identity-based policies and firewall rules are non-functional: traffic crosses the appliance uninspected. LAN Failover is therefore a disaster-recovery state, not a security posture; upon encountering it, a customer should immediately contact Cyberoam support.

    LAN Failover is performed on a pair of ports, and the pairs vary from appliance to appliance. The table below lists each model's LAN Failover (failsafe) port pairs:

    Model        Port pairs
    50iNG        A & B, C & D
    100iNG       A & B, C & D
    200iNG       E & F, G & H
    200iNG-XP    A & B, C & D
    300iNG       E & F, G & H
    300iNG-XP    A & B, C & D
    2500iNG      M & N, O & P

    Note: Models below 50iNG do not support LAN Failover.

    LAN Failover can be triggered by appliance failure, loss of power to the appliance, fire, or any other calamity that stops the appliance from functioning.


    Application Level

    For organizations it is important that business-critical and revenue-generating traffic gets proper treatment. For this, CyberoamOS provides application-level high availability. When Cyberoam Layer 8 firewalls are deployed in Active-Active mode, CyberoamOS can be configured to balance traffic through a chosen appliance, so that the productivity of business-critical applications and revenue-generating traffic such as SAP and ERP is maintained. To summarise, Cyberoam provides high availability not only at the hardware level but also for the business applications, aiming at zero downtime for all network applications.

    Network Level

    CyberoamOS handles not only a single WAN link but also multiple WAN links, through its Multilink Manager.

    Multilink Manager

    Load balancing is determined by the load metric, or weight. Each link is assigned a relative weight, and Cyberoam distributes traffic across links in proportion to the ratio of the weights assigned to the individual links. The weight determines how much traffic passes through a particular link relative to the others.

    Administrators can set weight and define how the traffic should be directed to providers to best utilize their bandwidth investments. Weight can be selected based on:

    Link capacity (for links with different bandwidth)

    Link/Bandwidth cost (for links with varying cost)

    By default all gateways have weight 1, so Cyberoam load-balances 1:1 across all gateways.
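    The weight-proportional split described above, as an added example that is not CyberoamOS code: it models two gateways with the default 1:1 weights and a 3:1 pair, and shows two ways a multilink device can honour the ratio. The gateway names, weights and 5-tuples are constructed for the demonstration, and the per-flow hash pinning is an assumption about how a practitioner would keep a session on one ISP (and hence one public NAT address), not a statement about Cyberoam's internal algorithm.

```python
import hashlib
from collections import Counter

# Constructed gateway tables (not from the module): name -> weight.
# The wizard assigns every gateway weight 1, giving a 1:1 split; raising a
# weight shifts traffic toward that link in proportion to the ratio.
DEFAULT_GATEWAYS = {"ISP1": 1, "ISP2": 1}
WEIGHTED_GATEWAYS = {"ISP1": 3, "ISP2": 1}   # e.g. a 6 Mbps link beside a 2 Mbps link


def weighted_round_robin(gateways, n):
    """Assign n new connections to gateways using smooth weighted round-robin.

    Over any window of sum(weights) connections the split equals the weight
    ratio exactly: {ISP1: 3, ISP2: 1} yields ISP1, ISP1, ISP2, ISP1, ...
    """
    total = sum(gateways.values())
    current = {name: 0 for name in gateways}
    chosen = []
    for _ in range(n):
        for name, weight in gateways.items():
            current[name] += weight
        best = max(current, key=current.get)   # first maximum wins ties
        current[best] -= total
        chosen.append(best)
    return chosen


def gateway_for_flow(flow, gateways):
    """Pin a flow to one gateway by hashing its 5-tuple onto the weight ring.

    The same 5-tuple always lands on the same gateway, so a session keeps one
    public source address for its whole life instead of flipping between the
    ISPs' NAT addresses mid-session (an assumed design choice, not Cyberoam's).
    """
    total = sum(gateways.values())
    key = "|".join(str(part) for part in flow).encode()
    bucket = int(hashlib.sha256(key).hexdigest(), 16) % total
    cumulative = 0
    for name, weight in gateways.items():
        cumulative += weight
        if bucket < cumulative:
            return name
    raise AssertionError("unreachable: bucket is always below the total weight")


def distribution(flows, gateways):
    """Count how many flows each gateway receives under hash-based selection."""
    return Counter(gateway_for_flow(flow, gateways) for flow in flows)


def sample_flows(count):
    """Constructed 5-tuples (proto, src, sport, dst, dport) for the demonstration."""
    return [("tcp", f"10.0.0.{i % 200 + 1}", 40000 + i, "203.0.113.10", 443)
            for i in range(count)]


if __name__ == "__main__":
    print(weighted_round_robin(DEFAULT_GATEWAYS, 4))    # ISP1, ISP2, ISP1, ISP2
    print(weighted_round_robin(WEIGHTED_GATEWAYS, 8))   # six ISP1, two ISP2
    print(distribution(sample_flows(2000), WEIGHTED_GATEWAYS))
```

    Round-robin gives the exact ratio over a short window but can move consecutive connections of one client onto different ISPs; hash pinning converges on the ratio only over many flows but keeps each session on one link, which is what most stateful services need.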

    CyberoamOS supports many types of WAN link, such as:

    ADSL over Ethernet


    DSL over Ethernet

    MPLS over Ethernet

    3G over USB

    4G LTE modems over USB

    3G/4G link configuration on Cyberoam

    To configure 3G/4G modems (WWAN) on Cyberoam, log in to the appliance from the console, choose option 4 (Cyberoam Console) and enter the command:

    Cyberoam wwan enable

    This enables the WWAN menu on Cyberoam, after which 3G/4G links can be configured.

    For more details on how to configure them, refer to the Cyberoam documentation at http://kb.cyberoam.com/default.asp?id=1797&SID=&Lang=1

    Active-Active load balancing and gateway failover

    By default, all gateways defined through the Network Configuration Wizard are defined as Active gateways.

    For an Active gateway

    Cyberoam selects the gateway for load balancing according to its weight, distributing traffic across links in proportion to the ratio of the weights assigned to the individual links. The weight determines how much traffic passes through a particular link relative to the others.

    To specify the weight, go to Network > Gateway and click the Gateway Name.

    To add a Gateway Failover Rule, go to Network > Gateway, click the Gateway Name, then Failover Rules.


    Gateway failover provides link-failure protection: when one link goes down, traffic is switched over to the remaining active link. This safeguard provides uninterrupted, continuous Internet connectivity to users. The transition is transparent to the end user, with no disruption in service, i.e. no downtime.

    To achieve WAN failover between multiple links, configure the links in an Active-Backup setup:

    define the Active gateway/interface

    define the Backup gateway/interface (traffic is routed through this link only when the active interface is down)

    define the failover rule

    In the event of an Internet link failure, the Multilink Manager automatically sends traffic to the available Internet connections without administrator intervention. If more than one link is configured as a backup link, traffic is distributed among them in the ratio of the weights assigned to them. On failover, a Backup gateway can inherit the weight of its parent (Active) gateway or use a configured weight.

    Failover rules

    The transition from a dead link to an active link is based on the failover rule defined for the link.

    A failover rule specifies:

    how to check whether the link is active or dead

    what action to take when the link is not active

    A failover rule has the form

    IF Condition 1 AND/OR Condition 2 THEN Action

    Depending on the outcome of the conditions, traffic is shifted to any other available gateway.

    By default, Cyberoam creates a Ping rule for every gateway. Cyberoam periodically sends ping requests to check the health of the link; if the link does not respond, traffic is automatically sent through another available link. Which gateway is selected, and how much traffic is routed through each, depends on the number of configured active and backup gateways.

    Configure both the gateways as active


    Gateway Load Balancing

    By default, all firewall traffic is load balanced across all ISP links in proportion to their weights. To change the gateway selection for particular traffic, go to Firewall and edit the relevant rule.

    Depending on the weights, the Cyberoam appliance selects the gateway for load balancing and distributes traffic across links in proportion to the ratio of the weights assigned to the individual links; each weight determines how much traffic passes through that link relative to the others.


    Active-Passive Gateway Failover

    The Feature:

    Configure a redundant link on Cyberoam.

    Configure multiple backup links.

    Backup links for specific routes.

    Benefit:

    Provides the link failure protection

    By default Cyberoam assigns weight 1 to every gateway configured through the initial network configuration wizard. The gateway weights must be changed manually, as shown above.

    Backup: a gateway used in an active/passive setup, where traffic is routed through the Backup gateway only when the Active gateway is down.

    This option is available only when two or more gateways are configured on Cyberoam.

    Backup Gateway Details:

    Activate this Gateway: configure when the Backup gateway should take over from the Active gateway.


    Automatic failover

    From the dropdown list, specify when the backup gateway should take over from the active gateway. The takeover does not require administrator intervention.

    Options:

    Specific Gateway - the dropdown lists all configured gateways. The backup gateway takes over, and traffic is routed through it, only when the selected gateway fails.

    ANY - the backup gateway takes over, and traffic is routed through it, when any of the active gateways fails.

    ALL - the backup gateway takes over, and traffic is routed through it, only when all the configured active gateways have failed.

    Manual Gateway Failover

    Manual failover

    If you select Manually, the administrator must change the gateway by hand when the active gateway fails.

    Action on Activation: configure the weight of the backup gateway. Cyberoam distributes traffic across links in proportion to the ratio of the weights assigned to the individual links; the weight determines how much traffic passes through a particular link relative to the others.

    Select Inherit weight of the failed active gateway if you want the Backup gateway to inherit the weight of its parent (Active) gateway, or select Use pre-configured weight and specify a weight.
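    The failover rule form (IF Condition 1 AND/OR Condition 2 THEN Action) and the backup-activation options above, as an added example that is not CyberoamOS code. It models the link health check, the Specific/ANY/ALL/Manual activation modes and the inherit-versus-preconfigured weight choice for a constructed two-ISP-plus-LTE setup. Assumptions (mine, not the module's): with AND every probe must answer for the link to count as up and with OR one answer suffices; for ANY and ALL the inherited weight is that of the first failed active gateway in configured order; "MANUAL" encodes the Manually option.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    weight: int = 1              # the wizard gives every gateway weight 1
    role: str = "active"         # "active" or "backup"
    up: bool = True              # outcome of the gateway's failover rule
    # Backup gateways only. activate_on is "ALL", "ANY", "MANUAL" or the name
    # of a specific active gateway (assumed encoding of the dropdown options).
    activate_on: str = "ALL"
    inherit_weight: bool = True  # else preconfigured_weight is used on activation
    preconfigured_weight: int = 1


def link_is_up(probe_results, operator="AND"):
    """Evaluate a failover rule of the form IF cond1 AND/OR cond2.

    probe_results holds one boolean per condition, True when the probe (for
    example the default PING) received a reply through the link.  Assumption
    of this model: AND requires every probe to answer, OR accepts any one.
    A rule with no conditions can never declare the link dead.
    """
    if not probe_results:
        return True
    if operator == "AND":
        return all(probe_results)
    if operator == "OR":
        return any(probe_results)
    raise ValueError(f"unknown operator {operator!r}")


def active_routes(gateways):
    """Return {gateway name: weight} for the links traffic is routed through.

    Every up active gateway is used with its own weight.  A backup gateway is
    added only when its activation condition holds; its weight is inherited
    from the failed active gateway that triggered it (for ANY/ALL, the first
    failed active gateway in configured order) or set to the preconfigured value.
    """
    actives = [g for g in gateways if g.role == "active"]
    failed = [g for g in actives if not g.up]
    all_down = bool(actives) and len(failed) == len(actives)
    routes = {g.name: g.weight for g in actives if g.up}

    for backup in (g for g in gateways if g.role == "backup"):
        if not backup.up or backup.activate_on == "MANUAL":
            continue                        # manual failover: admin must intervene
        if backup.activate_on == "ALL":
            trigger = failed[0] if all_down else None
        elif backup.activate_on == "ANY":
            trigger = failed[0] if failed else None
        else:                               # a specific gateway selected by name
            trigger = next((g for g in failed if g.name == backup.activate_on), None)
        if trigger is None:
            continue
        routes[backup.name] = (trigger.weight if backup.inherit_weight
                               else backup.preconfigured_weight)
    return routes


def sample_gateways(isp1_up=True, isp2_up=True, activate_on="ISP1"):
    """Constructed setup: two weighted ISP links plus an LTE backup link."""
    return [
        Gateway("ISP1", weight=3, up=isp1_up),
        Gateway("ISP2", weight=1, up=isp2_up),
        Gateway("LTE", role="backup", activate_on=activate_on,
                inherit_weight=True, preconfigured_weight=2),
    ]


if __name__ == "__main__":
    print(link_is_up([True, False], "AND"), link_is_up([True, False], "OR"))
    print(active_routes(sample_gateways()))                        # ISP1:3, ISP2:1
    print(active_routes(sample_gateways(isp1_up=False)))           # ISP2:1, LTE:3
    print(active_routes(sample_gateways(isp1_up=False, activate_on="ALL")))  # ISP2:1 only
```

    Note how the ALL option leaves the LTE link idle while ISP2 alone carries the load; if the backup is meant to absorb the weight of the failed primary, Specific Gateway or ANY is the option that achieves that, and Manually means no traffic moves until an administrator acts.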


    Note that Cyberoam supports (n-1) WAN links on appliances without Wi-Fi and n links on appliances with Wi-Fi, where n is the number of ports on the appliance.

    The limit on non-Wi-Fi models is (n-1) because at least one port must be used for the LAN; on Wi-Fi models the wireless interface can serve the LAN instead.

    Active-Passive gateway failover through Firewall rule

    In the firewall rule, ISP1 is selected as Route Through Gateway and ISP2 as Backup Gateway. When ISP1 goes down, all traffic matching the rule automatically shifts to ISP2.

    Troubleshooting Gateway Failover Conditions

    Make sure the correct gateway failover conditions are configured on the appliance; otherwise traffic will not fail over when a link goes down. A condition only detects what its probe tests: a ping to a host that is reachable (or unreachable) regardless of the state of that link tells Cyberoam nothing, so probe a host on the far side of the ISP through the link being monitored.

    Refer to the failover-condition slides to configure it properly.

    Email Alerts

    Cyberoam automatically sends a mail alert to the administrator whenever a gateway's status changes. This applies only when Cyberoam is deployed with multiple gateways.

    [Figure: alert mail showing the gateway status Down]


    Status on Dashboard

    The status of each gateway can always be checked from the dashboard: green against a gateway means it is up, red means it is down.

    Note: CyberoamOS supports multilink over 3G.

    VPN Failover

    A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters of the connections in a group may be identical or different, except for the IP address of the remote gateway, which must differ. The order of the connections in the group defines their failover priority.

    A connection included in the group must be activated and connected manually once before it participates in failover. A connection that has been manually disconnected will not fail over to the subsequent connection.

    When the primary connection fails, the next active connection in the group takes over without manual intervention and keeps traffic moving. The whole process is transparent to users. For example, if the connection established using the 4th connection in the group is lost, the 5th connection takes over.

    Cyberoam considers a connection failed if:

    the remote peer does not reply (Net-to-Net and Host-to-Host connections)

    the local gateway fails (road warrior connections)

    Prerequisites

    Packets of the protocol specified in the failover condition, and their replies, must be allowed between the local server and the remote server on both the local and the remote side


    One connection can be included in one Group only

    Connection must be ACTIVE to participate in failover

    Cyberoam VPN failover can be deployed in many configurations and lets remote/branch offices seamlessly establish a VPN connection to a secondary gateway should the connection to the primary gateway be terminated, allowing continuous uptime.
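    The VPN group failover order, the failure criteria and the prerequisites above, as an added example that is not CyberoamOS code. It models a constructed five-member Net-to-Net group (the module's "4th fails, 5th takes over" case), skips members that are not activated, and refuses to fail over from a manually disconnected connection, as the module states. The connection names and the "net2net", "host2host" and "roadwarrior" type labels are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class VpnConnection:
    name: str
    kind: str                        # "net2net", "host2host" or "roadwarrior" (assumed labels)
    activated: bool = True           # connection is ACTIVE on the VPN page
    manually_connected: bool = True  # connected once by hand after activation
    manually_disconnected: bool = False


def is_failed(conn, peer_replies, local_gateway_up):
    """Apply the module's failure criteria to one connection.

    Net-to-Net and Host-to-Host: failed when the remote peer does not reply.
    Road warrior: failed when the local gateway fails.
    """
    if conn.kind in ("net2net", "host2host"):
        return not peer_replies
    if conn.kind == "roadwarrior":
        return not local_gateway_up
    raise ValueError(f"unknown connection type {conn.kind!r}")


def eligible(conn):
    """A connection takes part in failover only if it is activated, was connected
    manually once, and has not since been disconnected by hand."""
    return conn.activated and conn.manually_connected and not conn.manually_disconnected


def next_connection(group, current_index, peer_replies, local_gateway_up):
    """Decide which group member should carry traffic.

    group is ordered by failover priority (index 3 is the module's "4th").
    A healthy current member stays; a manually disconnected one never fails
    over; otherwise the next eligible member in order takes over.  Returns
    the index of the chosen connection, or None if none remains.
    """
    current = group[current_index]
    if current.manually_disconnected:
        return None
    if not is_failed(current, peer_replies, local_gateway_up):
        return current_index
    for idx in range(current_index + 1, len(group)):
        if eligible(group[idx]):
            return idx
    return None


def sample_group():
    """Constructed five-member Net-to-Net group mirroring the module's example."""
    return [VpnConnection(f"HQ-tunnel-{i}", "net2net") for i in range(1, 6)]


if __name__ == "__main__":
    group = sample_group()
    # The 4th connection (index 3) loses its peer: the 5th (index 4) takes over.
    print(next_connection(group, 3, peer_replies=False, local_gateway_up=True))
    group[0].manually_disconnected = True
    print(next_connection(group, 0, peer_replies=False, local_gateway_up=True))  # None
```

    The prerequisite that the probe protocol and its replies be permitted on both sides is what makes peer_replies meaningful: if the far end drops the probe, every member of the group looks failed and the group walks straight to None.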


    Summary

    This module covered several of the most important Cyberoam high-availability features and engineering concepts:

    Appliance clustering

    LAN Failover

    Redundant power supply on the appliance

    Managing multiple WAN links with gateway load balancing

    Active Active deployment

    Active Passive deployment
