NE40E V800R010C10SPC500 Feature Description - Security 01

IPsec Dual-system Hot Backup

IPsec Dual-System Hot-Backup Purpose

To improve service reliability, two IPsec gateways, a master and a slave, are generally deployed and directly connected through physical links.

When the master device runs properly, traffic is directed to it through a VRRP backup group or through routes, and the SAs created on the master device are backed up to the slave device.

When a master/slave switchover occurs, traffic is directed to the slave device, and the SAs do not need to be re-created because the slave already holds them.

To support 1+1 backup, dual-system hot backup supports multiple IPsec instances. Each instance is associated with the state of a VRRP backup group, and the status of the service board used by an instance in turn affects the VRRP state.

When dual-system IPsec gateways are deployed to improve reliability, the networking modes vary. In the major networking scenarios, the IPsec gateways are deployed on an L2VPN or an L3VPN.

IPsec Dual-System Hot-Backup Principles

The RBS protocol queries the state of the VRRP management backup group and keeps its own state synchronized with it. The IPsec service module on the master device hands the backup data to the RBS module, and the RBS module sends the data to the slave device. After receiving the data, the RBS module on the slave device forwards it to the corresponding service modules for processing.

Relationships between RBS and the VRRP management backup group:

RBS queries the VRRP management backup group status. The VRRP management backup group is associated with the board group status. If the board is faulty, the VRRP management backup group is instructed to switch status.

IPsec Dual-System Hot Backup Mechanism

  • Batch backup

    After the RBS channel is successfully created, batch backup is triggered: the SAs that already exist on the master device are backed up to the slave device in one pass.

  • Real-time backup

    When an SA is created or deleted, real-time backup is triggered: the change is sent to the slave device as it occurs.

IPsec dual-system hot-backup applications on the L2VPN

As shown in Figure 13-14, an IPsec tunnel is set up between the base station and IPsec gateway. A base station is dual-homed to two IPsec gateways using the L2VPN. The IPsec tunnel is located on the L2VPN, and IPsec dual-system hot backup is configured on the two IPsec gateways to implement master/slave protection. To implement dual-system hot backup, VRRP is used on the ciphertext side of the IPsec gateway, and FRR UNRs are used on the plaintext side. An IPsec RBS service channel is configured between two IPsec gateways.

Figure 13-14 IPsec dual-system hot backup application on the L2VPN

IPsec dual-system hot-backup applications on an L3VPN

As shown in Figure 13-15, an IPsec tunnel is set up between the base station and IPsec gateway. A base station is dual-homed to two IPsec gateways using the L3VPN. The IPsec tunnel is located on the L3VPN, and IPsec dual-system hot backup is configured on the two IPsec gateways to implement master/slave protection. To implement dual-system hot backup, direct route priorities are associated with the IPsec instance status on the ciphertext side of the IPsec gateway, and UNR priorities are associated with the IPsec instance status on the plaintext side. An IPsec RBS service channel and VRRP are configured between two IPsec gateways to distinguish the master and slave devices.
Figure 13-15 IPsec dual-system hot backup application on the L3VPN

IPsec Dual-system Hot Backup in 1:1 Mode

As shown in Figure 13-16, in the dual-system hot backup scenario the devices work in active/standby mode. The active device forwards all traffic. When the active tunnel or the active device is faulty, the standby device takes over the services from the active device.
Figure 13-16 IPsec dual-system hot backup in 1:1 mode

IPsec Dual-system Hot Backup in 1+1 Mode

The IPsec dual-system hot backup in 1:1 mode cannot balance the load, whereas the 1+1 mode makes up for this deficiency. As shown in Figure 13-17, multiple IPsec instances are configured on both devices in the dual-system hot backup scenario, and each IPsec instance is associated with the state of a management VRRP group. You can configure different initial VRRP states so that the IPsec traffic load is shared between the two devices.
Figure 13-17 IPsec dual-system hot backup in 1+1 mode
As shown in Figure 13-17, each device is configured with two IPsec instances and two VRRP backup groups.
  • VRRP1 monitors the first group of IPsec instances. Device A serves as the active device. IPsec traffic is forwarded over main tunnel 1. When main tunnel 1 or device A is faulty, IPsec traffic is forwarded over backup tunnel 1.
  • VRRP2 monitors the second group of IPsec instances. Device B serves as the active device. IPsec traffic is forwarded over main tunnel 2. When main tunnel 2 or device B is faulty, IPsec traffic is forwarded over backup tunnel 2.

In the IPsec dual-system hot backup in 1+1 mode, each device is active for one group of IPsec instances and standby for the other, so both devices forward traffic simultaneously. If the configuration is proper, the load is balanced and the reliability requirements are satisfied.

Note that an IPsec tunnel can be bound to only one IPsec instance. Therefore, when multiple IPsec instances exist, by default they use different tunnel addresses as the security gateway addresses seen by the base station. If multiple IPsec instances must use the same tunnel address, you must specify the local address in the IPsec policy and distinguish the traffic by physical inbound interface.
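The backup mechanism described above (batch backup once the RBS channel is up, real-time backup on every SA creation or deletion) and the 1+1 mode with per-instance VRRP states can be seen together in the following Python simulation. It is an added example, not NE40E or RBS code: the Gateway and SA classes, the "add"/"del" record format, the instance numbers 1 and 2, the SPIs and the addresses 10.1.1.x are all constructed for illustration.

```python
"""Simulation of IPsec dual-system hot backup: batch and real-time SA backup
over an RBS-style channel plus 1+1 load sharing across two IPsec instances.
Constructed example; not NE40E code. Names, record format and addresses are
hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int
    peer: str       # base-station tunnel address (constructed)
    instance: int   # a tunnel is bound to exactly one IPsec instance


@dataclass
class Gateway:
    name: str
    vrrp: Dict[int, str]                        # instance -> "master" | "backup" | "down"
    sas: Dict[int, SA] = field(default_factory=dict)
    rbs_peer: Optional["Gateway"] = None

    # ---- RBS module ----
    def rbs_connect(self, peer: "Gateway") -> None:
        """Bring up the RBS channel. Its creation triggers batch backup: every SA
        held by the master side of an instance is copied to the other device."""
        self.rbs_peer, peer.rbs_peer = peer, self
        for gw in (self, peer):
            for sa in list(gw.sas.values()):
                if gw.vrrp.get(sa.instance) == "master":
                    gw._rbs_send("add", sa)

    def _rbs_send(self, op: str, sa: SA) -> None:
        # The IPsec service module hands the record to RBS; RBS delivers it to the peer.
        if self.rbs_peer is not None:
            self.rbs_peer.rbs_receive(op, sa)

    def rbs_receive(self, op: str, sa: SA) -> None:
        # On the slave side RBS forwards the record to the IPsec service module.
        if op == "add":
            self.sas[sa.spi] = sa
        else:
            self.sas.pop(sa.spi, None)

    # ---- IPsec service module (only the master of an instance negotiates SAs) ----
    def sa_create(self, sa: SA) -> None:
        if self.vrrp.get(sa.instance) != "master":
            raise RuntimeError(f"{self.name} is not master for instance {sa.instance}")
        self.sas[sa.spi] = sa
        self._rbs_send("add", sa)           # real-time backup on create

    def sa_delete(self, spi: int) -> None:
        sa = self.sas.pop(spi)
        self._rbs_send("del", sa)           # real-time backup on delete


def forwarding_gateway(gws: Tuple["Gateway", ...], instance: int) -> "Gateway":
    """Traffic of an instance is directed to the device whose VRRP group for it is master."""
    return next(gw for gw in gws if gw.vrrp.get(instance) == "master")


def device_failure(failed: "Gateway", survivor: "Gateway") -> None:
    """Board or device fault: the VRRP groups switch and the survivor becomes master."""
    for inst in failed.vrrp:
        failed.vrrp[inst] = "down"
        survivor.vrrp[inst] = "master"


def spis(gw: "Gateway") -> List[int]:
    return sorted(gw.sas)


def run_scenario() -> dict:
    # 1+1 mode: two instances, opposite initial VRRP states on the two devices.
    a = Gateway("A", vrrp={1: "master", 2: "backup"})
    b = Gateway("B", vrrp={1: "backup", 2: "master"})
    out = {}
    # SAs negotiated before the RBS channel exists are not yet backed up anywhere.
    a.sa_create(SA(0x1001, "10.1.1.1", instance=1))
    b.sa_create(SA(0x2001, "10.1.1.2", instance=2))
    out["before_rbs"] = (spis(a), spis(b))
    a.rbs_connect(b)                                    # batch backup
    out["after_batch"] = (spis(a), spis(b))
    a.sa_create(SA(0x1002, "10.1.1.1", instance=1))     # real-time add
    a.sa_delete(0x1001)                                 # real-time delete
    out["after_realtime"] = (spis(a), spis(b))
    out["load_sharing"] = (forwarding_gateway((a, b), 1).name,
                           forwarding_gateway((a, b), 2).name)
    device_failure(a, b)                                # device A becomes faulty
    out["after_failover"] = (forwarding_gateway((a, b), 1).name,
                             forwarding_gateway((a, b), 2).name)
    # Every SA that was active on A already exists on B: nothing to renegotiate.
    out["sas_to_recreate"] = sorted(set(spis(a)) - set(spis(b)))
    return out


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step:16s} {value}")
```

The point of the scenario is the last two results: after device A fails, device B is master for both instances and holds every SA that was active on A, so no IKE renegotiation is needed, which is exactly what the batch and real-time backups buy. The `sa_create` guard also reflects the constraint that only the master of an instance negotiates SAs and that a tunnel belongs to one instance.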

Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 12493

Downloads: 29

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next