TABLE OF CONTENTS
Introduction
  Need of High Network Uptime
  Hardware Level
    Appliance Clustering
    Redundant Power Supply
    LAN Failover
  Application Level
  Network Level
    Multilink Manager
      3G/4G link configuration on Cyberoam
    Active-Active load balancing and gateway failover
      Failover rules
      Configure both the gateways as active
    Gateway Load Balancing
    Active-Passive gateway failover through Firewall rule
      Troubleshooting Gateway Failover Conditions
  VPN Failover
Summary
Network High Availability
Cyberoam Certified Network & Security Professional
Introduction Computer networks and their devices are required not only to deliver maximum throughput but also to be available at all times. The state in which hardware and software are available at any given instant is termed “High Availability”. There are several ways to achieve network high availability, and it matters most where business-critical, revenue-generating traffic is being processed. The network must always be implemented in such a way that network uptime is maximised. This module looks at how to achieve high network uptime.
Need of High Network Uptime As Wikipedia puts it, “High availability is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period.” Users want their networks to be ready to serve them at all times. Availability refers to the ability of the user community to access the system; if a user cannot access the system, it is said to be unavailable. Generally, the term downtime refers to periods when a system is unavailable.
Hardware Level To achieve high uptime, or in other words “zero downtime”, the hardware level is the first layer to consider. In this form of high availability the hardware itself is engineered to deliver minimal or zero downtime. Cyberoam does this through three methods:
• Appliance Clustering
• Redundant Power Supply
• LAN Failsafe
Appliance Clustering Cyberoam’s appliance clustering approach is the CyberoamOS cluster, which consists of two identical Cyberoam Layer 8 firewalls running the same CyberoamOS version. CyberoamOS relieves the network administrator of the burden of configuring policies on both appliances. There are two approaches to this type of deployment:
• Active – Active
• Active – Passive
In an Active – Active deployment, CyberoamOS on both appliances is active. Both appliances work together, sharing the network traffic (depending on the policies) and thus multiplying the throughput. In an Active – Passive deployment, one Cyberoam appliance is active while the other acts as a backup. When the first one goes down, CyberoamOS triggers the second, which starts functioning identically to the first. Note: CyberoamOS calls the active and passive appliances the primary and auxiliary appliances respectively. Cyberoam supports HA in all deployment modes, i.e. Bridge, Gateway and Mixed.
Redundant Power Supply Redundancy on Cyberoam appliances extends beyond CyberoamOS to the power supply. Cyberoam Layer 8 firewall appliances come with a hot-swappable redundant power supply, which means both power supplies are on at all times. If one fails, the Cyberoam appliance and CyberoamOS are unaffected, giving zero downtime.
LAN Failover Cyberoam Research puts extreme effort into bringing best-in-breed Cyberoam appliances. Upon failure of an appliance or of CyberoamOS, Cyberoam’s LAN Failover takes over, ensuring zero downtime. LAN Failover is available only in bridge mode. While in failover mode (also known as Hardware Bypass), CyberoamOS identity-based policies and firewall rules are not enforced on the traffic passing through the bridged port pair. LAN Failover is a disaster recovery situation; upon encountering LAN Failover, a customer should immediately contact Cyberoam support. LAN Failover is performed on a pair of ports, and the pairs vary from appliance to appliance. The table below shows each model and its LAN Failsafe port pairs:
Model number    Port pairs
50iNG           A & B, C & D
100iNG          A & B, C & D
200iNG          E & F, G & H
200iNG-XP       A & B, C & D
300iNG          E & F, G & H
300iNG-XP       A & B, C & D
2500iNG         M & N, O & P
Note: Models below 50iNG do not support LAN Failover. LAN Failover can occur upon failure of the appliance, a power supply outage to the appliance, fire, or any other natural calamity that stops the appliance from functioning.
Application Level For organizations it is important that business-critical and revenue-generating traffic gets proper treatment. For this, CyberoamOS provides application-level high availability. When the Cyberoam Layer 8 firewall is deployed in Active – Active mode, CyberoamOS can be configured to load balance the traffic through the chosen Cyberoam appliance. In this way, the productivity of business-critical applications and revenue-generating traffic such as SAP, ERP, etc. can be increased. To summarize, Cyberoam provides high availability not only at the hardware level but also for business applications, so as to give zero downtime to all network applications.
Network Level CyberoamOS works not only with a single WAN link but also with multiple WAN links, through CyberoamOS’s Multilink Manager.
Multilink Manager Load balancing is determined by the load metric/weight. Each link is assigned a relative weight and Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link. Administrators can set weight and define how the traffic should be directed to providers to best utilize their bandwidth investments. Weight can be selected based on:
• Link capacity (for links with different bandwidth)
• Link/Bandwidth cost (for links with varying cost)
By default every gateway has a weight of “1”, so Cyberoam load balances 1:1 across all gateways. CyberoamOS supports many types of WAN links, such as:
• ADSL over Ethernet
• DSL over Ethernet
• MPLS over Ethernet
• 3G over USB
• 4G LTE modems over USB
3G/4G link configuration on Cyberoam To configure 3G/4G modems (WWAN) on Cyberoam, log in to the appliance from the console, choose option 4 (Cyberoam Console) and enter the command “Cyberoam wwan enable”. This enables the WWAN menu on Cyberoam, after which 3G/4G links can be configured. For configuration details, refer to the Cyberoam documentation at http://kb.cyberoam.com/default.asp?id=1797&SID=&Lang=1
Active-Active load balancing and gateway failover By default, all gateways defined through the Network Configuration Wizard are defined as “Active” gateways. For active gateways, Cyberoam selects the gateway for load balancing depending on its weight: traffic is distributed across links in proportion to the ratio of weights assigned to the individual links, so the weight determines how much traffic passes through a particular link relative to the others.
To specify the weight, go to Network > Gateway and click the Gateway name.
To add a Gateway Failover Rule, go to Network > Gateway, click the Gateway name and open Failover Rules.
Gateway failover provides link failure protection: when one link goes down, the traffic is switched over to the remaining active link. This safeguard provides uninterrupted, continuous Internet connectivity to users. The transition is seamless and transparent to the end user, with no disruption in service, i.e. no downtime. To achieve WAN failover between multiple links:
• configure links in an Active-Backup setup
• define the Active gateway/interface
• define the Backup gateway/interface – traffic is routed through this link only when the active interface is down
• define the failover rule
In the event of an Internet link failure, the Multilink Manager automatically sends traffic to the available Internet connections without administrator intervention. If more than one link is configured as a backup link, traffic is distributed among those links in the ratio of the weights assigned to them. On failover, the backup gateway can either inherit the weight of its parent (active) gateway or use a configured weight of its own.
Failover rules The transition from a dead link to an active link is based on the failover rule defined for the link. A failover rule specifies:
• how to check whether the link is active or dead
• what action to take when the link is not active
A failover rule has the form: IF Condition 1 AND/OR Condition 2 THEN Action. Depending on the outcome of the condition, traffic is shifted to any other available gateway. By default, Cyberoam creates a Ping rule for every gateway: it periodically sends ping requests to check the health of the link, and if the link does not respond, traffic is automatically sent through another available link. Which gateway is selected, and how much traffic is routed through each gateway, depends on the number of configured active and backup gateways.
Configure both the gateways as active
Gateway Load Balancing By default, all firewall traffic is load balanced across all ISP links in proportion to their weights. To change this, go to Firewall and edit any of the rules.
Depending on the weight, the Cyberoam appliance selects the gateway for load balancing. It distributes traffic across links in proportion to the ratio of weights assigned to the individual links; the weight determines how much traffic passes through a particular link relative to the others.
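The weight-proportional distribution described in the Multilink Manager and Gateway Load Balancing sections, worked through as an added Python example; this is not Cyberoam code. The “smooth weighted round robin” scheduler used here is an assumed way of honouring the weight ratio, not a description of how CyberoamOS picks gateways, and the gateway names and weights are constructed.

```python
# Added example, not Cyberoam code: spreading new connections across WAN links
# in proportion to their gateway weights. The "smooth weighted round robin"
# scheduler is an assumption about how to honour the ratio, not a description
# of how CyberoamOS picks gateways. Gateway names and weights are constructed.
from typing import Dict, List


def choose_gateway(weights: Dict[str, int], credit: Dict[str, int]) -> str:
    """Pick the next gateway and update the running credit table in place.

    Each call adds every gateway's weight to its credit, selects the gateway
    with the highest credit (ties go to the gateway defined first) and charges
    the winner the total weight. Over any window of sum(weights) picks each
    gateway wins exactly `weight` times, so a 3:1 setting really yields 3:1
    even for a handful of connections.
    """
    total = sum(weights.values())
    for name, w in weights.items():
        credit[name] = credit.get(name, 0) + w
    winner = max(credit, key=lambda name: credit[name])
    credit[winner] -= total
    return winner


def selection_sequence(weights: Dict[str, int], connections: int) -> List[str]:
    """Gateway chosen for each of `connections` new sessions, in order."""
    if connections < 0 or not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("need at least one gateway with a positive weight and connections >= 0")
    credit: Dict[str, int] = {}
    return [choose_gateway(weights, credit) for _ in range(connections)]


def distribute(weights: Dict[str, int], connections: int) -> Dict[str, int]:
    """How many of `connections` new sessions land on each gateway."""
    counts = {name: 0 for name in weights}
    for gateway in selection_sequence(weights, connections):
        counts[gateway] += 1
    return counts


def share(weights: Dict[str, int]) -> Dict[str, float]:
    """Expected long-run fraction of traffic per gateway (weight / total weight)."""
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


if __name__ == "__main__":
    # Default: every gateway keeps weight 1, so the links are balanced 1:1.
    print(distribute({"ISP1": 1, "ISP2": 1}, 100))   # {'ISP1': 50, 'ISP2': 50}
    # Capacity-based weights: a larger link weighted 3 against a smaller one weighted 1.
    print(distribute({"ISP1": 3, "ISP2": 1}, 100))   # {'ISP1': 75, 'ISP2': 25}
    print(selection_sequence({"ISP1": 3, "ISP2": 1}, 4))
```

Because the scheduler charges the winner the whole total each time, the ratio holds exactly within every window of sum(weights) picks rather than only on average, which is what makes a small weight such as 1 against 3 behave predictably instead of starving one link for long stretches.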
Active-Passive Gateway Failover
The feature:
• Configure a redundant link on Cyberoam.
• Configure multiple backup links.
• Backup links for specific routes.
Benefit: provides link failure protection.
By default Cyberoam assigns a weight of 1 to all gateways configured using the initial Network Configuration Wizard; the gateway weights must be changed manually as shown above. Backup – a gateway used in an active/passive setup, where traffic is routed through the backup gateway only when the active gateway is down. This option is only available when two or more gateways are configured in Cyberoam.
Backup Gateway Details: Activate this Gateway – configures when the backup gateway should take over from the active gateway.
Automatic failover From the dropdown list, specify when the backup gateway should take over from the active gateway. This takeover does not require the administrator’s intervention. Options:
• Specific Gateway – the dropdown lists all configured gateways. The backup gateway takes over, and traffic is routed through it, only when the selected gateway fails.
• ANY – the backup gateway takes over, and traffic is routed through it, when any of the active gateways fails.
• ALL – the backup gateway takes over, and traffic is routed through it, when all configured active gateways fail.
Manual Gateway Failover
Manual failover If you select “Manually”, the administrator has to change the gateway manually if the active gateway fails. Action on Activation – configures the weight for the backup gateway. Cyberoam distributes traffic across links in proportion to the ratio of weights assigned to the individual links; the weight determines how much traffic passes through a particular link relative to the others. Select “Inherit weight of the failed active gateway” if you want the backup gateway to inherit the parent (active) gateway’s weight, or select “User pre-configured weight” and specify a weight.
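The failover rule evaluation from the Failover rules section (IF Condition 1 AND/OR Condition 2 THEN Action) together with the backup gateway activation options just described (Specific Gateway, ANY, ALL, Manually, and inherited versus pre-configured weight), as one added Python example. It is not Cyberoam code: the data model, the reading of AND as “dead only when every probe fails” and OR as “dead when any probe fails”, and the choice to inherit the combined weight when several parents fail are assumptions; the probe outcomes and the 198.51.100.0/24 probe targets are constructed.

```python
# Added example, not Cyberoam code: applying failover rules to constructed
# probe results and working out which gateways carry traffic afterwards.
# Data model, AND/OR semantics and the multi-parent weight rule are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (gateway, protocol, probed host) -> True when the health-check probe succeeded.
ProbeTable = Dict[Tuple[str, str, str], bool]


@dataclass
class Condition:
    protocol: str  # "ping" or "tcp": the health check sent through the gateway
    host: str      # the host probed


@dataclass
class FailoverRule:
    gateway: str
    conditions: List[Condition]
    combine: str = "AND"  # AND: dead only if every probe fails; OR: dead if any probe fails


@dataclass
class Gateway:
    name: str
    weight: int = 1
    role: str = "active"           # "active" or "backup"
    activate_on: str = "ANY"       # backup only: "ANY", "ALL", "MANUAL" or an active gateway's name
    inherit_weight: bool = True    # backup only: inherit the failed active gateway's weight
    preconfigured_weight: int = 1  # backup only: used when inherit_weight is False


def link_is_dead(rule: FailoverRule, probes: ProbeTable) -> bool:
    """IF condition1 AND/OR condition2 THEN mark the link dead."""
    # A probe with no recorded result counts as failed (fail closed).
    failed = [not probes.get((rule.gateway, c.protocol, c.host), False) for c in rule.conditions]
    if rule.combine == "AND":
        return all(failed)
    if rule.combine == "OR":
        return any(failed)
    raise ValueError(f"unknown combinator {rule.combine!r}")


def effective_gateways(gateways: List[Gateway], rules: List[FailoverRule],
                       probes: ProbeTable) -> Dict[str, int]:
    """Return {gateway name: weight} for the gateways carrying traffic right now."""
    rule_for = {r.gateway: r for r in rules}
    actives = [g for g in gateways if g.role == "active"]
    # An active gateway without a rule is treated as up; the page says CyberoamOS
    # creates a ping rule for every gateway by default, so this is an edge case.
    dead = [g for g in actives if g.name in rule_for and link_is_dead(rule_for[g.name], probes)]
    live = {g.name: g.weight for g in actives if g not in dead}
    for b in (g for g in gateways if g.role == "backup"):
        if b.activate_on == "MANUAL":
            continue  # "Manually": the administrator switches gateways by hand
        if b.activate_on == "ANY":
            parents = dead
        elif b.activate_on == "ALL":
            parents = dead if actives and len(dead) == len(actives) else []
        else:  # Specific Gateway: only that gateway's failure triggers the backup
            parents = [g for g in dead if g.name == b.activate_on]
        if parents:
            # Assumption: with several failed parents the backup inherits their combined weight.
            live[b.name] = sum(g.weight for g in parents) if b.inherit_weight else b.preconfigured_weight
    return live


# Constructed scenario: two active ISP links (weights 2 and 1) plus a backup that
# takes over on ANY failure and inherits the failed link's weight.
GATEWAYS = [Gateway("ISP1", weight=2), Gateway("ISP2", weight=1),
            Gateway("ISP3", role="backup", activate_on="ANY", inherit_weight=True)]
RULES = [
    FailoverRule("ISP1", [Condition("ping", "198.51.100.1"), Condition("ping", "198.51.100.2")], "AND"),
    FailoverRule("ISP2", [Condition("ping", "198.51.100.1")]),
]
PROBES_ALL_UP: ProbeTable = {("ISP1", "ping", "198.51.100.1"): True,
                             ("ISP1", "ping", "198.51.100.2"): True,
                             ("ISP2", "ping", "198.51.100.1"): True}
# ISP1 loses one of two probe targets: under AND the link still counts as up.
PROBES_ISP1_DEGRADED = {**PROBES_ALL_UP, ("ISP1", "ping", "198.51.100.1"): False}
# ISP1 loses both targets: the rule fires and the backup inherits weight 2.
PROBES_ISP1_DOWN = {**PROBES_ISP1_DEGRADED, ("ISP1", "ping", "198.51.100.2"): False}
PROBES_ALL_DOWN = {key: False for key in PROBES_ALL_UP}

if __name__ == "__main__":
    for label, probes in [("all up", PROBES_ALL_UP), ("ISP1 degraded", PROBES_ISP1_DEGRADED),
                          ("ISP1 down", PROBES_ISP1_DOWN), ("all down", PROBES_ALL_DOWN)]:
        print(f"{label:14s} -> {effective_gateways(GATEWAYS, RULES, probes)}")
```

Probing two hosts and combining them with AND is what keeps a single unreachable probe target from being mistaken for a dead link, which is the troubleshooting point made later in this module: a rule with the wrong conditions either never fires or fails over on noise.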
Note that Cyberoam supports (n-1) WAN links on appliances without Wi-Fi and (n) WAN links on appliances with Wi-Fi, where n is the number of ports on the appliance. Non-Wi-Fi models support (n-1) links because at least one port must be used for the LAN.
Active-Passive gateway failover through Firewall rule
ISP1 is set as the Route Through Gateway and ISP2 as the Backup Gateway. When ISP1 goes down, all traffic automatically shifts to ISP2.
Troubleshooting Gateway Failover Conditions Make sure the correct gateway failover conditions are configured on the appliance; otherwise traffic will not fail over when a link goes down. Refer to the failover condition slides to configure them properly. Email Alerts Cyberoam automatically sends a mail alert to the administrator whenever a gateway’s status changes. This applies only when Cyberoam is deployed with multiple gateways. Alert mail showing the gateway status “Down”
Status on Dashboard
You can always check the status of a gateway from the dashboard. Green against a gateway shows that it is up, while red shows that it is down. Note: CyberoamOS supports multilink over 3G.
VPN Failover A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters of the connections in a group can be different or identical, except for the IP address of the remote gateway. The order of connections in the group defines the failover priority of each connection. A connection included in the group must be activated and manually connected for the first time before it participates in failover. A connection that is manually disconnected will not fail over to the subsequent connection. When the primary connection fails, the next active connection in the group takes over without manual intervention and keeps traffic moving; the entire process is transparent to users. For example, if the connection established using the 4th connection in the group is lost, the 5th connection takes over. Cyberoam considers a connection failed if:
• the remote peer does not reply – for Net to Net and Host to Host connections
• the local gateway fails – for Road Warrior connections
Prerequisites
• Packets of the protocol specified in the failover condition, and their replies, must be allowed between the local server and the remote server on both the local and the remote server
• One connection can be included in only one group
• A connection must be ACTIVE to participate in failover
Cyberoam VPN failover can be deployed in any number of configurations and allows remote/branch offices to seamlessly establish a VPN connection to a secondary gateway should the connection to the primary gateway be terminated, providing continuous uptime.
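The VPN group ordering rules from this section (failover priority by position, participation only after activation and a first manual connection, no failover after a manual disconnect, and the per-connection-type failure test), as an added Python example that is not Cyberoam code. The connection names, the 203.0.113.0/24 remote gateways and the peer-reply inputs are constructed, and the data model is an assumption.

```python
# Added example, not Cyberoam code: choosing the connection that takes over in a
# VPN failover group. Names, remote gateways and failure inputs are constructed;
# the data model is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VpnConnection:
    name: str
    remote_gateway: str          # the one parameter that must differ between group members
    kind: str                    # "net2net", "host2host" or "roadwarrior"
    activated: bool = True       # connection is ACTIVE in the configuration
    connected_once: bool = True  # manually connected at least once, a prerequisite for failover
    manually_disconnected: bool = False


def participates(conn: VpnConnection) -> bool:
    """A connection takes part in failover only if active and connected once by hand."""
    return conn.activated and conn.connected_once and not conn.manually_disconnected


def has_failed(conn: VpnConnection, peer_replies: Dict[str, bool], local_gateway_up: bool) -> bool:
    """Failure test by connection type: silent remote peer for net-to-net and
    host-to-host, failed local gateway for road warrior. Unknown peers count as silent."""
    if conn.kind == "roadwarrior":
        return not local_gateway_up
    if conn.kind in ("net2net", "host2host"):
        return not peer_replies.get(conn.remote_gateway, False)
    raise ValueError(f"unknown connection type {conn.kind!r}")


def next_connection(group: List[VpnConnection], current: int,
                    peer_replies: Dict[str, bool], local_gateway_up: bool = True) -> Optional[int]:
    """Index of the connection that carries traffic after checking `current`.

    Returns `current` while it is healthy, the next participating connection in
    group order once it has failed, and None when nothing can take over, which
    includes a manual disconnect, because that never fails over.
    """
    if not 0 <= current < len(group):
        raise IndexError("current connection is not in the group")
    conn = group[current]
    if conn.manually_disconnected:
        return None
    if not has_failed(conn, peer_replies, local_gateway_up):
        return current
    for idx in range(current + 1, len(group)):
        if participates(group[idx]):
            return idx
    return None


def make_group(size: int = 5) -> List[VpnConnection]:
    """Constructed group of net-to-net tunnels to remote gateways in 203.0.113.0/24."""
    return [VpnConnection(f"tunnel{i}", f"203.0.113.{i}", "net2net") for i in range(1, size + 1)]


if __name__ == "__main__":
    group = make_group()
    replies = {c.remote_gateway for c in group}
    replies = {gw: gw != "203.0.113.4" for gw in replies}   # the 4th peer has gone silent
    print(next_connection(group, 3, replies))   # 4: the 5th connection takes over
```

Indexes are zero-based, so the page’s “4th connection fails, 5th takes over” is index 3 handing over to index 4. The prerequisite that a connection has been manually connected once is modelled as a flag precisely because a group member that never completed that step is skipped, which is the case most likely to surprise an administrator who added a tunnel and expected it to be covered.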
Summary This module highlighted several of the most important Cyberoam features and engineering concepts, including:
• Appliance clustering
• LAN Failover
• Redundant power supply on the appliance
• Managing multiple WAN links with gateway load balancing
• Active – Active deployment
• Active – Passive deployment