Chapter 5. Designing for High Availability


Managing Path Symmetry: In order to ensure that the control plane information required to establish, maintain, and tear down Phase 1 and 2 IPSec SAs can be communicated successfully between two IPSec VPN tunnel termination points, there must be a means by which to ensure that the IPSec control plane traffic follows the same return path as its original path. In this chapter, we will explore how path asymmetry can prevent successful negotiation and operation of an IPSec VPN tunnel when two stateless firewalls are injected in between the two tunnel termination endpoints.

Load Balancing: Load balancing is traditionally more focused on increasing the overall performance and scalability of IPSec VPN deployment, but the effective use of clustering and load balancing in the design also indirectly improves availability. We will discuss several areas of the overall system architecture that can be balanced across multiple IPSec VPN components in the context of improving the overall availability of the IPSec VPN design.

The scope of this chapter is limited to presenting an overview of HA concepts and areas in which HA can be built into an IPSec VPN; therefore, specific design solutions for local and geographic IPSec HA are not discussed in this chapter, but rather discussed in Chapter 6, "Site-to-Site Local HA Solutions," Chapter 7, "Site-to-Site Geographic HA Solutions," and Chapter 9, "Remote Access VPN High Availability."



Network and Path Redundancy

IPSec VPNs are a Layer 3 VPN technology for securing IP traffic and therefore rely on a stable IP-enabled foundation for stability and HA. As such, one critical design consideration for IPSec VPNs is the incorporation of resiliency and HA between the two IP-enabled termination points of the IPSec VPN tunnel. Consider the three sample network topologies illustrated in Figures 5-1 through 5-3. We will use these topologies to illustrate how IPSec HA increases as single points of failure within the underlying IP foundation between the two IPSec tunnel termination points are eliminated.



Figure 5-1. Site-to-Site VPN without Path Redundancy



The topology in Figure 5-1 illustrates a scenario in which no redundancy is designed into the underlying IP infrastructure. This type of design provides many different points at which the IPSec VPN tunnel could fail due to a failure in one of the many nodes in between the termination points of the IPSec tunnel:



Interface Failure: The two serial interfaces connecting WAN_EdgeA and WAN_EdgeB present single points of failure for the VPN tunnel. If one of those interfaces on either router were to fail, then the Internet Key Exchange (IKE) and IPSec SAs comprising the IPSec VPN tunnel would have to be renegotiated upon recovery of that interface. IPSec can be configured to use multiple interfaces to eliminate these failure points, increasing the availability of the IPSec VPN. Figure 5-2 illustrates a topology in which path redundancy is designed between two VPN gateways at the interface level on WAN_EdgeA and WAN_EdgeB.



Figure 5-2. Dual-Interface Path Redundancy



WAN Infrastructure/Carrier Failure: In the design illustrated in Figure 5-1, the integrity of the IPSec VPN tunnel depends directly on the stability of the WAN link between WAN_EdgeA and B. A failure on the provider network would cause the IPSec VPN tunnel to be renegotiated once the failure is repaired. For traffic requiring higher availability in the crypto path, a backup WAN link can be deployed, as depicted in Figure 5-2.

Node Failure: Even with redundancy built into the design at an interface and link level between the two IPSec VPN gateways, there still exists the possibility that the IPSec VPN tunnel could fail due to a system failure on the VPN gateway itself. Figure 5-3 depicts a topology that provides a greater degree of HA at the WAN edge.



Figure 5-3. WAN Gateway, Interface, and Carrier Redundancy



The topology in Figure 5-3 eliminates all single points of failure between sites A and B, including interface-level, link-level, and node-level failure points. Although it is the most costly of the three designs, the topology in Figure 5-3 provides the greatest degree of path availability for the IPSec VPN tunnel, and it is therefore the soundest IPSec HA design.

Figures 5-1 through 5-3 illustrate how designing resiliency into the infrastructure supporting an IPSec VPN tunnel increases the effectiveness of the IPSec HA design itself by stepping through the elimination of single points of failure. Every removal of a single point of failure along the IPSec VPN tunnel path, however, also increases the cost of the overall solution. As a result, administrators should consider the business requirements of application data to be included in the encrypted path when investing in this area of IPSec HA.



IPSec Tunnel Termination Redundancy

The IPSec HA design in Figure 5-3 eliminates all single points of failure between the two tunnel termination points of the IPSec VPN except one: the tunnel termination point itself. Indeed, all of the network topologies discussed up to this point present single points of failure at the actual tunnel termination point itself. In this section, we will discuss three methods for designing HA into the termination of the IPSec VPN tunnel:

Tunnel Termination on Highly Available Interfaces: Terminating the IPSec tunnel on an interface that is resilient to the failure of any other physical interface on the gateway increases the availability of the IPSec tunnel.

Tunnel Termination on HSRP/VRRP Virtual Interfaces: With Cisco IOS, IPSec VPN tunnels can be terminated on HSRP Virtual Interfaces. This effectively allows box-level redundancy at the termination points of the IPSec tunnel itself.

Tunnel Termination with Multiple Peer Statements: Redundant IPSec VPN peer statements can be used to provide redundancy to multiple redundant points of termination on the opposite end of the IPSec VPN tunnel.

In addition to these tunnel termination redundancy methods, redundancy can be built into the IPSec VPN tunnel infrastructure between the termination points of the IPSec VPN tunnel. The availability of the routing protocol that provides the underlying transport between IPSec VPN tunnel termination points therefore has a material impact on the system-level IPSec VPN HA.



Multiple Physical Interface HA with Highly Available Tunnel Termination Interfaces

Now that redundancy has effectively been built into the path between the two tunnel termination points of the IPSec VPN tunnel (Figure 5-3), what happens when a failure occurs on one of the actual IPSec tunnel termination points themselves? All of the extra funding invested in path HA would be negated by such a failure. Figure 5-4 extends the design depicted in Figure 5-3 to include termination-point redundancy using highly available loopback interfaces.



Figure 5-4. Tunnel Termination on Highly Available Interfaces



The design illustrated in Figure 5-4 extends path HA to the tunnel termination point itself by utilizing a secondary Fast Ethernet port on the VPN gateways, IPSec_A and IPSec_B. Cisco IOS allows the administrator to source the IPSec VPN tunnel from a loopback interface on IPSec_A and IPSec_B, effectively allowing the two VPN gateways to maintain the IPSec VPN tunnel independently of a failure on one of the two Fast Ethernet interfaces on the box. Likewise, the target termination points are loopback interfaces, allowing for tunnel termination point HA on both the origination and termination sides of the IPSec tunnel.



Tunnel Termination HA Using HSRP/VRRP Virtual Interfaces

Using loopback interfaces to terminate the IPSec VPN tunnel, as displayed in Figure 5-4, allows the VPN gateways to leverage redundant interfaces (Fa0/0 and Fa0/1) on IPSec_A and IPSec_B for increased HA. However, this solution does not provide redundancy in a scenario in which the gateway itself fails. To design for box-level tunnel termination point redundancy, HSRP/VRRP virtual interfaces can be used to originate and terminate the IPSec VPN tunnel. Figure 5-5 presents an extension of Figure 5-3 that includes box-level tunnel termination HA using an HSRP Virtual Interface.



Figure 5-5. Tunnel Termination Point HA Using HSRP Virtual Interfaces



The design illustrated in Figure 5-5 allows for a greater scope of tunnel termination redundancy. Not only does it eliminate the termination interface itself as a single point of failure, but it also eliminates the VPN gateway itself as a single point of failure. For example, if IPSec_A1 were to experience a total system failure due to, say, a power failure in the building, IPSec_A2 would take over as the IPSec VPN tunnel termination point, thereby preserving the consistency of the IPSec VPN. This type of design has two variations:

Stateless IPSec HA: Stateless IPSec HA describes a situation in which an IPSec VPN tunnel is terminated on a virtual interface using HSRP and VRRP, but no state is communicated between the redundant IPSec VPN gateways in the HSRP group that are serving as the physical points of termination for the IPSec VPN tunnel. This method of box-level tunnel termination redundancy involves a teardown of the IPSec VPN tunnel itself using IKE keepalives when a failure occurs on the active HSRP router (IPSec_A1/B1 in Figure 5-5). Once this teardown occurs, a new tunnel is created using the same virtual interface. This process involves the renegotiation of Phase 1 and 2 SAs with the newly active HSRP/VRRP-enabled router. As we'll discuss in Chapter 6, "Site-to-Site Local HA Solutions," the teardown and renegotiation of SAs in a stateless design can lead to a somewhat lengthy reconvergence of the IPSec VPN tunnel in a failover scenario. For environments where reconvergence is critical and HA needs are paramount, a stateful IPSec HA design should be considered.

Stateful IPSec HA: Stateful IPSec HA can also be deployed using the same topology as a stateless IPSec HA design, such as the one in Figure 5-5. Unlike stateless IPSec HA designs, stateful IPSec HA designs are capable of communicating the state of the IPSec and ISAKMP SADB to the redundant IPSec VPN gateway in the HSRP/VRRP group prior to failover. This allows the IPSec VPN tunnels on the failed node to fail over to the redundant node without the remote end of the IPSec VPN tunnel noticing that a failover has occurred. With IPSec VPN gateways running Cisco IOS, SADB information is communicated from the active IPSec VPN gateway to the standby IPSec VPN gateway using Stateful Switchover (SSO) and the Stream Control Transport Protocol (SCTP). The communication of SADB information between active and standby VPN gateways in the HSRP group allows the standby IPSec VPN gateway in the HSRP/VRRP group to take over as the IPSec VPN tunnel termination point in a failover scenario without the teardown and renegotiation of Phase 1 and 2 SAs required in stateless IPSec HA operations (the standby router already has those SAs in its SADB prior to failover). Removing the requirement to reap stale SAs and renegotiate new ones in a failover scenario leads to dramatically reduced reconvergence times with stateful IPSec HA.



Note

The details of stateful and stateless IPSec HA design between routers in an HSRP group, including configuration, failover operations, and steps to minimize reconvergence delay impact, are discussed in greater detail in Chapter 6, "Site-to-Site Local HA Solutions."
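
The stateless HSRP termination described above, as Cisco IOS configuration for IPSec_A1 (an added example, not configuration from the book). The addresses, the names VPN-A, VPN-HA and TS-AES, the interface, the algorithm choices and the key are assumptions; IPSec_A2 would carry the same configuration with its own interface address and a lower HSRP priority.

```cisco
! Added example for IPSec_A1; all addresses, names and the key are constructed.
! 192.0.2.1 is the HSRP virtual IP; the remote gateway peers with it, never
! with the physical addresses of IPSec_A1 (192.0.2.2) or IPSec_A2 (192.0.2.3).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
! IKE keepalives: after a failover the stale SAs are detected and torn down
! so that Phase 1 and 2 can be renegotiated with the newly active router.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
crypto map VPN-A 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address 110
!
! Traffic from Network_A (10.1.0.0/16) to Network_B (10.2.0.0/16) is encrypted.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! "redundancy VPN-HA" ties the crypto map to the HSRP group, so IKE and IPSec
! are sourced from the virtual IP and only the active router terminates them.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 crypto map VPN-A redundancy VPN-HA
```

After a failover test, show standby brief and show crypto isakmp sa on the surviving router should show it as the active HSRP router with a freshly negotiated SA on the virtual IP. The stateful variant appends the stateful keyword to the crypto map redundancy line and additionally needs the SSO and SCTP inter-device configuration, which is not shown here.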



HA with Multiple Peer Statements

In many cases, such as in situations in which geographic IPSec HA is required, it may not be feasible to terminate an IPSec tunnel on a virtual interface using HSRP and/or VRRP. Figure 5-6 depicts an example of one such situation.



Figure 5-6. Geographic IPSec HA Using Multiple Peering Statements in Each Crypto Map on IPSec_A1, A2, B1, and B2



In Figure 5-6, IPSec_A1 and IPSec_A2 are now located in different wiring closets, and therefore do share the same Layer 3 boundary facing the WAN edge routers (WAN_EdgeA1 and WAN_EdgeA2). The same conditions exist at site B for routers IPSec_B1 and IPSec_B2. As such, HSRP or VRRP hellos cannot be sent between IPSec_A1 and A2 or between IPSec_B1 and B2 for IPSec tunnel termination on a virtual interface. In this situation, multiple peering statements can be included in the crypto maps for routers IPSec_A1, A2, B1, and B2, creating a backup IPSec VPN tunnel for encrypted traffic on egress from each IPSec VPN gateway. Figure 5-7 shows the loopback-to-loopback IPSec peering sessions between IPSec_A1, A2, B1, and B2 using redundant peering statements to protect traffic from Network_A to Network_B in the encrypted path.



Figure 5-7. Loopback-to-Loopback IPSec Peering Sessions with Redundant Peer Statements



Note

Further explanation of design considerations and configuration of sourcing and terminating IPSec tunnels on loopback interfaces can be found in Chapter 6, "Site-to-Site Local HA Solutions." More detail on IPSec VPN design with redundant IPSec peering statements can be found in Chapter 7, "Site-to-Site Geographic HA Solutions."
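
The loopback-to-loopback peering with redundant peer statements of Figure 5-7, as Cisco IOS configuration for IPSec_A1 (an added example, not configuration from the book); it also covers the loopback-sourced termination of Figure 5-4. The addresses, the names VPN-A and TS-AES, the algorithm choices and the keys are assumptions, and IPSec_B1 and IPSec_B2 are assumed to mirror it with their own loopbacks.

```cisco
! Added example for IPSec_A1; all addresses, names and keys are constructed.
! Loopback0 addresses: A1 192.0.2.11, B1 198.51.100.21, B2 198.51.100.22.
! They must be reachable over both uplinks through the routing protocol.
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK-B1 address 198.51.100.21
crypto isakmp key REPLACE-WITH-PSK-B2 address 198.51.100.22
! Keepalives detect a dead peer so the map can move to the next set peer.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! Source IKE and IPSec from the loopback, not from a physical interface,
! so the tunnel survives the loss of either Fast Ethernet port.
crypto map VPN-A local-address Loopback0
! Peers are tried in the order listed: B1 is primary, B2 is the backup.
crypto map VPN-A 10 ipsec-isakmp
 set peer 198.51.100.21
 set peer 198.51.100.22
 set transform-set TS-AES
 match address 110
!
! Traffic from Network_A (10.1.0.0/16) to Network_B (10.2.0.0/16) is encrypted.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The same map on both egress interfaces shares one SA database.
interface FastEthernet0/0
 crypto map VPN-A
interface FastEthernet0/1
 crypto map VPN-A
```

Failover to the second peer is stateless: the SAs with IPSec_B1 are torn down and Phase 1 and 2 are renegotiated with IPSec_B2, so the keepalive timers bound how long traffic is dropped.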


