VPN Applications
XSR User’s Guide 14-17
The VPN interface on the server may terminate a mix of connections: some may be Client-type
connections and others may be Network Extension connections.
The following OSPF settings should be applied in this scenario:
Server
Apply the same settings as in the Client Mode scenario. OSPF is enabled on Fast/GigabitEthernet
1 and VPN 1 interfaces and is disabled on Fast/GigabitEthernet 2.
Client
As in the Client Mode model, OSPF is enabled on VPN 1 and disabled on Fast/GigabitEthernet 2.
Additionally, OSPF is enabled on Fast/GigabitEthernet 1 because the route to the network attached
to Fast/GigabitEthernet 1 should be learned by the central site's network.
The tunnel associated with interface VPN 1 on the client is created by EZ-IPsec, which
automatically creates and attaches two sets of SPDs to interface Fast/GigabitEthernet 2. The first
set specifies that traffic to and from the IP address assigned to the VPN interface should be
encrypted. The second SPD specifies that traffic originating from and destined for the segment
attached to Fast/GigabitEthernet 1 should be encrypted.
Network extension mode lets you add more segments attached to interface F1. If those segments
are advertised using OSPF, routes to those segments will be known at the central site network.
However, any traffic destined for those segments will be dropped, because the security policy
described by the crypto maps does not permit it: the two SPD sets created by EZ-IPsec cover only
the VPN interface address and the segment attached to Fast/GigabitEthernet 1.
This situation may be addressed by extending the crypto maps attached to both the client and the
server. An example of such a network extension is illustrated in “XSR with VPN - Central
Gateway” on page 14-36.
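The drop-until-extended behaviour described above, as an added illustration that is not code from the XSR User's Guide: a minimal model of the SPD selectors that decide whether traffic enters the EZ-IPsec tunnel, with all addresses, prefixes and function names being constructed assumptions.

```python
# Added example (not from the XSR User's Guide): a minimal model of the SPD
# selectors that decide whether traffic is carried by an EZ-IPsec tunnel.
# All addresses, prefixes and names below are constructed sample values.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Spd:
    """One security policy entry: a source/destination selector pair."""
    name: str
    src: IPv4Network
    dst: IPv4Network


def ez_ipsec_spds(vpn_addr: str, central: IPv4Network, f1_net: IPv4Network) -> list[Spd]:
    """The two SPD sets the text describes: the VPN interface address and the
    segment behind Fast/GigabitEthernet 1, each selector in both directions."""
    vpn_host = IPv4Network(f"{vpn_addr}/32")
    return [
        Spd("vpn-address", vpn_host, central), Spd("vpn-address-rev", central, vpn_host),
        Spd("f1-segment", f1_net, central), Spd("f1-segment-rev", central, f1_net),
    ]


def selector_matches(spds: list[Spd], src: str, dst: str) -> bool:
    """True when some SPD selector covers the src/dst pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in p.src and d in p.dst for p in spds)


def tunnel_verdict(client_spds, server_spds, src: str, dst: str) -> str:
    """Traffic is carried only if the policies at BOTH ends cover it; otherwise
    it is dropped, as the text describes for segments added in network extension
    mode. Simplification: no clear-text bypass action is modelled."""
    if selector_matches(client_spds, src, dst) and selector_matches(server_spds, src, dst):
        return "encrypt"
    return "drop"


def extend_policy(spds: list[Spd], new_net: IPv4Network, central: IPv4Network) -> list[Spd]:
    """Extend a crypto map with an added segment, in both directions."""
    return spds + [Spd("added-segment", new_net, central), Spd("added-segment-rev", central, new_net)]


CENTRAL = IPv4Network("10.0.0.0/16")   # constructed: trusted network behind the server
F1_NET = IPv4Network("10.2.1.0/24")    # constructed: segment on the client's F1
NEW_NET = IPv4Network("10.2.2.0/24")   # constructed: extra segment advertised via OSPF
CLIENT = ez_ipsec_spds("10.200.0.5", CENTRAL, F1_NET)  # constructed VPN 1 address
SERVER = list(CLIENT)                  # mirror policy on the server for this client

if __name__ == "__main__":
    print(tunnel_verdict(CLIENT, SERVER, "10.0.0.9", "10.2.2.7"))   # drop: NEW_NET not covered
    both = (extend_policy(CLIENT, NEW_NET, CENTRAL), extend_policy(SERVER, NEW_NET, CENTRAL))
    print(tunnel_verdict(*both, "10.0.0.9", "10.2.2.7"))            # encrypt: both ends extended
```

Extending only one end still yields a drop, which is why the text calls for changing the crypto maps on both the client and the server.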
Configuring OSPF with Fail Over (Redundancy)
In this scenario, the client initiates two tunnels to two servers which are connected on their trusted
sides. With alternate paths to the trusted network behind the servers (via the client's two tunnels),
OSPF learns two paths of identical costs but uses the first learned path.
Should the tunnel serving that path become non-functional, OSPF recalculates the routes and uses
the alternate path. The interval between link failure and the switch to the new route depends on
the following OSPF parameters set on the VPN interfaces:
hello-interval - This specifies how often hello packets are sent to the neighbor.
dead-interval - This sets the maximum interval that may elapse without receiving a hello packet
from the neighbor before the link is declared non-operational.
Setting those parameters low will generate more traffic on the link but guarantees faster detection
of link failure. As shown in Figure 14-10, OSPF is enabled on the following interfaces:
Server 1
Interfaces Fast/GigabitEthernet 1 and VPN 1