Configuration Guide
Internet-based WAN Backup Solutions
using NetVanta
Overview
This configuration guide delineates the advantages of using the NetVanta
product line and the Internet for wide area network (WAN) connectivity. It
includes example scenarios using Internet-based backup solutions.
61200890L1-29.4A
May 2005
Introduction
WAN communication links are traditionally the weakest component in computer networking. Unlike LAN
components, which are typically in the owner's direct physical and administrative control, the facilities that
make up the WAN link belong to and are controlled by a third party. These facilities also cover wide
geographic areas, making them more susceptible to physical harm. Such characteristics make WAN links
the single largest contributor to network downtime.
When the WAN link is critical to a network's operation, it is wise to design towards WAN resiliency. In
some cases, the volume and criticality of the WAN might dictate the need to completely duplicate the
WAN with redundant and independent facilities. The cost of this solution can be quite high, so the benefit
must be carefully weighed.
Another common solution, especially in large hub and spoke networks, is to use dial backup around the
WAN provider. In this solution, should a spoke lose its WAN connectivity to the hub, it will place a call to
a dial-up server located at the hub, completely bypassing the WAN. While this is a well-known solution
that has been used for many years, the cost of dial-up server ownership, maintenance, and long distance
toll charges can be quite high.
The Internet as an Alternative
Using the stateful inspection firewall and powerful IPSec VPN capabilities provided in the NetVanta router
product line, the Internet can be a useful and low cost alternative for WAN connectivity -- as a backup or
even as a primary connection. Internet use eliminates the dial-up server and its ownership and maintenance
expenses, in effect outsourcing management of the modem bank to local ISPs at each location. It also
eliminates toll charges since each location can connect via a local ISP. A site can remain connected
indefinitely for a flat fee in many areas, incurring no toll charges.
Following are descriptions and detailed examples of several Internet-based backup solutions. These
solutions have been tested with AOS Version 8.0.22E.
Note that detailed firewall design and VPN design are dependent on each network's unique requirements.
The examples shown here are simplified to focus on the mechanics of using a primary and backup
connection.
Also note that in these examples, the NetVanta is the remote site router. A NetVanta or a third party device
can be used as the central router and the central FW/VPN gateway.
2 Copyright © 2005 ADTRAN, Inc. 61200890L1-29.4A
Solution 1 - Primary = Frame Relay Service Provider, Alternate = ISP via Dial-up
In this scenario (see Figure 1), a Frame Relay service provider supplies the Frame Relay access line and
virtual circuit that connects a NetVanta remote site directly to the central site. Since this link is entirely
over a provider's Frame Relay network, no firewall or VPN is required to protect the customer's network.
The central site also has a protected Internet connection and an IPSec VPN gateway for Internet-based
access to the central site network. The remote site has a dial-up resource (analog modem or ISDN) and an
account at a local ISP. Should the remote's Frame Relay link fail, a dial-up connection is invoked to a local
ISP. An IPSec VPN connection is established across the Internet to the central site VPN gateway,
re-establishing connectivity between the two sites. The NetVanta uses its stateful inspection firewall to
protect the remote network while connected to the ISP. When the Frame Relay connection is
re-established, the dial backup connection is dropped and the IPSec connection ages out. The dial
connection to the Internet is used solely as a backup link, and general Internet access is not provided.
Figure 1. Primary WAN Connectivity via Frame Relay Service Provider, Backup Connectivity via
IPsec VPN over Dial-up Internet Connection
(Addresses labeled in the figure: 10.254.255.26/28, 10.254.255.25/28, 10.254.255.85/28,
10.1.1.240/24, 172.31.4.0/24)
Remote NetVanta Router Configuration:
!
!
hostname "NV_Remote"
!
ip routing
!
ip firewall
!
ip crypto
!
crypto ike policy 100
initiate aggressive
no respond
local-id fqdn REMOTE
peer 10.254.255.85
attribute 10
authentication pre-share
group 2
lifetime 300
!
crypto ike remote-id fqdn CENTRAL. preshared-key 1234567890
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
mode tunnel
!
crypto map HOSTviaDIAL 100 ipsec-ike
match address REMOTE_to_CENTRAL
set peer 10.254.255.85
set transform-set dessha
set security-association lifetime seconds 600
set pfs group2
!
interface eth 0/1
ip address
access-policy LOCALLAN
no shutdown
!
!
interface t1 1/1
clock source internal
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface bri 1/3
description ISDN link to local PSTN
isdn spid1 11111
isdn spid2 11112
no shutdown
!
interface fr 1 point-to-point
description Interface to FR Service Provider - PRIMARY
frame-relay lmi-type ansi
no shutdown
cross-connect 1 t1 1/1 1 frame-relay 1
!
interface fr 1.1 point-to-point
description VC to CENTRAL
frame-relay interface-dlci 100
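The following is an added example, not code from this guide or from ADTRAN: a Python script that parses the "!"-delimited stanza structure of an AOS-style configuration like the remote router excerpt above and reports the IKE/IPsec settings a reviewer would want to look at today (aggressive mode combined with a pre-shared key, a short or all-digit key, DES in the transform set, a small Diffie-Hellman group, a crypto map without PFS or with an undefined transform set, and a missing "ip firewall"). The sample configuration is constructed from the Solution 1 excerpt; the hardened variant's keywords ("initiate main", "group 14", "esp-aes-256-cbc"), the example pre-shared key, and the thresholds are assumptions for illustration, not statements about what AOS 8.0.22E supports.

```python
"""Added example (not ADTRAN's code): audit IKE/IPsec settings in an AOS-style
configuration. Stanzas are delimited by lines containing only '!', as in the
guide's excerpt; the first line of a stanza is its top-level command."""

import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring the remote NetVanta excerpt in this guide.
SAMPLE_CONFIG = """\
!
hostname "NV_Remote"
!
ip firewall
!
ip crypto
!
crypto ike policy 100
initiate aggressive
no respond
local-id fqdn REMOTE
peer 10.254.255.85
attribute 10
authentication pre-share
group 2
lifetime 300
!
crypto ike remote-id fqdn CENTRAL preshared-key 1234567890
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
mode tunnel
!
crypto map HOSTviaDIAL 100 ipsec-ike
match address REMOTE_to_CENTRAL
set peer 10.254.255.85
set transform-set dessha
set security-association lifetime seconds 600
set pfs group2
!
"""

# Constructed hardened variant. The keywords and the key value are assumptions
# for illustration; confirm what a given AOS release actually supports.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("initiate aggressive", "initiate main")
    .replace("group 2\n", "group 14\n")
    .replace("preshared-key 1234567890", "preshared-key Vq7pL2xR9mTc4wZ0bHs3kE")
    .replace("transform-set dessha esp-des", "transform-set aessha esp-aes-256-cbc")
    .replace("set transform-set dessha", "set transform-set aessha")
)

Finding = Tuple[str, str, str]  # (severity, code, message)

# Policy thresholds used by this example (assumptions, not AOS defaults).
WEAK_ESP = {"esp-des": "56-bit DES", "esp-null": "no encryption", "esp-md5-hmac": "MD5 integrity"}
WEAK_DH_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP"}
MIN_PSK_LEN = 16


def parse_stanzas(text: str) -> List[List[str]]:
    """Split config text into stanzas of stripped, non-empty lines."""
    stanzas: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if current:
                stanzas.append(current)
                current = []
            continue
        current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def psk_is_weak(key: str) -> bool:
    """Short keys, all-digit keys and all-lower-case keys are treated as guessable."""
    return len(key) < MIN_PSK_LEN or key.isdigit() or key.islower()


def audit(text: str) -> List[Finding]:
    """Return findings in configuration order; an empty list means nothing flagged."""
    stanzas = parse_stanzas(text)
    heads = [s[0] for s in stanzas]
    findings: List[Finding] = []
    # First pass: collect transform-set names so crypto maps can be cross-checked.
    transform_sets: Dict[str, List[str]] = {}
    for head in heads:
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", head)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
    for stanza in stanzas:
        head, body = stanza[0], stanza[1:]
        if head.startswith("crypto ike policy"):
            if "initiate aggressive" in body and "authentication pre-share" in body:
                findings.append(("medium", "IKE_AGGRESSIVE",
                                 f"{head}: aggressive mode with a pre-shared key sends the identity "
                                 "in the clear and exposes a PSK hash to a passive observer"))
            for line in body:
                m = re.match(r"group (\d+)$", line)
                if m and m.group(1) in WEAK_DH_GROUPS:
                    findings.append(("medium", "WEAK_DH_GROUP",
                                     f"{head}: DH group {m.group(1)} ({WEAK_DH_GROUPS[m.group(1)]})"))
        m = re.match(r"crypto ike remote-id \S+ \S+ preshared-key (\S+)", head)
        if m and psk_is_weak(m.group(1)):  # never echo the key itself into a report
            findings.append(("high", "WEAK_PSK",
                             f"{head.split(' preshared-key')[0]}: pre-shared key is short or single-class"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", head)
        if m:
            for alg in m.group(2).split():
                if alg in WEAK_ESP:
                    findings.append(("high", "WEAK_ESP_ALG",
                                     f"transform-set {m.group(1)} uses {alg} ({WEAK_ESP[alg]})"))
        if re.match(r"crypto map \S+ \d+ ipsec-ike", head):
            for line in body:
                if line.startswith("set transform-set ") and line.split()[-1] not in transform_sets:
                    findings.append(("high", "UNKNOWN_TRANSFORM_SET", f"{head}: {line} is not defined"))
            if not any(line.startswith("set pfs") for line in body):
                findings.append(("medium", "NO_PFS", f"{head}: no perfect forward secrecy"))
    if "ip firewall" not in heads:
        findings.append(("high", "FIREWALL_OFF",
                         "ip firewall not enabled; the remote LAN is exposed while dialed in to the ISP"))
    return findings


if __name__ == "__main__":
    for severity, code, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {code}: {message}")
```

Run stand-alone, the script lists the four findings for the sample (aggressive mode with PSK, DH group 2, the ten-digit key, and DES) and nothing for the hardened variant. The checks are deliberately string-level so they can be run against a saved "show running-config" without any device access; extend WEAK_ESP and WEAK_DH_GROUPS to match the policy you actually enforce.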