Wednesday, April 2, 2008

Stateful Failover for IPSec - SSO

Cisco IOS Security Configuration Guide
Stateful Failover for IPSec, IOS 12.4 (Cisco Systems)

Stateful failover for IP Security (IPSec) enables a router to continue processing and forwarding IPSec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPSec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of Internet Key Exchange (IKE) and IPSec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPSec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.

Downloads:
Stateful Failover for IPSec (PDF)
Download the complete book:
Cisco IOS Security Configuration Guide, Release 12.4 (PDF - 31 MB)

No comments: