background image

Internet-based WAN Backup Solutions using NetVanta 

 The Internet as an Alternative

61200890L1-29.4A

Copyright © 2005 ADTRAN, Inc. 

3

Solution 1 - Primary = Frame Relay Service Provider, Alternate = ISP via Dial-up 

In this scenario (see Figure 1), a Frame Relay service provider supplies the Frame Relay access line and 
virtual circuit that connects a NetVanta remote site directly to the central site. Since this link is entirely 
over a provider's Frame Relay network, no firewall or VPN is required to protect the customer's network. 
The central site also has a protected Internet connection and an IPSec VPN gateway for Internet-based 
access to the central site network. The remote site has a dial-up resource (analog modem or ISDN) and an 
account at a local ISP. Should the remote's Frame Relay link fail, a dial-up connection is invoked to a local 
ISP. An IPSec VPN connection is established across the Internet to the central site VPN gateway, 
re-establishing connectivity between the two sites. The NetVanta uses its stateful inspection firewall to 
protect the remote network while connected to the ISP. When the Frame Relay connection is 
re-established, the dial backup connection is dropped and the IPSec connection ages out. The dial 
connection to the Internet is used solely as a backup link, and general Internet access is not provided.

Figure 1.  Primary WAN Connectivity via Frame Relay Service Provider, Backup Connectivity via 

IPsec VPN over Dial-up Internet Connection

Remote NetVanta Router Configuration:

!
!
hostname "NV_Remote"
!
ip routing
!
ip firewall
!
ip crypto
!
crypto ike policy 100
  initiate aggressive
  no respond

10.254.255.25/28

10.254.255.85/28

10.254.255.26/28

10.1.1.240/24

172.31.4.0/24

Summary of Contents for NetVanta Internet-Based WAN Backup

Page 1: ...ed WAN Backup Solutions using NetVanta Overview This configuration guide delineates the advantages of using the NetVanta product line and the Internet for wide area network WAN connectivity It include...

Page 2: ...he hub completely bypassing the WAN While this is a well known solution that has been used for many years the cost of dial up server ownership maintenance and long distance toll charges can be quite h...

Page 3: ...cal ISP Should the remote s Frame Relay link fail a dial up connection is invoked to a local ISP An IPSec VPN connection is established across the Internet to the central site VPN gateway re establish...

Page 4: ...NTRAL set peer 10 254 255 85 set transform set dessha set security association lifetime seconds 600 set pfs group2 interface eth 0 1 ip address access policy LOCALLAN no shutdown interface t1 1 1 cloc...

Page 5: ...Dial ppp chap password a no shutdown ip access list extended REMOTE_to_CENTRAL remark permits local lan subnet to central subnet permit ip 10 1 1 240 0 0 0 15 172 31 4 0 0 0 0 255 each interface has i...

Page 6: ...to a local ISP This connection is always on and is used for local Internet access if the corporate security policy allows such connectivity while providing an alternate path to the central site This l...

Page 7: ...set dessha set security association lifetime seconds 600 set pfs group2 interface eth 0 1 description Local Lan Interface ip address 10 1 1 254 255 255 255 240 access policy LOCALLAN no shutdown inte...

Page 8: ...ip 10 1 1 240 0 0 0 15 172 31 4 0 0 0 0 255 each interface has its own policy class to allow for discrete destination policy control if needed ip policy class FR inbound on FR allows any session from...

Page 9: ...nection is negotiated across the Internet to the central site VPN gateway re establishing connectivity between the two sites If the remote router accesses the central VPN gateway on the same IP addres...

Page 10: ...55 85 attribute 10 authentication pre share group 2 lifetime 300 crypto ike remote id fqdn CENTRAL preshared key 1234567890 crypto ipsec transform set dessha esp des esp sha hmac mode tunnel separate...

Page 11: ...authentication chap username ISP_PPPoE_Srv password a ppp chap hostname ISP_Customer_PPPoE ppp chap password a mtu 1492 dial backup number 2222 digital 64k 1 1 ppp 2 no shutdown cross connect 2 eth 0...

Page 12: ...traffic is using nat source to the active interface IP address a destination policy class is included in the previous NAT policies to control which NAT is used Specifying a destination policy class re...

Reviews: