Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Contivity Continues To Shine

Version 4.8 of the software brings more redundancy to the system via a backup interface. It also adds NAT (Network Address Translation) for protected client IP addresses. The software includes an additional integration feature: Circuitless IP (CLIP). Used primarily for load balancing, CLIP assigns a single IP to one or more Contivity interfaces.

Nortel has increased client protection in this version with Firewall User Authentication (FWUA), which forces users on the protected side of a Contivity device to authenticate prior to accessing the VPN. Additional client protection comes from Tunnel Guard, which dynamically ensures that required applications, such as Web virus scanners or firewalls, are running prior to admission to the VPN.

Contivity 5000

click to enlarge

Redundant Redundancy

Since version 4.0 of the software, the Contivity has supported network failover using VRRP (Virtual Routing Redundancy Protocol) and OSPF. Although these protocols are useful, not all environments need the VPN to participate in OSPF, and VRRP is really for interface failover. In most situations, BIS (Backup Interface Services), which is included in the software I tested, can fail over network paths and VPNs regardless of network installation.

BIS should detect failed tunnels via route advertisements, pings and interface status (see "Backup Interface Services" diagram). You can define any IP address ping against the next hop router or any device in the path. I tested this by pinging a peer Contivity 600: My primary path went out the interface. I configured a downstate indicated as three pings with a five-second time-out between each ping attempt. I then disconnected the interface cable between the Contivity 600 and the switch. After the allotted 15 seconds, the Contivity 5000 initiated a new IPsec session to the alternate Contivity 600 interface. Once I reconnected the cable between the switch and the Contivity 600, the Contivity 5000 switched back to the primary interface. Of course, if your primary network path is going up and down, the BIS will be flapping back and forth as well. To minimize the flapping, you will need to adjust the timing parameters to smooth things out.

  • 1