The routing table consequently contains the following default route:
Interface
Destination
Gateway
Metric
Monitoring
wan
all-nets
195.66.77.1
10
Off
Now a secondary route is added over a backup DSL connection and Route Monitoring is enabled for
this. The updated routing table will look like this:
Route #
Interface
Destination
Gateway
Metric
Monitoring
1
wan
all-nets
195.66.77.1
10
On
2
dsl
all-nets
193.54.68.1
20
Off
Notice that Route Monitoring is enabled for the first route but not the backup, failover route.
As long as the preferred wan route is healthy, everything will work as expected. Route Monitoring
will also be functioning, so the secondary route will be enabled if the wan route should fail.
There are, however, some problems with this setup: if a route failover occurs, the default route will
then use the dsl interface. When a new HTTP connection is then established from the intnet
network, a route lookup will be made resulting in a destination interface of dsl. The IP rules will
then be evaluated, but the original NAT rule assumes the destination interface to be wan so the new
connection will be dropped by the rule set.
In addition, any existing connections matching the NAT rule will also be dropped as a result of the
change in the destination interface. Clearly, this is undesirable.
To overcome this issue, potential destination interfaces should be grouped together into an Interface
Group and the Security/Transport Equivalent flag should be enabled for the Group. The Interface
Group is then used as the Destination Interface when setting policies. For more information on
groups, see Section 3.3.6, “Interface Groups”.
Gratuitous ARP Generation
By default NetDefendOS generates a gratuitous ARP request when a route failover occurs. The
reason for this is to notify surrounding systems that there has been a route change. This behavior can
be controlled by the advanced setting Gratuitous ARP on Fail.
4.2.4. Host Monitoring for Route Failover
Overview
To provide a more flexible and configurable way to monitor the integrity of routes, NetDefendOS
provides the additional capability to perform Host Monitoring. This feature means that one or more
external host systems can be routinely polled to check that a particular route is available.
The advantages of Host Monitoring are twofold:
•
In a complex network topology it is more reliable to check accessibility to external hosts. Just
monitoring a link to a local switch may not indicate a problem in another part of the internal
network.
•
Host monitoring can be used to help in setting the acceptable Quality of Service level of Internet
response times. Internet access may be functioning but it may be desirable to instigate route
failover if response latency times become unacceptable using the existing route.
Enabling Host Monitoring
4.2.4. Host Monitoring for Route
Failover
Chapter 4. Routing
159
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...