Concentrator Backup LAN-to-LAN

The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN each provide ways of establishing continuity of service if a Concentrator fails, the Backup LAN-to-LAN feature provides certain advantages over VRRP as follows:

■ You can configure Backup LAN-to-LAN and load balancing on the same device, but you cannot configure VRRP and load balancing on the same Concentrator.

■ Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP backup peers cannot be geographically dispersed.

Note: The Backup LAN-to-LAN feature does not work in conjunction with VRRP. If you set up a Backup LAN-to-LAN configuration, disable VRRP.


Load balancing distributes the connection load across multiple Concentrators. Rather than loading up one Concentrator at a time, load balancing spreads the connections across multiple Concentrators. As a result, individual LAN ports and CPUs are less heavily used, so latency and response time improve. It scales to a large number of Concentrators with no additional impact on performance. It also provides a high degree of resiliency to remote users: the failure of one Concentrator does not cause the system to collapse.

Load Balancing consists of three parts:

■ Cluster—A group of Concentrators working together as a single entity. The cluster is known by one IP address to the outside client space. This virtual IP address is not tied to a specific physical device in the VPN cluster but is serviced by the cluster virtual master. The virtual IP address is a valid routable address.

■ Client—The basic strategy allows clients to initiate a connection to a known address, also known as a virtual IP address. The cluster always accepts the connection. During the second message of the IKE exchange, the cluster virtual master sends back to the client a secure redirect notify message with the address of the least-loaded Concentrator. The client restarts IKE phase 1 with the new specified address, which is the public interface of the least-loaded Concentrator. Load balancing is performed on active sessions at connection time.

■ Load—The virtual cluster master maintains load information from all other non-masters. Each non-master sends load information in the "Keep Alive" message exchange to the master. The load is calculated as a percentage of current active sessions divided by the configured maximum allowed connections. The administrator can limit the number of connections in a Concentrator.

Note: The Concentrator can perform only VRRP or load balancing, not both.
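The load calculation and least-loaded redirect described above can be modeled as follows. This is an added illustration, not Concentrator code: the class and function names, the sample addresses, the tie-break rule and the behavior when every member is at its limit are all assumptions. It shows that because load is a percentage of each device's configured maximum, sessions spread in proportion to those limits rather than evenly.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass
class Member:
    public_ip: str            # public interface address (constructed sample value)
    max_sessions: int         # administrator-configured connection limit
    active_sessions: int = 0  # last value reported in a keepalive

    def load_pct(self) -> Fraction:
        """Active sessions over the configured maximum, as a percentage."""
        if self.max_sessions <= 0:          # a limit of 0 leaves no capacity
            return Fraction(100)
        return Fraction(100 * self.active_sessions, self.max_sessions)

class VirtualMaster:
    """Hypothetical model of the cluster virtual master's load table."""
    def __init__(self, members):
        self.members = {m.public_ip: m for m in members}

    def keepalive(self, public_ip, active_sessions):
        """Record the load a non-master reports in its keepalive message."""
        self.members[public_ip].active_sessions = active_sessions

    def redirect_target(self):
        """Address for the redirect notify, or None when every member is full."""
        open_members = [m for m in self.members.values() if m.load_pct() < 100]
        if not open_members:
            return None  # assumption: the page does not describe this case
        # Lowest percentage wins; breaking ties on address is an assumption.
        return min(open_members, key=lambda m: (m.load_pct(), m.public_ip)).public_ip

def simulate(master, new_clients):
    """Connect clients one by one; return (sessions per member, unplaced clients)."""
    unplaced = 0
    for _ in range(new_clients):
        ip = master.redirect_target()
        if ip is None:
            unplaced += 1
        else:
            master.members[ip].active_sessions += 1
    return {ip: m.active_sessions for ip, m in master.members.items()}, unplaced

if __name__ == "__main__":
    big, small = Member("192.0.2.11", 100), Member("192.0.2.12", 50)
    print(simulate(VirtualMaster([big, small]), 30))
```

With limits of 100 and 50, thirty new clients end up split 20 and 10; a member reporting 30 of 100 sessions is still preferred over one reporting 20 of 50.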

