User's guide

Release Notes Using Network Extension Mode for ANG-1100 Tunnels
Release 3.5 Enhanced Support for VPN Clients
provide a path to remotely manage the ANG-1100 over the tunnel). The new
rule automatically secures data to whatever subnet is configured on the
ANG-1100's trusted interface.
• RIP packets sent from the ANG-1100 into the tunnel broadcast reachability to
the ANG-1100's trusted subnet. Routing protocols on the ANG-3000/7000, if
enabled, then relay those routes into the intranet routing fabric.
The combination of the above configuration changes enables NEM on the ANG-1100.
The implementation also provides the following features:
• Parallel tunnels with NEM may be built from the ANG-1100 to multiple
ANG-3000/7000s to provide failover if routing tables exported from central
ANG-3000/7000s are identical (refer to Figure 11). In other words, central
ANGs must have their trusted interfaces connected to the same network. Be
aware that, on average, about 60 seconds pass for tunnel keep-alives and the
routing protocols to detect and reconfigure around a tunnel failure. Refer to
the Application Note: Auto-Link Recovery for configuration information.
Figure 11 Failover on Network Extension Mode Tunnels
• Client mode and NEM tunnels can coexist simultaneously (refer to Figure 12).
For example, one tunnel from the ANG-1100 can use NEM to access an
intranet at one site and to provide access to the local trusted network from
that site. Other tunnels can use Client mode to simultaneously provide access
from the ANG-1100 trusted network to the intranet at other sites. Those other
sites cannot access the trusted network behind the ANG-1100 because NAT is
applied to tunnels configured in Client mode.
Figure 12 Coexisting Client Mode and Network Extension Mode Tunnels
[Figure 11 diagram labels: ANG-1100, ANG-7000, ANG-7000, Router, Network Extension Mode tunnel, Primary, Secondary]
[Figure 12 diagram labels: ANG-1100, ANG-7000, ANG-7000, Router, INTERNET, Client Mode tunnel, Network Extension Mode tunnel]
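
The failover feature above depends on the central ANG-3000/7000s exporting identical routing tables. The following is an added example, not taken from the release notes or from the vendor, that checks this precondition on two route lists. The input format (one prefix string per route), the function names and the sample prefixes are assumptions constructed for illustration.

```python
import ipaddress


def normalize(routes):
    """Return the set of networks named by a list of prefix strings.

    Accepts CIDR ("10.1.0.0/16") or netmask ("10.1.0.0/255.255.0.0") notation.
    strict=False tolerates host bits set in the address part.
    """
    return {ipaddress.ip_network(r.strip(), strict=False)
            for r in routes if r.strip()}


def compare_exports(primary, secondary):
    """Compare the prefixes exported by two central gateways.

    Returns (identical, only_primary, only_secondary). A prefix exported by
    only one gateway means the tables are not identical, which is the
    condition the release notes set for failover between parallel tunnels.
    """
    p, s = normalize(primary), normalize(secondary)
    only_primary = sorted(str(n) for n in p - s)
    only_secondary = sorted(str(n) for n in s - p)
    return (p == s, only_primary, only_secondary)


# Constructed sample data (hypothetical prefixes, not from the page).
PRIMARY = ["10.1.0.0/16", "10.2.0.0/255.255.0.0", "192.168.50.0/24"]
SECONDARY_OK = ["10.2.0.0/16", "10.1.0.0/16", "192.168.50.1/24"]
SECONDARY_BAD = ["10.1.0.0/16", "10.2.0.0/16", "172.16.0.0/12"]

if __name__ == "__main__":
    for name, table in (("ok", SECONDARY_OK), ("bad", SECONDARY_BAD)):
        same, only_p, only_s = compare_exports(PRIMARY, table)
        print(f"secondary[{name}]: identical={same}")
        for prefix in only_p:
            print(f"  exported by primary only:   {prefix}")
        for prefix in only_s:
            print(f"  exported by secondary only: {prefix}")
```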