3 Configuring FIPS High Availability
Note:
This chapter highlights the run setup command, which is not available on all products.
Configuring Acme Packet 1100 FIPS High Availability
FIPS dictates that critical traffic must be encrypted, which is not currently supported on this platform. The Acme Packet 1100 has only three physical interfaces, typically designated as management (SSH, SFTP, etc.), INT, and EXT (both used for media traffic).
In a standard Acme Packet 1100 HA implementation, you configure the "Control" (HA) port to coexist on the management physical port using a different VLAN tag (sub-port-id) and addressing scheme. This method, however, does not meet FIPS standards.
To configure FIPS-compliant HA on the Acme Packet 1100, you must configure the EXT physical port (slot 0 port 1) of both SBCs to be used as dedicated HA Control ports in a point-to-point connection with no hubs, switches, or routers between them. When used for HA, this interface is called wancom1. This leaves the second media port, INT, as the only usable media interface, on which you must configure multiple ports (using different VLAN tags) for all media functionality. See the following diagram:
FIPS_1100_Primary# run setup
-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------
'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit
HIGH AVAILABILITY
This SBC may be a standalone or part of a highly available redundant pair.
SBC mode
1 - standalone
2 - high availability
Enter choice [1 - standalone] : 2
If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
SBC role
1 - primary
2 - secondary
Enter choice [1 - primary] : 1
Specify the IP address to set on interface connected for redundancy
Redundancy interface address [169.254.1.1] :
Redundancy subnet mask [255.255.255.252] :
SBC SETTINGS
Unique target name of this SBC [FIPS_1100_Primary] :
IP address on management interface [10.196.145.73] :
Subnet mask [255.255.224.0] :
Gateway IP address [10.196.128.1] :
PEER CONFIGURATION
Peer IP address [169.254.1.2] :
Peer target name [sbc02] : FIPS_1100_Secondary
OC SDM ACCESS SETTINGS
Configure SBC to allow OC Session Delivery Manager to access it
OC SDM access (yes/no) [yes] : no
-- Summary view ---------------------------------------------------------------
GUI ACCESS
1: Enable Web GUI (yes/no) : N/A
WEB GUI MODE
2 : Web GUI Mode : N/A
HIGH AVAILABILITY
3 : SBC mode : high availability
4 : SBC role : primary
5 : Redundancy interface address : 169.254.1.1
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
SBC SETTINGS
8 : Unique target name of this SBC : FIPS_1100_Primary
9 : IP address on management interface : 10.196.145.73
10: Subnet mask : 255.255.224.0
11: Management interface VLAN : N/A
12: Gateway IP address : 10.196.128.1
AUTOMATIC CONFIGURATION
13: Acquire config from the Primary (yes/no) : N/A
PEER CONFIGURATION
14: Peer IP address : 169.254.1.2
15: Peer target name : FIPS_1100_Secondary
OC SDM ACCESS SETTINGS
16: OC SDM access (yes/no) : no
17: SNMP community string : N/A
18: OC SDM IP address : N/A
Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
The following is an example setup console log for a FIPS Acme Packet 1100 secondary E-SBC.
FIPS_1100_Secondary# run setup
-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------
'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit
HIGH AVAILABILITY
This SBC may be a standalone or part of a highly available redundant pair.
SBC mode
1 - standalone
2 - high availability
Enter choice [1 - standalone] : 2
If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
SBC role
1 - primary
2 - secondary
Enter choice [1 - primary] : 2
Specify the IP address to set on interface connected for redundancy
Redundancy interface address [169.254.1.2] :
Redundancy subnet mask [255.255.255.252] :
SBC SETTINGS
Unique target name of this SBC [FIPS_1100_Secondary] :
IP address on management interface [10.196.145.74] :
Subnet mask [255.255.224.0] :
Gateway IP address [10.196.128.1] :
PEER CONFIGURATION
Peer IP address [169.254.1.1] :
Peer target name [sbc01] : FIPS_1100_Primary
OC SDM ACCESS SETTINGS
Configure SBC to allow OC Session Delivery Manager to access it
OC SDM access (yes/no) [yes] : no
-- Summary view ---------------------------------------------------------------
GUI ACCESS
1: Enable Web GUI (yes/no) : N/A
WEB GUI MODE
2 : Web GUI Mode : N/A
HIGH AVAILABILITY
3 : SBC mode : high availability
4 : SBC role : secondary
5 : Redundancy interface address : 169.254.1.2
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
SBC SETTINGS
8 : Unique target name of this SBC : FIPS_1100_Secondary
9 : IP address on management interface : 10.196.145.74
10: Subnet mask : 255.255.224.0
11: Management interface VLAN : N/A
12: Gateway IP address : 10.196.128.1
AUTOMATIC CONFIGURATION
13: Acquire config from the Primary (yes/no) : N/A
PEER CONFIGURATION
14: Peer IP address : 169.254.1.1
15: Peer target name : FIPS_1100_Primary
OC SDM ACCESS SETTINGS
16: OC SDM access (yes/no) : no
17: SNMP community string : N/A
18: OC SDM IP address : N/A
Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
For more information on configuring HA on the Acme Packet 1100, see the Acme Packet 1100 Hardware Installation and Maintenance Guide and Session Border Controller ACLI Configuration Guide.
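As an added example (not part of the original guide and not Oracle code), the following Python cross-checks the summary views of the two nodes before they are saved: roles, the shared redundancy subnet, and that each node's peer address is the other node's redundancy address. The function names are hypothetical, the input lines are constructed from the logs above, and the untagged-VLAN check is an assumption taken from those logs.

```python
import ipaddress

# Constructed input: summary-view lines taken from the two 1100 logs above.
PRIMARY = """\
3 : SBC mode : high availability
4 : SBC role : primary
5 : Redundancy interface address : 169.254.1.1
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
14: Peer IP address : 169.254.1.2
"""
SECONDARY = """\
3 : SBC mode : high availability
4 : SBC role : secondary
5 : Redundancy interface address : 169.254.1.2
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
14: Peer IP address : 169.254.1.1
"""

def parse_summary(text):
    """Map item number -> value for 'N : label : value' summary lines."""
    items = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) == 3 and parts[0].isdigit():
            items[int(parts[0])] = parts[2]
    return items

def check_pair(primary, secondary):
    """Return findings for an HA pair; an empty list means consistent."""
    p, s = parse_summary(primary), parse_summary(secondary)
    findings = []
    for role, cfg in (("primary", p), ("secondary", s)):
        if cfg.get(3) != "high availability":
            findings.append(f"{role}: SBC mode is not high availability")
        if cfg.get(4) != role:
            findings.append(f"{role}: SBC role reads {cfg.get(4)!r}")
        if cfg.get(7) != "N/A":  # assumption: untagged, as in the sample logs
            findings.append(f"{role}: redundancy interface has a VLAN tag")
    p_if = ipaddress.ip_interface(f"{p[5]}/{p[6]}")
    s_if = ipaddress.ip_interface(f"{s[5]}/{s[6]}")
    if p_if.network != s_if.network or p_if.ip == s_if.ip:
        findings.append("redundancy addresses do not form one two-node link")
    if p.get(14) != str(s_if.ip) or s.get(14) != str(p_if.ip):
        findings.append("peer IP address does not match the other node")
    return findings

if __name__ == "__main__":
    print(check_pair(PRIMARY, SECONDARY) or "HA pair summary is consistent")
```

The parser also accepts a full captured wizard log, since prompt lines do not match the `N : label : value` shape and are skipped.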
Configuring Acme Packet 3900/4600/6300/6350 FIPS HA
FIPS dictates that critical traffic must be encrypted, which is not currently supported on this platform. Therefore, on each of the supported Acme Packet platforms in the HA pair, there is a dedicated "Control" port used only to send HA sync traffic between the SBCs. This port is labeled "MGMT1".
Plug the "Control" port of one SBC directly into the "Control" port of the second SBC using a single point-to-point cable, with no hubs, switches, or routers between them. See the following diagram:
FIPS_VM_Primary# run setup
-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------
'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit
GUI ACCESS
If you want to allow GUI to access this SBC, enable this setting
Enable Web GUI (yes/no) [yes] : yes
WEB GUI MODE
Choose which mode to enable for the web GUI
Web GUI Mode
1 - basic
2 - expert
Enter choice [1 - basic] : 2
HIGH AVAILABILITY
This SBC may be a standalone or part of a highly available redundant pair.
SBC mode
1 - standalone
2 - high availability
Enter choice [1 - standalone] : 2
If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
SBC role
1 - primary
2 - secondary
Enter choice [1 - primary] : 1
Specify the IP address to set on interface connected for redundancy
Redundancy interface address [169.254.1.1] :
Redundancy subnet mask [255.255.255.252] :
SBC SETTINGS
Unique target name of this SBC [FIPS_VM_Primary] :
IP address on management interface [10.196.33.48] :
Subnet mask [255.255.224.0] :
Management interface VLAN (0 - 4095) [0] :
Gateway IP address [10.196.32.1] :
PEER CONFIGURATION
Peer IP address [169.254.1.2] :
Peer target name [sbc02] : FIPS_VM_Secondary
OC SDM ACCESS SETTINGS
Configure SBC to allow OC Session Delivery Manager to access it
OC SDM access (yes/no) [yes] : no
-- Summary view ---------------------------------------------------------------
GUI ACCESS
1: Enable Web GUI (yes/no) : yes
WEB GUI MODE
2 : Web GUI Mode : expert
HIGH AVAILABILITY
3 : SBC mode : high availability
4 : SBC role : primary
5 : Redundancy interface address : 169.254.1.1
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
SBC SETTINGS
8 : Unique target name of this SBC : FIPS_VM_Primary
9 : IP address on management interface : 10.196.33.48
10: Subnet mask : 255.255.224.0
11: Management interface VLAN : 0
12: Gateway IP address : 10.196.32.1
AUTOMATIC CONFIGURATION
13: Acquire config from the Primary (yes/no) : N/A
PEER CONFIGURATION
14: Peer IP address : 169.254.1.2
15: Peer target name : FIPS_VM_Secondary
OC SDM ACCESS SETTINGS
16: OC SDM access (yes/no) : no
17: SNMP community string : N/A
18: OC SDM IP address : N/A
Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
The following is an example setup console log for a FIPS Acme Packet platform secondary E-SBC.
FIPS_VM_Secondary# run setup
-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------
'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit
GUI ACCESS
If you want to allow GUI to access this SBC, enable this setting
Enable Web GUI (yes/no) [yes] : yes
WEB GUI MODE
Choose which mode to enable for the web GUI
Web GUI Mode
1 - basic
2 - expert
Enter choice [1 - basic] : 2
HIGH AVAILABILITY
This SBC may be a standalone or part of a highly available redundant pair.
SBC mode
1 - standalone
2 - high availability
Enter choice [1 - standalone] : 2
If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
SBC role
1 - primary
2 - secondary
Enter choice [1 - primary] : 2
Specify the IP address to set on interface connected for redundancy
Redundancy interface address [169.254.1.2] :
Redundancy subnet mask [255.255.255.252] :
SBC SETTINGS
Unique target name of this SBC [FIPS_VM_Secondary] :
IP address on management interface [10.196.33.40] :
Subnet mask [255.255.224.0] :
Management interface VLAN (0 - 4095) [0] :
Gateway IP address [10.196.32.1] :
AUTOMATIC CONFIGURATION
Acquire config from the Primary (yes/no) [yes] : yes
PEER CONFIGURATION
Peer IP address [169.254.1.1] :
-- Summary view ---------------------------------------------------------------
GUI ACCESS
1: Enable Web GUI (yes/no) : yes
WEB GUI MODE
2 : Web GUI Mode : expert
HIGH AVAILABILITY
3 : SBC mode : high availability
4 : SBC role : secondary
5 : Redundancy interface address : 169.254.1.2
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
SBC SETTINGS
8 : Unique target name of this SBC : FIPS_VM_Secondary
9 : IP address on management interface : 10.196.33.40
10: Subnet mask : 255.255.224.0
11: Management interface VLAN : 0
12: Gateway IP address : 10.196.32.1
AUTOMATIC CONFIGURATION
13: Acquire config from the Primary (yes/no) : yes
PEER CONFIGURATION
14: Peer IP address : 169.254.1.1
15: Peer target name : N/A
OC SDM ACCESS SETTINGS
16: OC SDM access (yes/no) : N/A
17: SNMP community string : N/A
18: OC SDM IP address : N/A
Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
For more information on configuring HA on the Acme Packet supported platforms, see the appropriate Acme Packet Hardware Installation and Maintenance Guide and the Session Border Controller ACLI Configuration Guide.
Configuring VM FIPS HA
In a Virtual Machine (VM) HA configuration, connect the network management interface (wancom0) and media interfaces over virtual network switches via the hypervisor. This is no different for a FIPS-compliant HA implementation. Use an RJ45 Ethernet cable to connect wancom1 of the Primary node to wancom1 of the Secondary node.
FIPS_VM_Primary# run setup
-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------
'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit
GUI ACCESS
If you want to allow GUI to access this SBC, enable this setting
Enable Web GUI (yes/no) [yes] : yes
WEB GUI MODE
Choose which mode to enable for the web GUI
Web GUI Mode
1 - basic
2 - expert
Enter choice [1 - basic] : 2
HIGH AVAILABILITY
This SBC may be a standalone or part of a highly available redundant pair.
SBC mode
1 - standalone
2 - high availability
Enter choice [1 - standalone] : 2
If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
SBC role
1 - primary
2 - secondary
Enter choice [1 - primary] : 1
Specify the IP address to set on interface connected for redundancy
Redundancy interface address [169.254.1.1] :
Redundancy subnet mask [255.255.255.252] :
SBC SETTINGS
Unique target name of this SBC [FIPS_VM_Primary] :
IP address on management interface [10.196.33.48] :
Subnet mask [255.255.224.0] :
Management interface VLAN (0 - 4095) [0] :
Gateway IP address [10.196.32.1] :
PEER CONFIGURATION
Peer IP address [169.254.1.2] :
Peer target name [sbc02] : FIPS_VM_Secondary
OC SDM ACCESS SETTINGS
Configure SBC to allow OC Session Delivery Manager to access it
OC SDM access (yes/no) [yes] : no
-- Summary view ---------------------------------------------------------------
GUI ACCESS
1: Enable Web GUI (yes/no) : yes
WEB GUI MODE
2 : Web GUI Mode : expert
HIGH AVAILABILITY
3 : SBC mode : high availability
4 : SBC role : primary
5 : Redundancy interface address : 169.254.1.1
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
SBC SETTINGS
8 : Unique target name of this SBC : FIPS_VM_Primary
9 : IP address on management interface : 10.196.33.48
10: Subnet mask : 255.255.224.0
11: Management interface VLAN : 0
12: Gateway IP address : 10.196.32.1
AUTOMATIC CONFIGURATION
13: Acquire config from the Primary (yes/no) : N/A
PEER CONFIGURATION
14: Peer IP address : 169.254.1.2
15: Peer target name : FIPS_VM_Secondary
OC SDM ACCESS SETTINGS
16: OC SDM access (yes/no) : no
17: SNMP community string : N/A
18: OC SDM IP address : N/A
Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
The following is an example setup console log for a FIPS VME secondary E-SBC.
FIPS_VM_Secondary# run setup
-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------
'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit
GUI ACCESS
If you want to allow GUI to access this SBC, enable this setting
Enable Web GUI (yes/no) [yes] : yes
WEB GUI MODE
Choose which mode to enable for the web GUI
Web GUI Mode
1 - basic
2 - expert
Enter choice [1 - basic] : 2
HIGH AVAILABILITY
This SBC may be a standalone or part of a highly available redundant pair.
SBC mode
1 - standalone
2 - high availability
Enter choice [1 - standalone] : 2
If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
SBC role
1 - primary
2 - secondary
Enter choice [1 - primary] : 2
Specify the IP address to set on interface connected for redundancy
Redundancy interface address [169.254.1.2] :
Redundancy subnet mask [255.255.255.252] :
SBC SETTINGS
Unique target name of this SBC [FIPS_VM_Secondary] :
IP address on management interface [10.196.33.40] :
Subnet mask [255.255.224.0] :
Management interface VLAN (0 - 4095) [0] :
Gateway IP address [10.196.32.1] :
AUTOMATIC CONFIGURATION
Acquire config from the Primary (yes/no) [yes] : yes
PEER CONFIGURATION
Peer IP address [169.254.1.1] :
-- Summary view ---------------------------------------------------------------
GUI ACCESS
1: Enable Web GUI (yes/no) : yes
WEB GUI MODE
2 : Web GUI Mode : expert
HIGH AVAILABILITY
3 : SBC mode : high availability
4 : SBC role : secondary
5 : Redundancy interface address : 169.254.1.2
6 : Redundancy subnet mask : 255.255.255.252
7 : Redundancy interface VLAN : N/A
SBC SETTINGS
8 : Unique target name of this SBC : FIPS_VM_Secondary
9 : IP address on management interface : 10.196.33.40
10: Subnet mask : 255.255.224.0
11: Management interface VLAN : 0
12: Gateway IP address : 10.196.32.1
AUTOMATIC CONFIGURATION
13: Acquire config from the Primary (yes/no) : yes
PEER CONFIGURATION
14: Peer IP address : 169.254.1.1
15: Peer target name : N/A
OC SDM ACCESS SETTINGS
16: OC SDM access (yes/no) : N/A
17: SNMP community string : N/A
18: OC SDM IP address : N/A
Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
The following are examples of FIPS VME primary and secondary deployments where adapter 1 is used for management, adapters 2 and 3 are used as the HA interconnects, 4 is unused, and adapters 5-8 are used as media interfaces.
