ZyXEL Communications ZYWALL 70 - V4.04 User's Guide Page 104

on forceUpdate, then when the ZyWALL receives a gratuitous ARP it forces an update of the MAC mapping in the ARP table; if forceUpdate is turned off, then when the ZyWALL receives a gratuitous ARP it updates the MAC mapping in the ARP table only when there is no such MAC mapping in the ARP table already.
As an example of its purpose, suppose there is a backup gateway on the network as shown in the picture. One day the gateway shuts down and the backup gateway comes up. The backup gateway is configured with a static IP equal to the original gateway's IP, so it broadcasts a gratuitous ARP asking who is using this IP. If ackGratuitous is on, when the ZyWALL receives the gratuitous ARP from the backup gateway it also sends an ARP request asking who is using this IP. Once the ZyWALL gets a reply from the backup gateway, it updates its ARP table, so the ZyWALL keeps a correct gateway ARP entry for forwarding packets. If ackGratuitous is off, the ZyWALL will not keep a correct gateway ARP entry for forwarding packets.
One thing needs to be noticed: updating the ARP entry may still be more or less dangerous if there is a spoofing attack. So we suggest that if you have no occasion to meet this problem, you turn off ackGratuitous. forceUpdate on is more dangerous than forceUpdate off, because it updates the ARP table even when the ARP entry already exists.
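The following Python model is an added example, not code from the guide or from ZyXEL; it reproduces the ARP-table behaviour of the two options as the text describes it and runs the backup-gateway scenario followed by a spoofing attempt, so the trade-off between the settings can be seen directly. The IP and MAC addresses are constructed, and the model assumes that the ARP request the ZyWALL sends back is answered by the same host that sent the gratuitous ARP; ARP entry ageing is not modelled because the text does not describe it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed addresses for the scenario; they are not from the guide.
GATEWAY_IP = "192.168.1.254"
GATEWAY_MAC = "00:a0:c5:00:00:01"
BACKUP_GW_MAC = "00:a0:c5:00:00:02"
ROGUE_MAC = "00:de:ad:be:ef:00"


@dataclass
class ArpCache:
    """Model of the ZyWALL ARP table behaviour described in the text.

    ack_gratuitous: whether a gratuitous ARP is acted on at all
    force_update:   whether an existing IP->MAC entry may be overwritten
    """
    ack_gratuitous: bool
    force_update: bool
    table: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def on_gratuitous_arp(self, ip: str, mac: str) -> bool:
        """Process a gratuitous ARP announcing that `mac` owns `ip`.

        Returns True when the table changed. Assumption: the ARP request the
        ZyWALL sends in response is answered by the announcing host, so the
        reply carries the same MAC as the gratuitous ARP did.
        """
        if not self.ack_gratuitous:
            self.log.append(f"ignore gratuitous ARP {ip} is-at {mac} (ackGratuitous off)")
            return False
        current: Optional[str] = self.table.get(ip)
        if current is None:
            # No mapping yet: both forceUpdate settings learn it.
            self.table[ip] = mac
            self.log.append(f"learn {ip} is-at {mac}")
            return True
        if current == mac:
            self.log.append(f"refresh {ip} is-at {mac}")
            return False
        if self.force_update:
            self.table[ip] = mac
            # A changed MAC for an existing IP is the event a defender wants logged:
            # a legitimate failover and an ARP spoof look identical at this point.
            self.log.append(f"ALERT mapping changed {ip}: {current} -> {mac} (forceUpdate on)")
            return True
        self.log.append(f"keep {ip} is-at {current}, ignore {mac} (forceUpdate off)")
        return False

    def mapping_changes(self) -> List[str]:
        """Log lines where an existing mapping was overwritten."""
        return [line for line in self.log if line.startswith("ALERT")]


def gateway_failover_then_spoof(ack_gratuitous: bool, force_update: bool) -> List[str]:
    """Run the guide's failover scenario, then a spoofing attempt, and return
    the MAC the ZyWALL holds for the gateway IP after each event."""
    cache = ArpCache(ack_gratuitous, force_update)
    cache.table[GATEWAY_IP] = GATEWAY_MAC  # learned while the primary gateway was up
    seen: List[str] = []
    # 1. the primary gateway dies; the backup takes over its IP and announces itself
    cache.on_gratuitous_arp(GATEWAY_IP, BACKUP_GW_MAC)
    seen.append(cache.table[GATEWAY_IP])
    # 2. later, an unauthorised host announces the same IP (the spoofing case)
    cache.on_gratuitous_arp(GATEWAY_IP, ROGUE_MAC)
    seen.append(cache.table[GATEWAY_IP])
    return seen


if __name__ == "__main__":
    for ack, force in [(True, True), (True, False), (False, False)]:
        result = gateway_failover_then_spoof(ack, force)
        print(f"ackGratuitous={ack} forceUpdate={force}: gateway MAC after failover/spoof = {result}")
```

Running it shows the three outcomes the text describes: with ackGratuitous on and forceUpdate on, the gateway entry follows every announcement, so failover works but so does the spoof; with forceUpdate off, an existing entry is never overwritten, so the spoof fails but the entry stays stale after failover; with ackGratuitous off, gratuitous ARP has no effect at all. The `ALERT` log lines are the ones worth forwarding to monitoring, since an existing mapping changing MAC is the observable that distinguishes neither case on its own.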
Appendix 13 The mechanism when the ZyWALL receives an IKE packet with IC
[RFC 2407] The INITIAL-CONTACT (IC) status message may be used when one side wishes to inform the other that this is the first SA being established with the remote system. The receiver of this Notification Message might then elect to delete any existing SA's it has for the sending system under the assumption that the sending system has rebooted and no longer has access to the original SA's and their associated keying material.
The ZyWALL has two ways to delete SAs when it receives IC, selected by the global option 'ipsec initContactMode gateway/tunnel':
(1) ipsec initContactMode gateway
When the ZyWALL receives an IKE packet with IC, it deletes all tunnels with the same secure gateway IP. This is the default option because the ZyWALL is a site-to-site VPN device. Taking picture 1 as an example, three VPN tunnels are created between ZWA and ZWB. If ZWA reboots for some reason, then after rebooting ZWA sends an IKE packet with IC to ZWB; ZWB then deletes all existing tunnels whose security gateway IP is the same as that IKE packet's source and builds a new VPN tunnel for the sender.
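The following Python model is an added example, not code from the guide or from ZyXEL; it implements the gateway-mode INITIAL-CONTACT handling exactly as described for option (1) and runs the picture 1 scenario from ZWB's point of view, with a fourth tunnel to an unrelated gateway (ZWC, an assumption) added to show that only tunnels sharing the sender's gateway IP are removed. The gateway addresses, tunnel names and SPI values are constructed; the tunnel mode of the option is not modelled because its behaviour is not described here.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str        # VPN tunnel / policy name
    gateway_ip: str  # IP of the remote secure gateway
    spi: int         # constructed SPI so the rebuilt tunnel differs from the old one


# Constructed gateway addresses; picture 1 gives none.
ZWA_IP = "10.0.0.1"
ZWC_IP = "10.0.0.3"  # a third gateway, assumed for contrast


def handle_initial_contact(tunnels: List[Tunnel], peer_ip: str,
                           new_tunnel: Tunnel) -> Tuple[List[Tunnel], List[Tunnel]]:
    """'ipsec initContactMode gateway' as the text describes it: delete every
    existing tunnel whose secure gateway IP equals the IC sender's IP, then
    build the tunnel the sender is requesting. Returns (remaining, deleted)."""
    deleted = [t for t in tunnels if t.gateway_ip == peer_ip]
    kept = [t for t in tunnels if t.gateway_ip != peer_ip]
    return kept + [new_tunnel], deleted


def ic_log_line(peer_ip: str, deleted: List[Tunnel]) -> str:
    """One log line per IC event; tearing down several tunnels at once is an
    availability event worth recording even when the peer really did reboot."""
    names = ", ".join(t.name for t in deleted)
    return f"IKE INITIAL-CONTACT from {peer_ip}: deleted {len(deleted)} tunnel(s) [{names}]"


def zwb_after_zwa_reboot() -> Tuple[List[str], List[str], str]:
    """Picture 1 scenario: ZWB holds three tunnels to ZWA (plus one to ZWC),
    ZWA reboots and sends IKE with IC, ZWB rebuilds one tunnel for ZWA."""
    tunnels = [
        Tunnel("ZWA-1", ZWA_IP, 0x1001),
        Tunnel("ZWA-2", ZWA_IP, 0x1002),
        Tunnel("ZWA-3", ZWA_IP, 0x1003),
        Tunnel("ZWC-1", ZWC_IP, 0x2001),
    ]
    rebuilt = Tunnel("ZWA-1", ZWA_IP, 0x1004)  # new SA, fresh keying material
    remaining, deleted = handle_initial_contact(tunnels, ZWA_IP, rebuilt)
    return ([t.name for t in remaining],
            [t.name for t in deleted],
            ic_log_line(ZWA_IP, deleted))


if __name__ == "__main__":
    remaining, deleted, line = zwb_after_zwa_reboot()
    print(line)
    print("remaining tunnels on ZWB:", remaining)
```

The result is what the text states for gateway mode: all three ZWA tunnels disappear on the first IC, the ZWC tunnel is untouched, and a single new ZWA tunnel exists afterwards, so the other two ZWA tunnels have to be renegotiated before traffic flows over them again.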