ZyXEL Communications ZYWALL 5 - V4.04 User Manual Page 177
ZyXEL Confidential
404XD3C0.docx
177/181
ARP, it will update the MAC mapping in the ARP table only when there is no such MAC mapping in the ARP table already.
As an example of its purpose, suppose there is a backup gateway on the network as in the picture. One day the gateway shuts down and the backup gateway comes up. The backup gateway is configured with the original gateway's IP as a static IP, so it broadcasts a gratuitous ARP asking who is using this IP. If ackGratuitous is on, when the ZyWALL receives the gratuitous ARP from the backup gateway it also sends an ARP request of its own asking who is using this IP. Once the ZyWALL gets a reply from the backup gateway, it updates its ARP table, so the ZyWALL keeps a correct gateway ARP entry for forwarding packets. If ackGratuitous is off, the ZyWALL will not keep a correct gateway ARP entry for forwarding packets.
One thing needs to be noticed: updating the ARP entry still carries some danger if there is a spoofing attack. So we suggest that if you do not expect to run into this problem, you turn ackGratuitous off. forceUpdate on is more dangerous than forceUpdate off, because it updates the ARP table even when an ARP entry already exists.
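As an added example (not ZyXEL's code), a small Python model of the ackGratuitous and forceUpdate behaviour described above, run through the failover scenario and through an unverified gratuitous ARP that nobody answers. The sample addresses and the precedence between the two options (the ZyWALL's own ARP request decides when ackGratuitous is on, forceUpdate decides otherwise) are assumptions of this example.

```python
from typing import Callable, Dict, Optional

class ZyWallArpPolicy:
    """Model of the ackGratuitous / forceUpdate handling (example code, not
    ZyXEL's; the precedence between the two options is an assumption)."""

    def __init__(self, ack_gratuitous: bool, force_update: bool,
                 table: Optional[Dict[str, str]] = None):
        self.ack_gratuitous = ack_gratuitous
        self.force_update = force_update
        self.table: Dict[str, str] = dict(table or {})   # ip -> mac

    def on_gratuitous_arp(self, ip: str, claimed_mac: str,
                          arp_request: Callable[[str], Optional[str]]) -> str:
        """Handle a gratuitous ARP for `ip` claiming `claimed_mac`; `arp_request`
        stands in for the ZyWALL's own request and returns the answering MAC."""
        if self.ack_gratuitous:
            answered = arp_request(ip)
            if answered is None:
                return "no reply to own ARP request; table unchanged"
            self.table[ip] = answered            # verified by a real reply
            return f"verified update: {ip} -> {answered}"
        if ip not in self.table:
            self.table[ip] = claimed_mac         # no entry yet: learn it
            return f"new entry: {ip} -> {claimed_mac}"
        if self.force_update:
            self.table[ip] = claimed_mac         # unverified overwrite (risky)
            return f"forceUpdate overwrote: {ip} -> {claimed_mac}"
        return "entry exists and forceUpdate is off; table unchanged"

# Constructed failover scenario from the text (sample addresses): the original
# gateway dies and a backup gateway takes over its IP with a different MAC.
GATEWAY_IP = "192.168.1.254"
OLD_GW_MAC = "00:11:22:33:44:55"
BACKUP_GW_MAC = "00:aa:bb:cc:dd:ee"

def backup_gateway_answers(ip: str) -> Optional[str]:
    """Only the backup gateway is on the wire now, so it answers the request."""
    return BACKUP_GW_MAC if ip == GATEWAY_IP else None

def gateway_mac_after_failover(ack_gratuitous: bool, force_update: bool) -> str:
    """MAC the ZyWALL holds for the gateway after the backup's gratuitous ARP."""
    zw = ZyWallArpPolicy(ack_gratuitous, force_update, {GATEWAY_IP: OLD_GW_MAC})
    zw.on_gratuitous_arp(GATEWAY_IP, BACKUP_GW_MAC, backup_gateway_answers)
    return zw.table[GATEWAY_IP]

def gateway_mac_after_unanswered_claim(ack_gratuitous: bool, force_update: bool) -> str:
    """Same start, but the gratuitous ARP's MAC (constructed) answers no request."""
    zw = ZyWallArpPolicy(ack_gratuitous, force_update, {GATEWAY_IP: OLD_GW_MAC})
    zw.on_gratuitous_arp(GATEWAY_IP, "02:00:00:00:00:01", lambda ip: None)
    return zw.table[GATEWAY_IP]
```

The second scenario shows the warning in the text: with forceUpdate on and ackGratuitous off, an existing gateway entry is replaced by a claim that nothing on the wire confirms.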
Appendix 12 The mechanism when the ZyWALL receives an IKE packet with IC
[RFC 2407] The INITIAL-CONTACT (IC) status message may be used when one side wishes to inform the other that this is the first SA being established with the remote system. The receiver of this Notification Message might then elect to delete any existing SA's it has for the sending system under the assumption that the sending system has rebooted and no longer has access to the original SA's and their associated keying material.
The ZyWALL has two ways to delete SAs when it receives IC, switched by the global option 'ipsec initContactMode gateway/tunnel':
(1) ipsec initContactMode gateway
When the ZyWALL receives an IKE packet with IC, it deletes all tunnels with the same secure gateway IP. This is the default option because the ZyWALL is a site-to-site VPN device. Take picture 1 as an example: three VPN tunnels are created between ZWA and ZWB. ZWA reboots for some reason, and after rebooting ZWA sends an IKE packet with IC to ZWB. ZWB then deletes all existing tunnels whose security gateway IP is the same as this IKE packet's and builds a new VPN tunnel for the sender.