Profile Security Configuration And Deployment Considerations; Virtual Router Redundancy Protocol (Vrrp) Configuration - Motorola WiNG 5 System Reference Manual

5.3.6.6 Profile Security Configuration and Deployment Considerations

Before defining a profile's security configuration, refer to the following deployment guidelines to ensure the profile
configuration is optimally effective:
• Periodically audit the contents of the Certificate Revocation List to ensure revoked certificates
remain quarantined or validated certificates are reinstated.
• NAT alone does not provide a firewall. If deploying NAT on a profile, add a firewall on the profile to block
undesirable traffic from being routed. For outbound Internet access, a stateful firewall can be configured to deny
all traffic. If port address translation is required, a stateful firewall should be configured to only permit the TCP or
UDP ports being translated.

5.3.7 Virtual Router Redundancy Protocol (VRRP) Configuration

A default gateway is a critical resource for connectivity. However, it is also a single point of failure. Thus, the
access point requires redundancy for the default gateway. If WAN backhaul is available on an AP-7131, and a router failure
occurs, then the access point should act as a router and forward traffic on to its WAN link.
Define an external Virtual Router Redundancy Protocol (VRRP) configuration when router redundancy is required in a
wireless network requiring high availability.
Central to the configuration of VRRP is the election of a VRRP master. A VRRP master (once elected) performs the following
functions:
• Responds to ARP requests
• Forwards packets with a destination link layer MAC address equal to the virtual router MAC address
• Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner
• Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept
mode is true.
Those nodes that lose the election process enter a backup state. In the backup state they monitor the master for any
failures, and in case of a failure one of the backups, in turn, becomes the master and assumes the management of the
designated virtual IPs. A backup does not respond to an ARP request, and discards packets destined for a virtual IP
resource.
NOTE: VRRP support is only available on AP-7131 model access points, and is not
available on AP-7161, AP-6532, AP-6521 and AP-6511 models.
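
The master and backup behaviour described above can be modelled as a small decision function. This is an added example, not code from the WiNG manual or firmware: the names `Node`, `elect`, `answers_arp`, `handle` and `virtual_mac` are hypothetical, and the election rule (highest priority, tie broken by higher primary IP) and the virtual MAC format are taken from RFC 5798 rather than from this page.

```python
import ipaddress
from dataclasses import dataclass

def virtual_mac(vrid: int) -> str:
    """IPv4 virtual router MAC from RFC 5798: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"

@dataclass
class Node:
    name: str
    primary_ip: str            # the node's own interface address
    priority: int              # 1..254; RFC 5798 reserves 255 for the IP address owner
    is_owner: bool = False     # node owns the virtual router's IP address
    accept_mode: bool = False
    alive: bool = True
    is_master: bool = False

def elect(nodes: list[Node]) -> Node:
    """Highest priority wins; a tie goes to the higher primary IP (RFC 5798)."""
    live = [n for n in nodes if n.alive]
    if not live:
        raise RuntimeError("no live VRRP node")
    master = max(live, key=lambda n: (n.priority, ipaddress.ip_address(n.primary_ip)))
    for n in nodes:
        n.is_master = n is master
    return master

def answers_arp(node: Node, target_ip: str, virtual_ip: str) -> bool:
    # Only the master answers ARP for the virtual IP; backups stay silent.
    return node.is_master and target_ip == virtual_ip

def handle(node: Node, vrid: int, virtual_ip: str, dst_mac: str, dst_ip: str) -> str:
    """Classify a received packet as 'accept', 'forward', 'reject' or 'discard'."""
    if dst_ip == virtual_ip:
        if not node.is_master:
            return "discard"   # backup drops traffic destined for the virtual IP
        return "accept" if node.is_owner or node.accept_mode else "reject"
    if dst_mac.lower() == virtual_mac(vrid):
        # Master routes frames sent to the virtual MAC; a backup must not (RFC 5798).
        return "forward" if node.is_master else "discard"
    return "discard"           # not addressed to the virtual router

if __name__ == "__main__":
    # Constructed sample: two APs sharing virtual IP 192.0.2.1 as VRID 10.
    aps = [Node("ap-a", "192.0.2.2", 200), Node("ap-b", "192.0.2.3", 100)]
    print(elect(aps).name, handle(aps[0], 10, "192.0.2.1", virtual_mac(10), "198.51.100.7"))
```

Marking the current master as not alive and calling `elect` again shows the failover path: the surviving backup becomes master and starts answering ARP for the virtual IP.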
To define the configuration of a VRRP group:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on the left-hand side of the UI.
4. Select VRRP.