Configuring Acme Packet 1100 FIPS High Availability

FIPS dictates that critical traffic must be encrypted, which is not currently supported on this platform. The Acme Packet 1100 has only three physical interfaces, typically designated as management (SSH, SFTP, etc.), INT, and EXT (both used for media traffic).

In a standard Acme Packet 1100 HA implementation, you configure the "Control" (HA) port to coexist on the management physical port using a different VLAN tag (sub-port-id) and addressing scheme. This method, however, does not meet FIPS standards.

To configure FIPS-compliant HA on the Acme Packet 1100, you must configure the EXT physical port (slot 0 port 1) of both SBCs to be used as dedicated HA Control ports in a point-to-point connection with no hubs, switches, or routers between them. When used for HA, this interface is called wancom1. This leaves the second media port, INT, as the only usable media interface, on which you must configure multiple ports (using different VLAN tags) for all media functionality. See the following diagram:

The following is an example setup console log for a FIPS Acme Packet 1100 primary OCSBC.
FIPS_1100_Primary# run setup

-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------

'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit


HIGH AVAILABILITY

This SBC may be a standalone or part of a highly available redundant pair.
  SBC mode
     1 - standalone
     2 - high availability
    Enter choice [1 - standalone]                      : 2

If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
  SBC role
     1 - primary
     2 - secondary
    Enter choice [1 - primary]                         : 1

Specify the IP address to set on interface connected for redundancy
  Redundancy interface address [169.254.1.1]           :
  Redundancy subnet mask [255.255.255.252]             :

SBC SETTINGS
  Unique target name of this SBC [FIPS_1100_Primary]   :
  IP address on management interface [10.196.145.73]   :
  Subnet mask [255.255.224.0]                          :
  Gateway IP address [10.196.128.1]                    :

PEER CONFIGURATION
  Peer IP address [169.254.1.2]                        :
  Peer target name [sbc02]                             : FIPS_1100_Secondary

OC SDM ACCESS SETTINGS

Configure SBC to allow OC Session Delivery Manager to access it
  OC SDM access (yes/no) [yes]                         : no

-- Summary view ---------------------------------------------------------------

GUI ACCESS
  1: Enable Web GUI (yes/no)                          : N/A

WEB GUI MODE
 2 : Web GUI Mode                                     : N/A

HIGH AVAILABILITY
 3 : SBC mode                                         : high availability
 4 : SBC role                                         : primary
 5 : Redundancy interface address                     : 169.254.1.1
 6 : Redundancy subnet mask                           : 255.255.255.252
 7 : Redundancy interface VLAN                        : N/A

SBC SETTINGS
 8 : Unique target name of this SBC                   : FIPS_1100_Primary
 9 : IP address on management interface               : 10.196.145.73
 10: Subnet mask                                      : 255.255.224.0
 11: Management interface VLAN                        : N/A
 12: Gateway IP address                               : 10.196.128.1

AUTOMATIC CONFIGURATION
 13: Acquire config from the Primary (yes/no)         : N/A

PEER CONFIGURATION
 14: Peer IP address                                  : 169.254.1.2
 15: Peer target name                                 : FIPS_1100_Secondary

OC SDM ACCESS SETTINGS
 16: OC SDM access (yes/no)                           : no
 17: SNMP community string                            : N/A
 18: OC SDM IP address                                : N/A

Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:

The following is an example setup console log for a FIPS Acme Packet 1100 secondary OCSBC.
FIPS_1100_Secondary# run setup

-----------------------------------------------------------
Thank you for purchasing the Acme Packet SBC. The following
short wizard will guide you through the initial set-up.
A reboot will be required to save changes.
-----------------------------------------------------------

'-' = Previous; '?' = Help; '.' = Clear; 'q' = Exit


HIGH AVAILABILITY

This SBC may be a standalone or part of a highly available redundant pair.
  SBC mode
     1 - standalone
     2 - high availability
    Enter choice [1 - standalone]                      : 2

If this SBC is the primary, enter the configuration.
If it is secondary, you can import settings from the primary
  SBC role
     1 - primary
     2 - secondary
    Enter choice [1 - primary]                         : 2

Specify the IP address to set on interface connected for redundancy
  Redundancy interface address [169.254.1.2]           :
  Redundancy subnet mask [255.255.255.252]             :

SBC SETTINGS
  Unique target name of this SBC [FIPS_1100_Secondary] :
  IP address on management interface [10.196.145.74]   :
  Subnet mask [255.255.224.0]                          :
  Gateway IP address [10.196.128.1]                    :

PEER CONFIGURATION
  Peer IP address [169.254.1.1]                        :
  Peer target name [sbc01]                             : FIPS_1100_Primary

OC SDM ACCESS SETTINGS

Configure SBC to allow OC Session Delivery Manager to access it
  OC SDM access (yes/no) [yes]                         : no

-- Summary view ---------------------------------------------------------------

GUI ACCESS
  1: Enable Web GUI (yes/no)                          : N/A

WEB GUI MODE
 2 : Web GUI Mode                                     : N/A

HIGH AVAILABILITY
 3 : SBC mode                                         : high availability
 4 : SBC role                                         : secondary
 5 : Redundancy interface address                     : 169.254.1.2
 6 : Redundancy subnet mask                           : 255.255.255.252
 7 : Redundancy interface VLAN                        : N/A

SBC SETTINGS
 8 : Unique target name of this SBC                   : FIPS_1100_Secondary
 9 : IP address on management interface               : 10.196.145.74
 10: Subnet mask                                      : 255.255.224.0
 11: Management interface VLAN                        : N/A
 12: Gateway IP address                               : 10.196.128.1

AUTOMATIC CONFIGURATION
 13: Acquire config from the Primary (yes/no)         : N/A

PEER CONFIGURATION
 14: Peer IP address                                  : 169.254.1.1
 15: Peer target name                                 : FIPS_1100_Primary

OC SDM ACCESS SETTINGS
 16: OC SDM access (yes/no)                           : no
 17: SNMP community string                            : N/A
 18: OC SDM IP address                                : N/A

Enter 1 - 18 to modify, 'd' to display summary, 's' to save, 'q' to exit. [s]:
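
Before saving, the two summary views can be cross-checked for mismatches that would stop the HA pair from forming or would put the HA link on the management network. The script below is an added example, not Oracle tooling or part of the original page. It parses summary lines copied (abridged) from the two logs above; the function names and the management-subnet overlap check are assumptions of this example.

```python
import ipaddress
import re

# Summary-view lines copied from the two setup logs on this page (abridged).
PRIMARY = """
 5 : Redundancy interface address                     : 169.254.1.1
 6 : Redundancy subnet mask                           : 255.255.255.252
 8 : Unique target name of this SBC                   : FIPS_1100_Primary
 9 : IP address on management interface               : 10.196.145.73
 10: Subnet mask                                      : 255.255.224.0
 14: Peer IP address                                  : 169.254.1.2
 15: Peer target name                                 : FIPS_1100_Secondary
"""
SECONDARY = """
 5 : Redundancy interface address                     : 169.254.1.2
 6 : Redundancy subnet mask                           : 255.255.255.252
 8 : Unique target name of this SBC                   : FIPS_1100_Secondary
 9 : IP address on management interface               : 10.196.145.74
 10: Subnet mask                                      : 255.255.224.0
 14: Peer IP address                                  : 169.254.1.1
 15: Peer target name                                 : FIPS_1100_Primary
"""
HA = ("Redundancy interface address", "Redundancy subnet mask")
MGMT = ("IP address on management interface", "Subnet mask")
ROW = re.compile(r"^[ \t]*\d+[ \t]*:[ \t]*(.*?)[ \t]+:[ \t]*(.*\S)[ \t]*$", re.M)

def parse_summary(text):
    """Map each 'N : label : value' summary line to {label: value}."""
    return dict(ROW.findall(text))

def iface(s, keys):
    """Build an address/netmask interface object from two summary fields."""
    return ipaddress.ip_interface(f"{s[keys[0]]}/{s[keys[1]]}")

def check_pair(a, b):
    """Return inconsistencies between two parsed summaries (empty = consistent)."""
    problems = []
    ha_a, ha_b = iface(a, HA), iface(b, HA)
    if ha_a.network != ha_b.network or ha_a.ip == ha_b.ip:
        problems.append("redundancy addresses are not distinct hosts on one subnet")
    for me, peer in ((a, b), (b, a)):
        name = me["Unique target name of this SBC"]
        if me["Peer IP address"] != peer[HA[0]]:
            problems.append(f"{name}: peer IP is not the peer's redundancy address")
        if me["Peer target name"] != peer["Unique target name of this SBC"]:
            problems.append(f"{name}: peer target name does not match the peer")
        if iface(me, HA).network.overlaps(iface(me, MGMT).network):
            problems.append(f"{name}: HA link overlaps the management subnet")
    return problems
```

Calling `check_pair(parse_summary(PRIMARY), parse_summary(SECONDARY))` on the values from this page returns an empty list.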

For more information on configuring HA on the Acme Packet 1100, see the Acme Packet 1100 Hardware Installation and Maintenance Guide and Session Border Controller ACLI Configuration Guide.