10 High Availability
134 Nokia IP40 Security Platform User’s Guide v1.1

Internet connection if any one high priority BGP peer becomes reachable. It drops the dial-up connection when the device falls back to the primary Internet connection.

BGP—This mode is useful if the device has LAN/PPPOE/PPTP/DHCP as the primary Internet connection and has no dial-up connection. The primary device of the Dual Device HA scenario is configured to operate in this mode. In this scenario, you have another device acting as backup. The backup device can have either dial-up or LAN/PPPOE/PPTP/DHCP for its Internet connection. The primary and backup devices establish an internal BGP (IBGP) session with each other. The fail-over automatically takes place in the primary device based on the availability of CO routes (external or internal BGP (EBGP or IBGP)).

BGP-external—This mode is useful if the device has LAN/PPPOE/PPTP/DHCP as the primary Internet connection and DMZ as the secondary Internet connection. In this mode, DMZ is assumed to be secure and the traffic passing through DMZ will not be encrypted. So, DMZ can be connected to an external VPN device or a router connected to a frame relay network. In this mode, IP40 uses DMZ as backup to the primary Internet connection. The traffic is tunneled as long as the BGP peer is reachable over VPN through the primary Internet connection. As soon as the BGP peer becomes unreachable, the traffic goes in plain text through the DMZ interface.
Similar to the other modes, the device continues to monitor the status of high priority BGP peers and falls back to the primary Internet connection if at least one high priority BGP peer becomes reachable.

Note
In this mode, the encrypt flag must be disabled for DMZ.

Configuring Criteria for Path Selection

A VPN tunnel established with the given VPN peer is assumed to be disconnected or unavailable if the corresponding BGP peer is unreachable.

HA enforces the primary Internet connection as the path for each high priority BGP peer and its associated VPN peer by inserting static routes towards the primary Internet connection. This ensures continuous status monitoring of high priority BGP peers.

Use the following command to configure a remote-peer:

    add bgp remote-peer vpn-peer ip_address>priority | high>[gateway password ]

Use the following command to delete a remote peer:

    delete bgp remote-peer
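
The following Python model is an added example, not part of this guide or of the IP40 software. It applies the BGP-external path selection rule described above to a timeline of peer reachability changes and returns the intervals during which traffic left in plain text through the DMZ. The function name, the event tuple format and the sample addresses are hypothetical. It assumes that fail-over occurs when no high priority BGP peer is reachable and that all peers are reachable at the start.

```python
# Added example: model of BGP-external path selection.
# The event format and all names are hypothetical, not IP40 output.

def plaintext_windows(high_priority_peers, events, end_time):
    """Return [(start, end)] intervals spent on the DMZ backup path,
    which carries traffic unencrypted in BGP-external mode.

    events: iterable of (timestamp, peer_ip, reachable) tuples.
    Assumption: fail-over happens when no high priority peer is reachable.
    Fall-back happens when at least one is reachable again (per the guide).
    Assumption: every peer is reachable before the first event.
    """
    reachable = {peer: True for peer in high_priority_peers}
    on_backup_since = None            # None means primary (tunneled) path
    windows = []
    for ts, peer, is_up in sorted(events):
        if peer not in reachable:     # only high priority peers drive selection
            continue
        reachable[peer] = is_up
        any_up = any(reachable.values())
        if not any_up and on_backup_since is None:
            on_backup_since = ts                    # fail over: plain text begins
        elif any_up and on_backup_since is not None:
            windows.append((on_backup_since, ts))   # fall back: tunneled again
            on_backup_since = None
    if on_backup_since is not None:
        windows.append((on_backup_since, end_time))  # still on backup at end
    return windows


# Constructed sample timeline (seconds; documentation-range addresses).
PEERS = {"192.0.2.1", "192.0.2.2"}
EVENTS = [
    (10, "192.0.2.1", False),    # one peer down: still tunneled
    (25, "192.0.2.2", False),    # all down: fail over to DMZ
    (40, "198.51.100.9", True),  # not a high priority peer: ignored
    (70, "192.0.2.1", True),     # one peer back: fall back to primary
    (90, "192.0.2.1", False),    # all down again
]

if __name__ == "__main__":
    for start, end in plaintext_windows(PEERS, EVENTS, end_time=120):
        print(f"plain text via DMZ from t={start}s to t={end}s ({end - start}s)")
```

Run against real monitoring data, the returned intervals show how long traffic depended on the DMZ path being secure, as this mode assumes.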