[Figure: VRRP Master and VRRP Backup routers on the TRUST side, with Static Routes pointing at the Virtual Address of an NSRP firewall cluster (two 5200 chassis with 5000-8G modules, joined by an HA Link; one node shown as Backup)]
• No asymmetric state
• Supports all firewall features/functions
Cons:
• May require redundant interfaces
• No dynamic routing through firewalls
• Requires additional devices (L2 switches)
• All virtual MAC addresses as next-hop between routers and firewall cluster
[Figure: NSRP Master and NSRP Backup 5200 firewalls (5000-8G modules) joined by HA Link(s), sharing a Virtual Address that the Static Routes point at]
synchronized?
• Screens (pre-flow processing counters)
• Application Level Gateways
[Figure: TRUST side of the 5200 cluster]
• On failover:
1. Interface up
2. Reestablish OSPF adjacency (must wait the OSPF Dead Interval)
3. Database exchange
4. SPF calculation
5. Populate routes
• THEN, can begin forwarding traffic
Primary limitations:
• VERY susceptible to asymmetric state issues
• Requires more complex config (mixed mode) for NAT support
• Policy-based VPNs also require
• In both cases, traffic must return to a single address which may be resident on both devices
Cannot use Data-Path Forwarding as a band-aid
• Both nodes are Master: only a backup node can perform data-path forwarding
Must use “Mixed-mode” NSRP to address these issues
• Unset VSD id 0
• Virtual interfaces in VSD id 1 (loopback for VPN, NAT Pool)
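The asymmetric-state argument above, as an added model that is not from the original slides and not ScreenOS code: each node keeps only its own session table (no session synchronization is assumed), a VSD-less node that lacks a session for a reply can only drop it, and in mixed mode the VSD 1 backup hands the reply to the VSD 1 master over the HA link. Node names, roles and the IP addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model: per-node session tables, no session sync. In VSD-less
# mode both nodes are Master, so neither may data-path forward; in mixed
# mode only the VSD 1 backup may forward a sessionless packet to the master.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool          # True only for the first packet of a flow


def flow_key(p: Packet) -> frozenset:
    # Direction-independent key so the reply maps to the same session.
    return frozenset((p.src, p.dst))


@dataclass
class Node:
    name: str
    vsd1_role: str | None = None   # None = VSD-less, else "master"/"backup"
    peer: Node | None = None
    sessions: set = field(default_factory=set)

    def handle(self, p: Packet, via_ha: bool = False) -> str:
        key = flow_key(p)
        if key in self.sessions:
            return f"{self.name}: pass (session found)"
        if p.syn:                  # policy lookup would happen here
            self.sessions.add(key)
            return f"{self.name}: pass (new session)"
        # No session: only a VSD backup may data-path forward to its master.
        if self.vsd1_role == "backup" and self.peer is not None and not via_ha:
            return self.peer.handle(p, via_ha=True) + " [via HA link]"
        return f"{self.name}: DROP (no session, asymmetric state)"


def asymmetric_flow(mixed_mode: bool) -> str:
    """Outbound SYN enters node A; the reply returns through node B."""
    a = Node("A", "master" if mixed_mode else None)
    b = Node("B", "backup" if mixed_mode else None, peer=a)
    a.handle(Packet("10.1.1.10", "203.0.113.5", syn=True))
    return b.handle(Packet("203.0.113.5", "10.1.1.10", syn=False))


if __name__ == "__main__":
    print("VSD-less:  ", asymmetric_flow(mixed_mode=False))
    print("Mixed-mode:", asymmetric_flow(mixed_mode=True))
```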
• No split link
• Can use aggregated interfaces between devices
• Use /30 p2p links to skip dead timer / DR election on link-up
• Downstream (Trust)
• Firewall cluster is first-hop router for internal network
• Virtual IP/MAC in Trust VSI
• VSI exported to OSPF
[Figure: OSPF (VSD-less) on the upstream side; two 5200 Firewalls joined by an HA Link]
Pro:
• No Asymmetric State
Cons:
• Requires both VSD-less (untrust) and VSD/VSI (trust)
Pros:
• Allows for DMZ network connected to OSPF meshed network
[Figure: TRUST (L2) side; two 5200 firewalls (5000-MGT and 5000-8G modules) joined by an HA Link]
Cons:
• Must control asymmetric state
[Figure: DMZ VSI on a VSD 1 Master and VSD 1 Backup pair (lo0 on each, joined by an HA Link); the DMZ VSI is OSPF Passive; OSPF Area X spans TRUST and DMZ; OSPF Trust-Untrust Transit Path runs through the cluster]
• Unidirectional feedback
• Add VSI as OSPF passive interface
• Recommend adding NSRP zone tracking or IP ping tracking to control NSRP failover