Lesson 16
Hardware failover
– Connections are dropped.
– Client applications must reconnect.
– Provides hardware redundancy.
– Provided by serial or LAN-based failover link.
Stateful failover
– TCP connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
– Provided by stateful link.
Figure: a failover pair with contexts 1 and 2 on the primary and secondary security appliances; left panel labelled Primary: Standby / Secondary: Active, right panel labelled Primary: Failed/Standby / Secondary: Active/Active.
The primary and secondary security appliances must be identical in the following requirements:
Same model number and hardware configurations
Same software versions* (prior to version 7.0)
Same operating mode
Same features (DES or 3DES)
Same amount of Flash memory and RAM
Proper licensing*
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-6
Failover Interface Test
Figure: LAN-based, cable-based and stateful failover links. The primary security appliance uses 192.168.1.2 (outside) and 10.0.1.1 (inside), the secondary uses 192.168.1.7 and 10.0.1.7 on networks 192.168.1.0 and 10.0.1.0; a serial cable joins the two units. Panels are labelled Secondary: Standby and Secondary: Active.
Enable failover on the primary security appliance.
Create active and standby IP addresses on the primary security appliance.
(Optionally) Set the failover poll time.
fw1(config)# failover
fw1(config)# interface ethernet0
fw1(config-if)# ip address 192.168.1.2 255.255.255.0 standby 192.168.1.7
fw1(config)# interface ethernet1
fw1(config-if)# ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
fw1(config)# failover polltime unit msec 500
Figure: replication to the secondary security appliance after power on; networks 192.168.1.0 and 10.0.1.0, secondary (standby) addresses .7 on each.
firewall(config)# failover active
Forces control of the connection back to the unit you are accessing.
LAN-based failover:
– Provides long-distance failover functionality.
– Uses an Ethernet cable rather than the serial failover cable.
– Requires a dedicated LAN interface, but the same interface can be used for stateful failover.
– Enables you to use a dedicated switch, hub, or VLAN, or a crossover cable to connect the two security appliances.
– Uses message encryption and authentication to secure failover transmissions.
Figure: LAN-based and stateful failover between the primary security appliance (asa1) and the secondary (asa2). Data interfaces g0/0 (192.168.1.0) and g0/1 (10.0.1.0); the dedicated failover LAN 172.17.1.0 on g0/2, primary .1 and secondary .7; the secondary holds the standby addresses .7 (and .2 once active) on the data networks.
ciscoasa(config)# failover link if_name [phy_if]
Specifies the name of the dedicated interface used for stateful failover.
Figure: failover pair asa1 (Primary Security Appliance) and asa2 (Secondary Security Appliance); failover LAN 172.17.1.0 (.1 on the primary, .7 on the secondary) and data networks 192.168.1.0 and 10.0.1.0 with addresses .2 and .7.
ciscoasa(config)# failover mac address mif_name act_mac stn_mac
Enables you to configure a virtual MAC address for a security appliance failover pair.
Figure: Unit A and Unit B, each Active/Standby, with contexts CTX1 and CTX2.
Active/active failover requires the use of contexts. For example, you could have two security appliances with two contexts each.
Under normal conditions, each security appliance has one active and one standby context.
The active context processes traffic.
The standby context is located in the peer security appliance.
Figure: Unit A Failed/Standby, Unit B Active/Active.
Under failed conditions, Unit A determines that the outside interface on CTX1 has failed.
CTX1 is placed in a failed state.
Unit A has one failed and one standby context.
CTX1 on Unit B becomes active.
Unit B has two active contexts.
Both active contexts pass traffic.
Failover can be context-based or unit-based.
Configure the Failover Link
asa1(config)# interface GigabitEthernet0/2
asa1(config-if)# no shut
asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa1(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa1(config)# failover link LANFAIL GigabitEthernet0/2
asa1(config)# failover key 1234567
Configures the failover link on the primary security appliance
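The two configurations above (the cable-based fw1 pair and the LAN-based asa1 link) follow a fixed pattern, and the mistakes that break a pair are predictable: a standby address outside the active address's subnet, or a data interface reused as the dedicated failover link. As an added example (not Cisco's code; the dataclass names and the ordering of the emitted lines are this example's own assumptions), the following Python script builds the CLI lines for the primary unit from a short description and rejects those two errors before anything is typed into the appliance:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Iface:
    name: str      # physical data interface, e.g. "ethernet0"
    active: str    # address used by whichever unit is active
    standby: str   # address used by whichever unit is standby
    mask: str

@dataclass
class LanLink:
    if_name: str   # logical failover interface name, e.g. "LANFAIL"
    phy_if: str    # dedicated physical interface, e.g. "GigabitEthernet0/2"
    active: str
    standby: str
    mask: str
    key: str       # shared key that authenticates/encrypts failover messages

def check_pair(active, standby, mask):
    """Active and standby addresses must be distinct hosts on one subnet."""
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    if active == standby:
        raise ValueError(f"active and standby address are both {active}")
    if ipaddress.ip_address(standby) not in net:
        raise ValueError(f"standby {standby} is not in {net}")

def failover_config(host, ifaces, lan=None, polltime_msec=None):
    """Return the CLI lines for the primary unit; raise on inconsistent input."""
    lines = []
    if lan is not None:
        # The failover link must be a dedicated interface (it may still carry state).
        if any(i.name == lan.phy_if for i in ifaces):
            raise ValueError(f"{lan.phy_if} must be dedicated to failover")
        check_pair(lan.active, lan.standby, lan.mask)
        lines += [f"{host}(config)# interface {lan.phy_if}",
                  f"{host}(config-if)# no shut",
                  f"{host}(config)# failover lan interface {lan.if_name} {lan.phy_if}",
                  f"{host}(config)# failover interface ip {lan.if_name} "
                  f"{lan.active} {lan.mask} standby {lan.standby}",
                  f"{host}(config)# failover link {lan.if_name} {lan.phy_if}",
                  f"{host}(config)# failover key {lan.key}"]
    lines.append(f"{host}(config)# failover")
    for i in ifaces:
        check_pair(i.active, i.standby, i.mask)
        lines += [f"{host}(config)# interface {i.name}",
                  f"{host}(config-if)# ip address {i.active} {i.mask} standby {i.standby}"]
    if polltime_msec is not None:
        lines.append(f"{host}(config)# failover polltime unit msec {polltime_msec}")
    return lines
```

Feeding it the page's own addresses reproduces the fw1 and asa1 command sequences shown above; the secondary unit needs only the failover link lines, since the rest is replicated from the primary.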
Active/active failover adds support for a failover group. A group is made up of one or more contexts.
Failover is performed at a unit or group level.
Each failover group contains separate state machines to keep track of the group failover state.
asa1(config)# failover group 1
asa1(config-fover-group)# primary
asa1(config-fover-group)# exit
asa1(config)# failover group 2
asa1(config-fover-group)# secondary
Activate
ciscoasa(config)# failover active [group group_id]
Activates a group or unit.
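The active/active behaviour described earlier (CTX1/CTX2, one failed interface leaving Unit A Failed/Standby and Unit B Active/Active), the per-group state machines, and the failover active [group group_id] command can be tied together in a small model. This is an added example, not Cisco's code, and it deliberately simplifies the real state machine: it assumes two units A and B, group 1 preferred on the primary and group 2 on the secondary as configured above, and no preempt, so a recovered unit stays standby until activated by hand:

```python
class FailoverGroup:
    """Per-group failover state on each unit: ACTIVE, STANDBY or FAILED."""

    def __init__(self, gid, preferred, units=("A", "B")):
        self.gid, self.units = gid, units
        # At startup the group's preferred unit (primary/secondary) is active.
        self.state = {u: "ACTIVE" if u == preferred else "STANDBY" for u in units}

    def peer(self, unit):
        return self.units[1] if unit == self.units[0] else self.units[0]

    def interface_failed(self, unit):
        """A monitored interface belonging to this group went down on `unit`."""
        if self.state[unit] == "ACTIVE" and self.state[self.peer(unit)] == "STANDBY":
            self.state[self.peer(unit)] = "ACTIVE"   # peer takes over this group only
        self.state[unit] = "FAILED"

    def interface_restored(self, unit):
        """Recovery returns the unit to standby; with no preempt it stays there."""
        if self.state[unit] == "FAILED":
            self.state[unit] = "STANDBY"

    def make_active(self, unit):
        """'failover active group <gid>' entered on `unit`."""
        if self.state[unit] == "FAILED":
            raise RuntimeError(f"group {self.gid}: unit {unit} is failed")
        self.state[unit] = "ACTIVE"
        self.state[self.peer(unit)] = "STANDBY"


class Pair:
    """Two units; group 1 preferred on A (primary), group 2 on B (secondary)."""

    def __init__(self):
        self.groups = {1: FailoverGroup(1, "A"), 2: FailoverGroup(2, "B")}

    def unit_status(self, unit):
        """Status in the slide's form, e.g. 'Active/Standby' or 'Failed/Standby'."""
        return "/".join(g.state[unit].capitalize() for g in self.groups.values())

    def interface_failed(self, unit, gid):
        self.groups[gid].interface_failed(unit)

    def interface_restored(self, unit, gid):
        self.groups[gid].interface_restored(unit)

    def failover_active(self, unit, gid=None):
        """'failover active [group gid]': one group, or every group, on `unit`."""
        targets = [self.groups[gid]] if gid else self.groups.values()
        for g in targets:
            g.make_active(unit)
```

Running the slide's scenario (outside interface of CTX1 fails on Unit A) moves only group 1 to Unit B, which is why the failed unit reports Failed/Standby rather than Failed/Failed.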
Figure: lab topology with primary and secondary security appliances (interfaces g0/0, g0/1, g0/2, g0/3 and m0/0), networks 192.168.P.0, 10.0.P.0 and 10.0.30+P.0, the RTS at .100 and the Student PC at 10.0.P.11.