© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.212-1 Lesson 12 Failover.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the difference between failover and stateful failover.
– Explain the failover hardware requirements.
– Describe how failover works.
– Identify the failover interface tests.
– Define failover, LAN-based failover, and stateful failover.
– Configure failover with a failover cable.
– Configure LAN-based stateful failover.

Understanding Failover

Failover
(Figure: before failover the primary PIX Firewall is active and the secondary is standby; after failover the secondary is active and the primary is standby.)
Failover protects the network should the primary PIX Firewall go offline. Stateful failover maintains operating state during failover.

Failover Requirements
The primary and secondary units must be identical in the following requirements:
– Same model number
– Identical software versions
– Same activation keys (DES or 3DES)
– Same amount of Flash memory and RAM
– Proper licensing

Failover and Stateful Failover
Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
– Provided by cable-based failover.
Stateful failover
– TCP connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
– Provided by LAN-based failover.

Types of Failover Cabling
(Figure: primary and secondary PIX Firewalls joined by either the serial failover cable or a LAN-based failover link; the figure labels e2 for LAN-based failover and e3 for stateful failover.)

IP Addresses for Failover
(Figure: the primary and secondary PIX Firewall addresses before and after failover, with the active and standby roles swapping between the two units.)

Failover Interface Tests
– Link Up/Down test: tests the NIC itself.
– Network Activity test: tests received network activity.
– ARP test: reads the PIX Firewall's ARP cache for the ten most recently acquired entries.
– Broadcast Ping test: sends out a broadcast ping request.

Serial Cable-Based Failover Configuration

Overview of Configuring Failover with a Failover Serial Cable
Complete the following tasks to configure failover with a failover serial cable:
1. Attach the PIX Firewall network interface cables.
2. Connect the failover cable between the primary and secondary firewalls.
3. Configure the primary firewall for failover and save the configuration to Flash memory.
4. Power on the secondary firewall.

Step 1: Cable the Secondary PIX Firewall
(Figure: the secondary PIX Firewall's e0 and e1 are cabled to the same networks as the primary's e0, which faces the Internet, and e1.)

Step 2: Connecting the Failover Cable
(Figure: the failover cable's primary-labeled connector plugs into the primary PIX Firewall and its secondary-labeled connector into the secondary PIX Firewall.)

Step 3: Configuring the Primary PIX Firewall
  pix1(config)# failover
  pix1(config)# failover ip address outside
  pix1(config)# failover ip address inside
  pix1(config)# failover poll 10
– failover: enable failover between the active and standby PIX Firewalls.
– failover ip address: create an IP address for the standby PIX Firewall (the address that follows each interface name was lost in the transcript).
– failover poll: specify how long failover waits before sending special failover hello packets between the primary and secondary firewalls (optional).

show failover Command: Secondary PIX Powered Off
  pix1# show failover
  Failover On
  Cable status: My side not connected
  Reconnect timeout 0:00:00
  Poll frequency 10 seconds
  This host: Primary - Active
      Active time: 360 (sec)
      Interface intf4 ( ): Shut Down
      Interface intf3 ( ): Shut Down
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Other host: Secondary - Standby
      Active time: 0 (sec)
      Interface intf4 ( ): Unknown (Shutdown)
      Interface intf3 ( ): Unknown (Shutdown)
      Interface outside ( ): Unknown (Waiting)
      Interface inside ( ): Unknown (Waiting)
  Stateful Failover Logical Update Statistics
      Link : Unconfigured

Configuration Replication
Configuration replication occurs:
– When the standby firewall completes its initial bootup.
– As commands are entered on the active firewall.
– By entering the write standby command.

Step 4: Powering on the Secondary Firewall
When the secondary firewall is powered on, the configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall.

show failover Command
  pix1# show failover
  Failover On
  Cable status: Normal
  Reconnect timeout 0:00:00
  Poll frequency 10 seconds
  This host: Primary - Active
      Active time: 1920 (sec)
      Interface intf4 ( ): Shut Down
      Interface intf3 ( ): Shut Down
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Other host: Secondary - Standby
      Active time: 25 (sec)
      Interface intf4 ( ): Unknown (Shutdown)
      Interface intf3 ( ): Unknown (Shutdown)
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Stateful Failover Logical Update Statistics
      Link : Unconfigured

Force Control Back
  pixfirewall(config)# failover [active]
  pix1(config)# failover active
Forces control of the connection back to the unit you are accessing.
(Figure: the primary PIX Firewall returns from standby to active and the secondary returns from active to standby.)

LAN-Based Failover Configuration

LAN-Based Failover Overview
LAN-based failover:
– Provides long-distance failover functionality
– Uses an Ethernet cable rather than the serial failover cable
– Requires a dedicated LAN interface, but the same interface can be used for stateful failover
– Requires a dedicated switch, hub, or VLAN
– Uses message encryption and authentication to secure failover transmissions

LAN-Based Failover Configuration Overview
Complete the following tasks to configure LAN-based failover:
1. Install a LAN-based failover connection between the primary and secondary firewalls.
2. Configure the primary PIX Firewall.
3. Save the primary firewall configuration to Flash memory.
4. Power on the secondary firewall.
5. Configure the secondary PIX Firewall with the minimum failover LAN command set.
6. Save the secondary firewall configuration to Flash memory.
7. Connect the LAN failover interface to the network.
8. Reboot the secondary firewall.

Cabling LAN Failover
(Figure: e0 and e1 of both units are cabled as for serial failover; e2 on each unit connects to the dedicated LAN failover network.)

Configuring LAN Failover: Primary PIX
  pix1(config)# nameif ethernet2 LANFAIL security55
  pix1(config)# interface ethernet2 100full
  pix1(config)# ip address LANFAIL
  pix1(config)# failover ip address LANFAIL
  pix1(config)# failover lan unit primary
  pix1(config)# failover lan interface LANFAIL
  pix1(config)# failover lan key
  pix1(config)# failover lan enable
(The address arguments of ip address and failover ip address and the shared key argument of failover lan key were lost in the transcript.)

Stateful Failover
  pixfirewall(config)# failover link [stateful_if_name]
  pix1(config)# failover link LANFAIL
Specify the name of the dedicated interface used for stateful failover (e2, named LANFAIL, in the figure).

Configuring LAN Failover: Secondary PIX
  pix2(config)# nameif ethernet2 LANFAIL security55
  pix2(config)# interface ethernet2 100full
  pix2(config)# ip address LANFAIL
  pix2(config)# failover ip address LANFAIL
  pix2(config)# failover lan unit secondary
  pix2(config)# failover lan interface LANFAIL
  pix2(config)# failover lan key
  pix2(config)# failover link LANFAIL
  pix2(config)# failover lan enable
(As on the primary, the address arguments and the shared key were lost in the transcript.)

Reload the Secondary Firewall
The console reports Sync Started and then Sync Completed, after which show failover shows:
  pix1# show failover
  Failover On
  Cable status: My side not connected
  Reconnect timeout 0:00:00
  Poll frequency 10 seconds
  This host: Primary - Active
      Active time: 3160 (sec)
      Interface intf4 ( ): Link Down
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Other host: Secondary - Standby
      Active time: 0 (sec)
      Interface intf4 ( ): Link Down
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Stateful Failover Logical Update Statistics
      Link : LANFAIL

show failover Command with LAN-Based Failover
  pix1# show failover
  Failover On
  Cable status: Unknown
  Reconnect timeout 0:00:00
  Poll frequency 15 seconds
  This host: Primary - Standby
      Active time: 255 (sec)
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Other host: Secondary - Active
      Active time: (sec)
      Interface outside ( ): Normal
      Interface inside ( ): Normal
  Stateful Failover Logical Update Statistics
      Link : LANFAIL
  Lan Based Failover is Active
      interface LANFAIL ( ): Normal, peer( ):Normal
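A monitoring check for the show failover output used throughout this lesson, added here as an example that is not part of the Cisco course: it parses the output layout shown on the slides and reports the conditions a standby unit can be in that would leave the pair unable to take over (cable not connected, interfaces still Waiting, no stateful link). The sample output is constructed, and its 192.0.2.x addresses are placeholders for the values the transcript left blank.

```python
import re

# Constructed sample in this lesson's show failover layout, secondary unit powered off;
# the 192.0.2.x addresses are placeholders, not values from the course.
SECONDARY_OFF = """\
Failover On
Cable status: My side not connected
This host: Primary - Active
    Interface outside (192.0.2.1): Normal
    Interface inside (192.0.2.129): Normal
Other host: Secondary - Standby
    Interface outside (192.0.2.2): Unknown (Waiting)
    Interface inside (192.0.2.130): Unknown (Waiting)
    Link : Unconfigured
"""
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\): *(.+)$")
ADMIN_DOWN = ("Shut Down", "Unknown (Shutdown)")  # unused interfaces, not a fault

def parse_show_failover(text):
    """Return the failover flag, cable status, stateful link, and each unit's interfaces."""
    s = {"failover_on": False, "cable_status": None, "link": None, "hosts": []}
    host = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Failover "):
            s["failover_on"] = line.split()[1] == "On"
        elif line.startswith(("Cable status:", "Link :")):
            key = "cable_status" if line.startswith("Cable") else "link"
            s[key] = line.split(":", 1)[1].strip()
        elif m := HOST_RE.match(line):
            host = {"role": m[2], "state": m[3], "interfaces": {}}
            s["hosts"].append(host)
        elif (m := IFACE_RE.match(line)) and host is not None:
            host["interfaces"][m[1]] = m[3]  # state text, e.g. "Unknown (Waiting)"
    return s

def failover_problems(text):
    """Reasons the pair could not take over cleanly, as a monitoring check would report them."""
    s = parse_show_failover(text)
    problems = [] if s["failover_on"] else ["failover is off"]
    # A serial cable reports Normal; LAN-based failover has no cable and reports Unknown.
    if s["cable_status"] not in ("Normal", "Unknown"):
        problems.append("cable status: " + str(s["cable_status"]))
    for h in s["hosts"]:
        for name, state in h["interfaces"].items():
            if state != "Normal" and state not in ADMIN_DOWN:
                problems.append(f"{h['role']} {name}: {state}")
    if s["link"] in (None, "Unconfigured"):
        problems.append("no stateful failover link: connections drop on failover")
    return problems
```

Interfaces reported as Shut Down or Unknown (Shutdown) are treated as unused rather than faulty, matching the intf3/intf4 lines in the lesson's output.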

failover mac address Command
  pixfirewall(config)# failover mac address mif_name act_mac stn_mac
  pix1(config)# failover ip address outside
  pix1(config)# failover ip address inside
  pix1(config)# failover mac address outside 00a0.c989.e481 00a0.c969.c7f1
  pix1(config)# failover mac address inside 00a0.c976.cde5 00a0.c
Enables you to configure a virtual MAC address for a PIX Firewall failover pair.
(Figure: inside MAC address, active 00a0.c976.cde5, standby 00a0.c (truncated in the transcript); outside MAC address, active 00a0.c989.e481, standby 00a0.c969.c7f1.)

Summary

– The primary and secondary PIX Firewalls are the two firewalls used for failover.
– The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.
– The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.
– During failover, connections are dropped; during stateful failover, connections remain active.
– There are four interface tests to ensure that the PIX Firewalls are running: the Link Up/Down test, the Network Activity test, the ARP test, and the Broadcast Ping test.
– LAN-based failover enables you to use Ethernet cabling with a dedicated hub, switch, or VLAN for long-distance failover.

Lab Exercise

Lab Visual Objective
(Figure: lab topology for pod P with the primary and secondary PIX Firewalls, the 10.0.P.0 network, RTS, RBB, Web/FTP servers, CSACS, and the student PC.)