The presentation was published 9 years ago by user Альбина Свирина.
1. CSPFA Lesson 12: Failover
© 2004, Cisco Systems, Inc. All rights reserved.
2. Objectives

3. Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the difference between failover and stateful failover.
– Explain the failover hardware requirements.
– Describe how failover works.
– Identify the failover interface tests.
– Define failover, LAN-based failover, and stateful failover.
– Configure failover with a failover cable.
– Configure LAN-based stateful failover.
4. Understanding Failover
5. Failover
Failover protects the network should the primary PIX Firewall go offline. Stateful failover maintains operating state during failover.
[Figure: before failover the primary PIX Firewall is active and the secondary is standby; after failover the primary is standby and the secondary is active. Both units sit between the inside network and the Internet.]
6. Failover Requirements
The primary and secondary units must be identical in the following respects:
– Same model number
– Identical software versions
– Same activation keys (DES or 3DES)
– Same amount of Flash memory and RAM
– Proper licensing
[Figure: primary and secondary PIX Firewalls in front of the Internet.]
7. Failover and Stateful Failover
Failover
–Connections are dropped.
–Client applications must reconnect.
–Provides redundancy.
–Provided by cable-based failover.
Stateful failover
–TCP connections remain active.
–No client applications need to reconnect.
–Provides redundancy and stateful connection.
–Provided by LAN-based failover.
8. Types of Failover Cabling
[Figure: primary and secondary PIX Firewalls in front of the Internet, showing the three cabling options: cable-based failover over the serial failover cable (or LAN-based), LAN-based failover on interface e2, and stateful failover on interface e3.]
9. IP Addresses for Failover
[Figure: IP addressing of the pair before failover (primary active, secondary standby) and after failover (primary standby, secondary active).]
10. Failover Interface Test
– Link Up/Down test: tests the NIC itself.
– Network Activity test: tests received network activity.
– ARP test: reads the PIX Firewall's ARP cache for the ten most recently acquired entries.
– Broadcast Ping test: sends out a broadcast ping request.
11. Serial Cable-Based Failover Configuration

12. Overview of Configuring Failover with a Failover Serial Cable
Complete the following tasks to configure failover with a failover serial cable:
1. Attach the PIX Firewall network interface cables.
2. Connect the failover cable between the primary and secondary firewalls.
3. Configure the primary firewall for failover and save the configuration to Flash memory.
4. Power on the secondary firewall.
13. Step 1: Cable the Secondary PIX Firewall
[Figure: the secondary PIX Firewall is cabled like the primary, with its e0 and e1 interfaces connected to the same networks as the primary's e0 and e1.]
14. Step 2: Connecting the Failover Cable
[Figure: the failover cable between the two units; the connector labeled Primary goes to the primary PIX Firewall and the connector labeled Secondary to the secondary PIX Firewall.]
15. Step 3: Configuring the Primary PIX Firewall
    pix1(config)# failover
    pix1(config)# failover ip address outside
    pix1(config)# failover ip address inside
    pix1(config)# failover poll 10
– failover: enable failover between the active and standby PIX Firewalls.
– failover ip address: create an IP address for the standby PIX Firewall.
– failover poll: specify how long failover waits before sending special failover hello packets between the primary and secondary firewalls (optional).
[Figure: primary PIX1 and the secondary PIX Firewall joined by the failover cable, in front of the Internet.]
16. show failover Command: Secondary PIX Powered Off
    pix1# show failover
    Failover On
    Cable status: My side not connected
    Reconnect timeout 0:00:00
    Poll frequency 10 seconds
            This host: Primary - Active
                    Active time: 360 (sec)
                    Interface intf4 ( ): Shut Down
                    Interface intf3 ( ): Shut Down
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
            Other host: Secondary - Standby
                    Active time: 0 (sec)
                    Interface intf4 ( ): Unknown (Shutdown)
                    Interface intf3 ( ): Unknown (Shutdown)
                    Interface outside ( ): Unknown (Waiting)
                    Interface inside ( ): Unknown (Waiting)
    Stateful Failover Logical Update Statistics
            Link : Unconfigured
17. Configuration Replication
Configuration replication occurs:
– When the standby firewall completes its initial bootup.
– As commands are entered on the active firewall.
– By entering the write standby command.
[Figure: configuration replicated from the primary PIX Firewall to the secondary PIX Firewall.]
18. Step 4: Powering on the Secondary Firewall
Replication of the primary PIX Firewall configuration to the secondary PIX Firewall.
[Figure: primary PIX1 replicating its configuration to the secondary PIX Firewall.]
19. show failover Command
    pix1# show failover
    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 10 seconds
            This host: Primary - Active
                    Active time: 1920 (sec)
                    Interface intf4 ( ): Shut Down
                    Interface intf3 ( ): Shut Down
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
            Other host: Secondary - Standby
                    Active time: 25 (sec)
                    Interface intf4 ( ): Unknown (Shutdown)
                    Interface intf3 ( ): Unknown (Shutdown)
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
    Stateful Failover Logical Update Statistics
            Link : Unconfigured
20. Force Control Back
    pixfirewall(config)# failover [active]
Force control of the connection back to the unit you are accessing.
    pix1(config)# failover active
[Figure: primary PIX1 goes from standby back to active; the secondary PIX goes from active back to standby.]
21. LAN-Based Failover Configuration

22. LAN-Based Failover Overview
LAN-based failover:
– Provides long-distance failover functionality
– Uses an Ethernet cable rather than the serial failover cable
– Requires a dedicated LAN interface, but the same interface can be used for stateful failover
– Requires a dedicated switch, hub, or VLAN
– Uses message encryption and authentication to secure failover transmissions

23. LAN-Based Failover Configuration Overview
Complete the following tasks to configure LAN-based failover:
1. Install a LAN-based failover connection between primary and secondary firewalls.
2. Configure the primary PIX Firewall.
3. Save the primary firewall configuration to Flash memory.
4. Power on the secondary firewall.
5. Configure the secondary PIX Firewall with the minimum failover LAN command set.
6. Save the secondary firewall configuration to Flash memory.
7. Connect the LAN failover interface to the network.
8. Reboot the secondary firewall.
24. Cabling LAN Failover
[Figure: primary and secondary PIX Firewalls with e0 and e1 cabled to the same networks, and e2 on each unit connected to the dedicated LAN failover segment.]
25. Configuring LAN Failover: Primary PIX
    pix1(config)# nameif ethernet2 LANFAIL security55
    pix1(config)# interface ethernet2 100full
    pix1(config)# ip address LANFAIL
    pix1(config)# failover ip address LANFAIL
    pix1(config)# failover lan unit primary
    pix1(config)# failover lan interface LANFAIL
    pix1(config)# failover lan key
    pix1(config)# failover lan enable
[Figure: primary PIX1 and the secondary PIX Firewall in front of the Internet.]
26. Stateful Failover
    pixfirewall(config)# failover link [stateful_if_name]
Specify the name of the dedicated interface used for stateful failover.
    pix1(config)# failover link LANFAIL
[Figure: primary PIX1 and the secondary PIX Firewall with stateful failover carried on interface e2.]
27. Configuring LAN Failover: Secondary PIX
    pix2(config)# nameif ethernet2 LANFAIL security55
    pix2(config)# interface ethernet2 100full
    pix2(config)# ip address LANFAIL
    pix2(config)# failover ip address LANFAIL
    pix2(config)# failover lan unit secondary
    pix2(config)# failover lan interface LANFAIL
    pix2(config)# failover lan key
    pix2(config)# failover link LANFAIL
    pix2(config)# failover lan enable
[Figure: primary PIX1 and the secondary PIX in front of the Internet.]
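The command sets on slides 25 to 27 must agree on the two units before LAN-based failover is enabled. The following added example, which is not from the slides or from Cisco, reads two CLI transcripts and reports the mismatches a reviewer would look for (unit roles, identical key, same LAN failover interface, stateful link on both); the transcripts, addresses and the key value are constructed placeholders.

```python
# Added example, not from the slides: consistency check for the LAN-based failover command sets (slides 25 to 27).
import re
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*(.*)$")   # pixN(config)# <command>
def failover_settings(session):
    s = {"unit": None, "lan_if": None, "key": None, "link": None,
         "enable": False, "nameif": {}}
    for line in session.splitlines():
        if not (m := PROMPT_RE.match(line.strip())):
            continue                                   # not a command line
        c = m.group(1).split()
        arg = c[-1] if len(c) > 3 else None            # value after the keywords
        if c[:1] == ["nameif"] and len(c) == 4:        # nameif hw_if name securityN
            s["nameif"][c[2]] = (c[1], c[3])
        elif c[:3] == ["failover", "lan", "unit"]:
            s["unit"] = arg
        elif c[:3] == ["failover", "lan", "interface"]:
            s["lan_if"] = arg
        elif c[:3] == ["failover", "lan", "key"]:
            s["key"] = arg                             # None if the key was omitted
        elif c[:3] == ["failover", "lan", "enable"]:
            s["enable"] = True
        elif c[:2] == ["failover", "link"]:
            s["link"] = c[2] if len(c) > 2 else None
    return s
def check_pair(primary, secondary):
    """Return the mismatches found; an empty list means the pair is consistent."""
    p, s, problems = failover_settings(primary), failover_settings(secondary), []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append("failover lan unit must be primary and secondary")
    if not p["key"] or p["key"] != s["key"]:
        problems.append("failover lan key missing or not identical on both units")
    if not (p["lan_if"] and p["lan_if"] == s["lan_if"]):
        problems.append("failover lan interface differs between the units")
    elif p["nameif"].get(p["lan_if"]) != s["nameif"].get(s["lan_if"]):
        problems.append("LAN failover interface is not nameif'd identically")
    if (p["link"] is None) != (s["link"] is None):
        problems.append("failover link (stateful) configured on only one unit")
    problems += [f"{n}: failover lan enable missing"
                 for n, u in (("primary", p), ("secondary", s)) if not u["enable"]]
    return problems
# Constructed from slides 25 to 27; the key value is a placeholder, not from the slides.
PRIMARY = """pix1(config)# nameif ethernet2 LANFAIL security55
pix1(config)# failover lan unit primary
pix1(config)# failover lan interface LANFAIL
pix1(config)# failover lan key EXAMPLE-KEY
pix1(config)# failover link LANFAIL
pix1(config)# failover lan enable
"""
SECONDARY = PRIMARY.replace("pix1", "pix2").replace("unit primary", "unit secondary")
```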
28. Reload the Secondary Firewall
Console messages on the primary while the secondary reloads:
    Sync Started
    Sync Completed
    pix1# show failover
    Failover On
    Cable status: My side not connected
    Reconnect timeout 0:00:00
    Poll frequency 10 seconds
            This host: Primary - Active
                    Active time: 3160 (sec)
                    Interface intf4 ( ): Link Down
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
            Other host: Secondary - Standby
                    Active time: 0 (sec)
                    Interface intf4 ( ): Link Down
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
    Stateful Failover Logical Update Statistics
            Link : LANFAIL

29. show failover Command with LAN-Based Failover
    pix1# show failover
    Failover On
    Cable status: Unknown
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: Primary - Standby
                    Active time: 255 (sec)
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
            Other host: Secondary - Active
                    Active time: (sec)
                    Interface outside ( ): Normal
                    Interface inside ( ): Normal
    Stateful Failover Logical Update Statistics
            Link : LANFAIL
    Lan Based Failover is Active
            interface LANFAIL ( ): Normal, peer( ):Normal
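The show failover outputs on slides 16, 19, 28 and 29 are what an operator reads to confirm the pair is healthy. The following added example, which is not from the slides or from Cisco, parses that output format and flags the conditions those slides illustrate: a peer that is still Waiting, a cable that is not Normal (except with LAN-based failover, where it reads Unknown), a pair that is not one Active plus one Standby, and a missing stateful link; the sample output is constructed from slides 16 and 19 with placeholder addresses.

```python
# Added example, not from the slides: parse PIX `show failover` output and flag an unhealthy pair.
import re
ROLE_RE = re.compile(r"^(?:This|Other) host:\s+(Primary|Secondary) - (\w+)")
IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\([^)]*\):\s+(.+)$")
OK_STATES = ("Normal", "Shut Down", "Unknown (Shutdown)")  # shut ports are fine
def parse_show_failover(text):
    # Returns on/cable/link/lan_based plus units -> (state, {iface: status})
    info = {"on": False, "cable": None, "link": None, "units": {},
            "lan_based": "Lan Based Failover is Active" in text}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Failover O"):              # "Failover On" / "Off"
            info["on"] = line == "Failover On"
        elif line.startswith("Cable status:"):
            info["cable"] = line.split(":", 1)[1].strip()
        elif m := ROLE_RE.match(line):                 # start of a unit section
            current = {}
            info["units"][m.group(1)] = (m.group(2), current)
        elif (m := IFACE_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
        elif line.startswith("Link :"):                # stateful failover link
            info["link"] = line.split(":", 1)[1].strip()
    return info
def assess(text):
    """List problems with the pair; an empty list means it is healthy."""
    info, problems = parse_show_failover(text), []
    if not info["on"]:
        problems.append("failover is off")
    if info["cable"] != "Normal" and not info["lan_based"]:  # Unknown is fine for LAN
        problems.append(f"cable status: {info['cable']}")
    if {s for s, _ in info["units"].values()} != {"Active", "Standby"}:
        problems.append("pair is not one Active plus one Standby unit")
    for unit, (_, ifaces) in info["units"].items():
        for name, status in ifaces.items():
            if status not in OK_STATES:                  # e.g. Unknown (Waiting)
                problems.append(f"{unit} {name}: {status}")
    if info["link"] == "Unconfigured":
        problems.append("no stateful link: connections will drop on failover")
    return problems
# Constructed from slide 19 (both units up) and slide 16 (secondary off); addresses are placeholders.
HEALTHY = """Failover On
Cable status: Normal
This host: Primary - Active
  Interface outside (192.0.2.1): Normal
Other host: Secondary - Standby
  Interface outside (192.0.2.7): Normal
  Link : LANFAIL
"""
PEER_OFF = (HEALTHY.replace("status: Normal", "status: My side not connected")
            .replace("7): Normal", "7): Unknown (Waiting)"))
```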
30. failover mac address Command
    pixfirewall(config)# failover mac address mif_name act_mac stn_mac
Enables you to configure a virtual MAC address for a PIX Firewall failover pair.
    pix1(config)# failover ip address outside
    pix1(config)# failover ip address inside
    pix1(config)# failover mac address outside 00a0.c989.e481 00a0.c969.c7f1
    pix1(config)# failover mac address inside 00a0.c976.cde5 00a0.c
[Figure: primary PIX1 in front of the Internet, with the configured MAC addresses:
Inside MAC address: Act - 00a0.c976.cde5, Stby - 00a0.c
Outside MAC address: Act - 00a0.c989.e481, Stby - 00a0.c969.c7f1]
31. Summary

32. Summary
The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active. The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.

33. Summary (Cont.)
During failover, connections are dropped; during stateful failover, connections remain active.
There are four interface tests to ensure that the PIX Firewalls are running:
–Link Up/Down test
–Network Activity test
–ARP test
–Broadcast Ping test
LAN-based failover enables you to use Ethernet cabling with a dedicated hub, switch, or VLAN for long-distance failover.
34. Lab Exercise

35. Lab Visual Objective
[Figure: lab topology with the primary and secondary PIX Firewalls on network 10.0.P.0, RTS, RBB, Web/FTP servers, CSACS, and a Student PC on the local 10.0.P.0 network.]