Network Security 2
Module 8 – PIX Security Appliance Contexts, Failover, and Management
Lesson 8.2 Configure PIX Security Appliance Failover
Hardware and Stateful Failover
• Hardware failover
  • Connections are dropped.
  • Client applications must reconnect.
  • Provides hardware redundancy.
  • Provided by serial or LAN-based failover link.
• Stateful failover
  • TCP connections remain active.
  • No client applications need to reconnect.
  • Provides redundancy and stateful connection.
  • Provided by stateful link.
[Diagram: a failover pair between the inside network and the Internet]
Hardware Failover: Active/Standby
Hardware failover protects the network should the primary go offline.
• Active/Standby: Only one unit can be actively processing traffic while the other is a hot standby.
[Diagram: before failover, Primary is Active and Secondary is Standby; after failover, Primary is Failed and Secondary is Active]
Hardware Failover: Active/Active
Hardware failover protects the network should the primary go offline.
• Active/Active: Both units can process traffic and serve as backup units.
[Diagram: contexts 1 and 2 on each unit; before failover, Primary is Active/Standby and Secondary is Standby/Active; after failover, Primary is Failed/Standby and Secondary is Active/Active]
Failover Requirements
• The primary and secondary security appliances must be identical in the following respects:
  • Same model number and hardware configurations
  • Same software versions* (prior to version 7.0)
  • Same operating mode
  • Same features (DES or 3DES)
  • Same amount of Flash memory and RAM
  • Proper licensing*
Failover Interface Tests
• Link up/down test: Tests the network interface card itself
• Network activity test: Tests for received network activity
• ARP test: Reads the security appliance ARP cache for the 10 most recently acquired entries
• Broadcast ping test: Sends out a broadcast ping request
Types of Failover Links
[Diagram: primary and secondary security appliances between 192.168.0.0/24 and 10.0.0.0/24, with interfaces e0 through e3; e2 carries the cable-based link and e3 the LAN-based or stateful link]
• Cable-based (PIX Security Appliance only)
• LAN-based
• Stateful
Serial Cable: Active/Standby Failover
[Diagram: before failover, the primary (Active) holds 192.168.1.2 and 10.0.1.1 and the secondary (Standby) holds 192.168.1.7 and 10.0.1.7, joined by a serial cable; after failover, the primary is Failed and the secondary (Active) takes over 192.168.1.2 and 10.0.1.1, leaving 192.168.1.7 and 10.0.1.7 on the failed unit]
Overview of Configuring Failover with a Failover Serial Cable
• Complete the following tasks to configure failover with a failover serial cable:
  • Attach the security appliance network interface cables.
  • Connect the failover cable between the primary and secondary firewalls.
  • Configure the primary firewall for failover and save the configuration to flash memory.
  • Power on the secondary firewall.
show failover Command: Secondary Security Appliance Not Connected

fw1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate Unknown
Last Failover at: 13:21:38 UTC Dec 10 2006
        This host: Primary - Active
                Active time: 200 (sec)
                Interface outside (192.168.1.2): Normal (Waiting)
                Interface inside (10.0.1.1): Normal (Waiting)
        Other host: Secondary - Not detected
                Active time: 0 (sec)
                Interface outside (192.168.1.7): Unknown (Waiting)
                Interface inside (10.0.1.7): Unknown (Waiting)
Stateful Failover Logical Update Statistics
        Link : Unconfigured
Configuration Replication
[Diagram: configuration is replicated from the primary security appliance to the secondary security appliance]
• Configuration replication occurs:
  • When the standby firewall completes its initial bootup
  • As commands are entered on the active firewall
  • By entering the write standby command
show failover Command: Mate Detected

Detected an active mate
Beginning configuration replication to mate.
End configuration replication to mate.

fw1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 13:21:38 UTC Dec 10 2006
        This host: Primary - Active
                Active time: 320 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (192.168.1.7): Normal
                Interface inside (10.0.1.7): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured
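As an added example (not part of the lesson and not a Cisco tool), the following Python script parses `show failover` output of the shape shown on the two preceding slides and reports what an operator monitoring a pair would want flagged: mate not detected, software version mismatch, interfaces not in the Normal state, and no stateful link configured. The two sample outputs are constructed from the slide text; the dictionary field names and the list of "healthy" mate states are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed samples, modelled on the two `show failover` outputs in the lesson
# (serial-based failover, before and after the mate is detected).
SHOW_FAILOVER_MATE_MISSING = """\
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate Unknown
Last Failover at: 13:21:38 UTC Dec 10 2006
        This host: Primary - Active
                Active time: 200 (sec)
                Interface outside (192.168.1.2): Normal (Waiting)
                Interface inside (10.0.1.1): Normal (Waiting)
        Other host: Secondary - Not detected
                Active time: 0 (sec)
                Interface outside (192.168.1.7): Unknown (Waiting)
                Interface inside (10.0.1.7): Unknown (Waiting)
Stateful Failover Logical Update Statistics
        Link : Unconfigured
"""

SHOW_FAILOVER_MATE_READY = """\
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Version: Ours 7.2(1), Mate 7.2(1)
        This host: Primary - Active
                Interface outside (192.168.1.2): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (192.168.1.7): Normal
                Interface inside (10.0.1.7): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured
"""

VERSION_RE = re.compile(r"^Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)")
# Accept either a hyphen or an en dash between unit and state (slide exports vary).
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*[-\u2013]\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(\w+)")
LINK_RE = re.compile(r"^\s*Link\s*:\s*(\S+)")


def parse_show_failover(text: str) -> Dict:
    """Reduce `show failover` text to the fields a health check needs."""
    state = {"failover_on": False, "unit": None, "ours": None, "mate": None,
             "hosts": {}, "stateful_link": None}
    current = None  # "this" or "other", set by the most recent host header
    for line in text.splitlines():
        if line.startswith("Failover On"):
            state["failover_on"] = True
            continue
        if line.startswith("Failover unit "):
            state["unit"] = line.split()[-1]
            continue
        m = VERSION_RE.match(line)
        if m:
            state["ours"], state["mate"] = m.group(1), m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            state["hosts"][current] = {"unit": m.group(2), "state": m.group(3),
                                       "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            # Keep only the state word (Normal/Unknown/...); "(Waiting)" is dropped.
            state["hosts"][current]["interfaces"][m.group(1)] = m.group(3)
            continue
        m = LINK_RE.match(line)
        if m:
            state["stateful_link"] = m.group(1)
    return state


def assess_failover(state: Dict) -> List[str]:
    """Return findings an operator should look at; an empty list means all clear."""
    findings = []
    if not state["failover_on"]:
        findings.append("failover is not enabled")
    other = state["hosts"].get("other")
    if other is None or other["state"].lower() == "not detected":
        findings.append("mate not detected")
    elif other["state"] not in ("Standby Ready", "Active"):
        findings.append(f"mate in unexpected state: {other['state']}")
    if state["mate"] in (None, "Unknown"):
        findings.append("mate software version unknown")
    elif state["ours"] != state["mate"]:
        findings.append(f"software version mismatch: ours {state['ours']}, mate {state['mate']}")
    for role, host in state["hosts"].items():
        for name, status in host["interfaces"].items():
            if status != "Normal":
                findings.append(f"{role} host interface {name} is {status}")
    if state["stateful_link"] in (None, "Unconfigured"):
        findings.append("no stateful failover link: connections will drop on failover")
    return findings


if __name__ == "__main__":
    for label, sample in (("before mate detected", SHOW_FAILOVER_MATE_MISSING),
                          ("mate standby ready", SHOW_FAILOVER_MATE_READY)):
        print(label, "->", assess_failover(parse_show_failover(sample)) or ["OK"])
```

Run against the first sample the script reports the undetected mate, the unknown mate version and the two Unknown interfaces on the other host; against the second it reports only that no stateful link is configured, which matches the slide's "Link : Unconfigured" and the hardware-only failover behaviour described earlier in the lesson.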
Force Control Back
[Diagram: fw1 (primary) and fw2 (secondary) between 192.168.1.0 and 10.0.1.0; fw1 goes from Standby to Active and fw2 from Active to Standby]
firewall(config)# failover active
• Forces control of the connection back to the unit you are accessing
fw2(config)# failover active
LAN-Based Failover Overview
• LAN-based failover:
  • Provides long-distance failover functionality
  • Uses an Ethernet cable rather than the serial failover cable
  • Requires a dedicated LAN interface, but the same interface can be used for stateful failover
  • Enables you to use a dedicated switch, hub, or VLAN, or a crossover cable to connect the two security appliances
  • Uses message encryption and authentication to secure failover transmissions
LAN-Based Failover Configuration Overview
• Complete the following tasks to configure LAN-based failover:
  • Install a LAN-based failover connection between primary and secondary security appliances.
  • Configure the primary security appliance.
  • Configure the primary security appliance for stateful failover.
  • Save the primary security appliance configuration to flash memory.
  • Power on the secondary security appliance.
  • Configure the secondary security appliance with the minimum failover LAN command set.
  • Save the secondary security appliance configuration to flash memory.
  • Connect the secondary unit LAN failover interface to the network.
  • Reboot the secondary security appliance.
Cabling LAN Failover
[Diagram: primary and secondary security appliances, each with g0/0 toward 192.168.1.0 (Internet side), g0/1 toward 10.0.1.0, and g0/2 connected as the LAN failover link]
Configuring LAN Failover: Primary
[Diagram: asa1 (primary) with .1 addresses and asa2 (secondary) with .7 addresses between 10.0.1.0 and 192.168.1.0, with the LAN failover link on 172.17.1.0]

asa1(config)# interface GigabitEthernet0/2
asa1(config-if)# no shut
asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa1(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa1(config)# failover lan unit primary
asa1(config)# failover key 1234567
asa1(config)# failover
Stateful Failover
[Diagram: asa1 (primary) and asa2 (secondary) between 10.0.1.0 and 192.168.1.0, with the stateful failover link on g0/2 of each unit]

ciscoasa(config)# failover link if_name [phy_if]
• Specifies the name of the dedicated interface used for stateful failover

asa1(config)# failover link LANFAIL
Configuring LAN Failover: Secondary
[Diagram: asa1 (primary) and asa2 (secondary) between 10.0.1.0 and 192.168.1.0, with the LAN failover link on 172.17.1.0]

asa2(config)# interface GigabitEthernet0/2
asa2(config-if)# no shut
asa2(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa2(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa2(config)# failover lan unit secondary
asa2(config)# failover key 1234567
asa2(config)# failover
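The consistency checks a practitioner would run on the two command sets before powering on the secondary, as an added Python example (not part of the lesson and not an ASA feature): it parses the primary and secondary LAN-failover commands shown on the preceding slides and flags the mismatches that keep a pair from forming, such as differing failover keys, both units claiming the same role, a standby address outside the failover subnet, a `failover interface ip` name that does not match the `failover lan interface` name, or a failover interface never brought up with `no shut`. The command sets are constructed from the slides (the key value is the slide's placeholder, not a recommended secret); the third set is a deliberately broken variant built for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed command sets modelled on the lesson's primary/secondary LAN-failover
# slides. LANFAIL, 172.17.1.0/24 and the key value come from the slides; the key
# is a placeholder, not a recommended secret.
PRIMARY_CFG = """\
interface GigabitEthernet0/2
 no shut
failover lan interface LANFAIL GigabitEthernet0/2
failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
failover lan unit primary
failover key 1234567
failover
"""
# The secondary enters the same commands, differing only in its unit role.
SECONDARY_CFG = PRIMARY_CFG.replace("failover lan unit primary", "failover lan unit secondary")

# Constructed misconfiguration: mistyped key, role left as primary, and a
# standby address outside the failover subnet.
SECONDARY_BAD = """\
interface GigabitEthernet0/2
 no shut
failover lan interface LANFAIL GigabitEthernet0/2
failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.2.7
failover lan unit primary
failover key 1234568
failover
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
LAN_IF_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
IF_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)$")
KEY_RE = re.compile(r"^failover key (\S+)$")


def parse_failover_cfg(text: str) -> Dict:
    """Pick the failover-relevant settings out of one unit's command set."""
    cfg: Dict = {"lan_if": None, "lan_phy": None, "ip_if": None, "ip": None,
                 "mask": None, "standby": None, "unit": None, "key": None,
                 "enabled": False, "no_shut": set()}
    current_if = None  # interface whose sub-mode commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INTERFACE_RE.match(line):
            current_if = m.group(1)
        elif line in ("no shut", "no shutdown") and current_if:
            cfg["no_shut"].add(current_if)
        elif m := LAN_IF_RE.match(line):
            cfg["lan_if"], cfg["lan_phy"] = m.groups()
        elif m := IF_IP_RE.match(line):
            cfg["ip_if"], cfg["ip"], cfg["mask"], cfg["standby"] = m.groups()
        elif m := UNIT_RE.match(line):
            cfg["unit"] = m.group(1)
        elif m := KEY_RE.match(line):
            cfg["key"] = m.group(1)
        elif line == "failover":
            cfg["enabled"] = True
    return cfg


def check_pair(primary_text: str, secondary_text: str) -> List[str]:
    """Return the mismatches between two units' failover command sets."""
    p, s = parse_failover_cfg(primary_text), parse_failover_cfg(secondary_text)
    findings: List[str] = []
    for label, c in (("primary", p), ("secondary", s)):
        for field in ("lan_if", "ip", "unit", "key"):
            if c[field] is None:
                findings.append(f"{label}: missing failover {field} setting")
        if not c["enabled"]:
            findings.append(f"{label}: 'failover' not enabled")
        if c["lan_phy"] and c["lan_phy"] not in c["no_shut"]:
            findings.append(f"{label}: failover interface {c['lan_phy']} not brought up with 'no shut'")
        if c["lan_if"] and c["ip_if"] and c["lan_if"] != c["ip_if"]:
            findings.append(f"{label}: 'failover interface ip' names {c['ip_if']} but the LAN failover interface is {c['lan_if']}")
        if c["ip"] and c["mask"] and c["standby"]:
            net = ipaddress.ip_network(f"{c['ip']}/{c['mask']}", strict=False)
            if ipaddress.ip_address(c["standby"]) not in net:
                findings.append(f"{label}: standby address {c['standby']} is outside {net}")
    # Exactly one unit must be primary and the other secondary.
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append(f"unit roles must be one primary and one secondary, got {p['unit']}/{s['unit']}")
    # Everything else about the failover link must be identical on both units.
    for field in ("lan_if", "lan_phy", "ip", "mask", "standby", "key"):
        if p[field] != s[field]:
            findings.append(f"{field} differs between units: {p[field]!r} vs {s[field]!r}")
    return findings


if __name__ == "__main__":
    print("good pair:", check_pair(PRIMARY_CFG, SECONDARY_CFG) or ["OK"])
    print("bad pair:", check_pair(PRIMARY_CFG, SECONDARY_BAD))
```

The good pair produces no findings; the broken secondary produces four (standby address outside 172.17.1.0/24, two units claiming primary, and differing standby and key values). A key mismatch is worth catching before the reboot step because the two units then cannot authenticate each other's failover messages and the mate is never detected.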
Replication to Secondary
[Diagram: configuration is replicated from asa1 (primary security appliance) to asa2 (secondary security appliance)]

Beginning configuration replication sending to mate.
End configuration replication to mate.
show failover Command with LAN-Based Failover

asa2(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up)
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 18:03:38 UTC Dec 12 2006
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
                  Interface outside (192.168.1.7): Normal (Waiting)
                  Interface inside (10.0.1.7): Normal (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
                  IPS, 5.0(2)S152.0 Up
        Other host: Primary - Active
                Active time: 3795 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
                  Interface outside (192.168.1.2): Normal (Waiting)
                  Interface inside (10.0.1.1): Normal (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
                  IPS, 5.0(2)S152.0 Up
. . .
failover mac address Command
[Diagram: asa1 (primary) and asa2 (secondary) between 10.0.1.0 and 192.168.1.0; outside MAC address Act 00a0.c989.e481 / Stby 00a0.c969.c7f1, inside MAC address Act 00a0.c976.cde5 / Stby 00a0.c922.9176]

ciscoasa(config)# failover mac address mif_name act_mac stn_mac
• Enables you to configure a virtual MAC address for a security appliance failover pair

asa1(config)# failover mac address GigabitEthernet0/0 00a0.c989.e481 00a0.c969.c7f1
asa1(config)# failover mac address GigabitEthernet0/1 00a0.c976.cde5 00a0.c922.9176
Active/Active Failover
[Diagram: Unit A (CTX1 Active, CTX2 Standby) and Unit B (CTX1 Standby, CTX2 Active), each with interfaces m0/0 and g0/0 through g0/3; context 1 traffic flows through Unit A and context 2 traffic through Unit B]
• Active/active failover requires the use of contexts. For example, you could have two security appliances with two contexts each:
  • CTX1
  • CTX2
• In normal conditions, each appliance has one active and one standby context.
  • The active context processes traffic.
  • The standby context is located in the peer security appliance.
Active/Active Failover (Cont.)
[Diagram: Unit A Failed/Standby (CTX1 Failed, CTX2 Standby) and Unit B Active/Active (CTX1 Active, CTX2 Active); all traffic now flows through Unit B]
• Under failed conditions, Unit A determines that the outside interface on CTX1 has failed.
  • CTX1 is placed in a failed state.
  • Unit A has one failed and one standby context.
• CTX1 on Unit B becomes active.
  • Unit B has two active contexts.
  • Both active contexts pass traffic.
• Failover can be context-based or unit-based.
Summary
• In order for failover to work, a pair of security appliances must be identical in several respects, including platform type and model, number and types of interfaces, amount of flash memory, and amount of RAM.
• When failover occurs, the security appliance unit type (primary or secondary) does not change; however, the role (active or standby) of the unit does change. In multiple context mode, the role of the context changes.
• With stateful failover, connection status is tracked and relayed between security appliances; therefore, connections remain active.
• With active/standby failover, only one security appliance actively processes user traffic while the other unit acts as a hot standby and is prepared to take over if the active unit fails.
Summary (Cont.)
• With active/active failover, both units can actively process firewall traffic while serving as a backup for their peer unit.
• Active/active failover is only available to security appliances in multiple context mode.
• The configuration of the primary security appliance is replicated to the secondary security appliance during configuration replication.
• Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.