The failover configuration is actually quite simple. Only a handful of commands are necessary to fully configure failover, and cable-based failover takes even fewer commands than LAN-based. The following is an overview of some of the basic commands:

    pixfirewall(config)# failover [active]
    pixfirewall(config)# failover IP address <if_name> <IP_address>
    pixfirewall(config)# failover link [stateful_if_name]
    pixfirewall(config)# failover mac address <if_name> <active_mac> <standby_mac>
    pixfirewall(config)# failover replicate http

Table 11.5 displays several of the configuration failover commands used to set up failover.

Table 11.5. Failover Configuration Commands
The commands listed in Table 11.5 are the basic commands needed to provide cable-based stateful failover. To support LAN-based failover, the following additional commands are necessary:

    pixfirewall(config)# failover lan enable
    pixfirewall(config)# failover lan unit primary|secondary
    pixfirewall(config)# failover lan interface <if_name>
    pixfirewall(config)# failover lan key <secret_key>

Table 11.6 displays a list of LAN-based commands used to configure the PIX firewall for failover.

Table 11.6. LAN-based Failover Commands
Configuring for Cable-based Failover

The following example demonstrates how to configure two PIX firewalls for serial cable-based failover. The first step is to attach the serial cable, which is provided by Cisco and has its ends labeled primary and secondary. Be sure you connect each end to the correct unit. Next, you configure a stateful failover system based on Figure 11.4.

Figure 11.4. Cable-based stateful failover example.
Follow these steps, which are discussed in more detail in the following sections:

1. Configure the clock.
2. Configure the system addresses.
3. Enable failover.
4. Configure the failover addresses.
5. Enable stateful failover.
6. Finish up by synchronizing the secondary and saving the configuration on both units.
Configuring the Clock

First, you must configure the clock on the primary firewall. The clock settings are replicated to the secondary firewall after the secondary firewall is enabled. The following is the command used to configure the clock's date and time values:

    primaryfirewall(config)# clock set 16:00 August 31, 2003

Configuring the System Addresses

Now, you need to set the system addresses on the firewall. Be sure you hard-set the interface speed and duplex (100full here) rather than relying on autosensing. Listing 11.1 shows the commands needed to configure the system settings on the primary firewall.

Listing 11.1 Primary Firewall Cable-based Commands

    primaryfirewall(config)# interface Ethernet0 100full
    primaryfirewall(config)# interface Ethernet1 100full
    primaryfirewall(config)# interface Ethernet2 100full
    primaryfirewall(config)# nameif ethernet0 outside sec0
    primaryfirewall(config)# nameif ethernet1 inside sec100
    primaryfirewall(config)# nameif ethernet2 st_ful sec50
    primaryfirewall(config)# IP address outside 169.254.8.1 255.255.255.0
    primaryfirewall(config)# IP address inside 192.168.1.1 255.255.255.0
    primaryfirewall(config)# IP address st_ful 172.16.1.1 255.255.255.0
    primaryfirewall(config)# clear xlate

Now, you use the show ip address command to display the system and current address information, like so:

    primaryfirewall(config)# show ip address
    System IP Addresses:
            ip address outside 169.254.8.1 255.255.255.0
            ip address inside 192.168.1.1 255.255.255.0
            ip address st_ful 172.16.1.1 255.255.255.0
    Current IP Addresses:
            ip address outside 169.254.8.1 255.255.255.0
            ip address inside 192.168.1.1 255.255.255.0
            ip address st_ful 172.16.1.1 255.255.255.0
Enabling Failover

After the system addresses are configured, failover can be enabled. The following command enables failover on the primary:

    primaryfirewall(config)# failover active

The command to enable failover can be used before you set the system addresses, but I like to do it just after to ensure that the addresses are configured prior to failover activation.
Configuring the Failover Addresses

Configuring the failover addresses enables you to define what the secondary's address will be and what the primary's address will become in the event of a failover. Listing 11.2 displays the commands needed on the primary firewall to define the secondary IP address for each interface, including the stateful interface.

Listing 11.2 Configuring Primary Cable-based Failover IP Addresses

    primaryfirewall(config)# failover ip address outside 169.254.8.2
    primaryfirewall(config)# failover ip address inside 192.168.1.2
    primaryfirewall(config)# failover ip address st_ful 172.16.1.2

To verify the configuration, you can use the show failover command as shown here:

    primaryfirewall(config)# show failover
    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: primary - Active
                    Active time: 240 (sec)
                    Interface st_ful (172.16.1.1): Normal (Waiting)
                    Interface outside (169.254.8.1): Normal (Waiting)
                    Interface inside (192.168.1.1): Normal (Waiting)
            Other host: secondary - Standby
                    Active time: 0 (sec)
                    Interface st_ful (172.16.1.2): Unknown (Waiting)
                    Interface outside (169.254.8.2): Unknown (Waiting)
                    Interface inside (192.168.1.2): Unknown (Waiting)

The Other host in the previous output is the secondary host. The status of Unknown is displayed if you have the secondary off, as I did in this case.

Enabling Stateful Failover

In this example, you are using stateful failover on the 172.16.1.1-to-172.16.1.2 link. The following command enables stateful failover on the interface named st_ful:

    primaryfirewall(config)# failover link st_ful

At this point, you must turn on the secondary firewall. Once it is up, show failover on the primary reports both units as Normal and adds the stateful update statistics:

    primaryfirewall(config)# show failover
    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: primary - Active
                    Active time: 251 (sec)
                    Interface st_ful (172.16.1.1): Normal
                    Interface outside (169.254.8.1): Normal
                    Interface inside (192.168.1.1): Normal
            Other host: secondary - Standby
                    Active time: 11 (sec)
                    Interface st_ful (172.16.1.2): Normal
                    Interface outside (169.254.8.2): Normal
                    Interface inside (192.168.1.2): Normal

    Stateful Failover Logical Update Statistics
            Link : failover
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1201       0          0          0
            sys cmd         1130       0          0          0
            up time         0          0          0          0
            xlate           0          0          0          0
            tcp conn        0          0          0          0
            udp conn        0          0          0          0
            ARP tbl         0          0          0          0
            RIP Tbl         0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       0       0
            Xmit Q:         0       0       1201

Finishing Up

Now that the primary has been configured, the commands will be replicated to the secondary firewall when it is powered on or reloaded. The secondary will start with the Sync Started message; the Sync Completed message displays when the replication has finished. After all the changes have been made on the primary and the secondary has been synchronized, use the write memory command on both firewalls to save the configuration to flash.
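The show failover output above is what an operator polls to confirm that both units see each other and that state replication is not failing. As an added example, not code from the book or from Cisco, the following Python script parses output in the layout shown above and flags anything a defender would want to know about: failover off, an abnormal cable status, a missing peer, any interface whose state is not Normal, and non-zero xerr/rerr counters in the stateful statistics. The two sample outputs are constructed to match the listings on this page (the second reproduces the earlier state with the secondary still powered off), and the regular expressions assume that layout.

```python
import re

# Constructed sample, laid out like the page's listing after the secondary synced.
SHOW_FAILOVER_SYNCED = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: primary - Active
                Active time: 251 (sec)
                Interface st_ful (172.16.1.1): Normal
                Interface outside (169.254.8.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: secondary - Standby
                Active time: 11 (sec)
                Interface st_ful (172.16.1.2): Normal
                Interface outside (169.254.8.2): Normal
                Interface inside (192.168.1.2): Normal

Stateful Failover Logical Update Statistics
        Link : failover
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1201       0          0          0
        sys cmd         1130       0          0          0
        up time         0          0          0          0
        xlate           0          0          0          0
        tcp conn        0          0          0          0
        udp conn        0          0          0          0
        ARP tbl         0          0          0          0
        RIP Tbl         0          0          0          0
"""

# Constructed sample: the same primary before the secondary was powered on.
SHOW_FAILOVER_PEER_DOWN = """\
Failover On
Cable status: Normal
        This host: primary - Active
                Active time: 240 (sec)
                Interface st_ful (172.16.1.1): Normal (Waiting)
                Interface outside (169.254.8.1): Normal (Waiting)
                Interface inside (192.168.1.1): Normal (Waiting)
        Other host: secondary - Standby
                Active time: 0 (sec)
                Interface st_ful (172.16.1.2): Unknown (Waiting)
                Interface outside (169.254.8.2): Unknown (Waiting)
                Interface inside (192.168.1.2): Unknown (Waiting)
"""

HOST_RE = re.compile(r"(This|Other) host: (\S+) - (\S+)")
# State may be followed by a qualifier in parentheses, e.g. "Normal (Waiting)".
IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): ([^(\n]+?)(?: \((\w+)\))?\s*$")
# Statistics rows: a name followed by exactly four integer counters.
STAT_RE = re.compile(r"^\s*([A-Za-z][\w ]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text):
    """Turn show failover output into a dict of cable status, hosts and counters."""
    report = {"failover_on": bool(re.search(r"^Failover On\b", text, re.M)),
              "cable": None, "hosts": {}, "stats": {}}
    current = None  # "this" or "other", set by the most recent host header
    for line in text.splitlines():
        m = re.search(r"Cable status: (\S+)", line)
        if m:
            report["cable"] = m.group(1)
            continue
        m = HOST_RE.search(line)
        if m:
            current = m.group(1).lower()
            report["hosts"][current] = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.search(line)
        if m and current:
            report["hosts"][current]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "state": m.group(3), "qualifier": m.group(4)}
            continue
        m = STAT_RE.match(line)
        if m:
            report["stats"][m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return report


def failover_alerts(report):
    """Conditions worth flagging to an operator; an empty list means healthy."""
    alerts = []
    if not report["failover_on"]:
        alerts.append("failover is off")
    if report["cable"] not in (None, "Normal"):
        alerts.append(f"cable status {report['cable']}")
    if "other" not in report["hosts"]:
        alerts.append("peer unit not reported")
    for host, info in report["hosts"].items():
        for name, iface in info["interfaces"].items():
            if iface["state"] != "Normal":
                alerts.append(f"{host} host ({info['unit']}) {name}: {iface['state']}")
    for obj, (xmit, xerr, rcv, rerr) in report["stats"].items():
        if xerr or rerr:
            alerts.append(f"stateful {obj}: {xerr} xmit errors, {rerr} rcv errors")
    return alerts


if __name__ == "__main__":
    for sample in (SHOW_FAILOVER_SYNCED, SHOW_FAILOVER_PEER_DOWN):
        print(failover_alerts(parse_show_failover(sample)) or ["healthy"])
```

A Waiting qualifier on a Normal interface is kept in the parsed data but not alerted on, since the page shows it as the normal state while the primary is still waiting for hellos from the peer; only a state other than Normal, or a non-zero error counter, produces an alert.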
Configuring for LAN-based Failover

In the previous example, you configured cable-based failover, which required a special 6-foot serial cable from Cisco. For this example, you will use the newer LAN-based configuration to set up a failover system. LAN-based failover uses dedicated Ethernet interfaces that interconnect the two firewalls. This interconnect must go through a dedicated hub, a switch, or a VLAN on a switch. In this example, you will use a switch, as shown in Figure 11.5. You will also use a stateful link to interconnect the firewalls for session state replication. This connection can be a crossover cable, which is shown as a straight line in Figure 11.5. Be sure you don't cable the units together until the last step.

Figure 11.5. LAN-based stateful failover example.
The following steps, which are discussed in the following sections, are required to configure LAN-based failover:

1. Configure the clock.
2. Configure the primary system addresses.
3. Enable failover.
4. Configure the failover addresses.
5. Configure the LAN-based connections.
6. Enable stateful failover.
7. Configure the standby firewall.
8. Finish up by saving both configurations and cabling the units together.
Configuring the Clock

You must first configure the clock on the primary firewall. The clock is replicated to the secondary firewall after failover is enabled. Here is the command used to accomplish this:

    primaryfirewall(config)# clock set 16:00 August 31, 2003

Configuring the Primary System Addresses

Now you have to set the system addresses on the primary firewall. Listing 11.3 shows the commands needed to configure the system settings on the primary firewall.

Listing 11.3 Primary Firewall LAN-based Commands

    primaryfirewall(config)# interface Ethernet0 100full
    primaryfirewall(config)# interface Ethernet1 100full
    primaryfirewall(config)# interface Ethernet2 100full
    primaryfirewall(config)# interface Ethernet3 100full
    primaryfirewall(config)# nameif ethernet0 outside sec0
    primaryfirewall(config)# nameif ethernet1 inside sec100
    primaryfirewall(config)# nameif ethernet2 fl_ovr sec75
    primaryfirewall(config)# nameif ethernet3 st_ful sec50
    primaryfirewall(config)# IP address outside 169.254.8.1 255.255.255.0
    primaryfirewall(config)# IP address inside 192.168.1.1 255.255.255.0
    primaryfirewall(config)# IP address fl_ovr 172.16.1.1 255.255.255.0
    primaryfirewall(config)# IP address st_ful 172.16.2.1 255.255.255.0
    primaryfirewall(config)# clear xlate

Next, you use the show ip address command to display the system and current address information, like so:

    primaryfirewall(config)# show ip address
    System IP Addresses:
            ip address outside 169.254.8.1 255.255.255.0
            ip address inside 192.168.1.1 255.255.255.0
            ip address fl_ovr 172.16.1.1 255.255.255.0
            ip address st_ful 172.16.2.1 255.255.255.0
    Current IP Addresses:
            ip address outside 169.254.8.1 255.255.255.0
            ip address inside 192.168.1.1 255.255.255.0
            ip address fl_ovr 172.16.1.1 255.255.255.0
            ip address st_ful 172.16.2.1 255.255.255.0

Enabling Failover

After the system addresses are configured, failover can be enabled using the following command:

    primaryfirewall(config)# failover active

Configuring the Failover Addresses

Configuring the failover addresses enables you to define what the secondary's address will be and what the primary's address will become in the event of a failover. Listing 11.4 shows a configuration example.

Listing 11.4 Configuring Primary LAN-based Failover IP Addresses

    primaryfirewall(config)# failover ip address outside 169.254.8.2
    primaryfirewall(config)# failover ip address inside 192.168.1.2
    primaryfirewall(config)# failover ip address fl_ovr 172.16.1.2
    primaryfirewall(config)# failover ip address st_ful 172.16.2.2

To verify the configuration, you can use the show failover command, as shown here:

    primaryfirewall(config)# show failover
    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: primary - Active
                    Active time: 250 (sec)
                    Interface outside (169.254.8.1): Normal (Waiting)
                    Interface inside (192.168.1.1): Normal (Waiting)
                    Interface fl_ovr (172.16.1.1): Normal (Waiting)
                    Interface st_ful (172.16.2.1): Normal (Waiting)
            Other host: secondary - Standby
                    Active time: 0 (sec)
                    Interface outside (169.254.8.2): Unknown (Waiting)
                    Interface inside (192.168.1.2): Unknown (Waiting)
                    Interface fl_ovr (172.16.1.2): Unknown (Waiting)
                    Interface st_ful (172.16.2.2): Unknown (Waiting)

Configuring LAN-based Connections

Because you are using a LAN-based configuration, the serial cable is not used, and you have to tell the firewall that it is the primary unit. Listing 11.5 configures the primary firewall for LAN-based failover.

Listing 11.5 Setting LAN-based Primary Firewall Commands

    primaryfirewall(config)# no failover
    primaryfirewall(config)# failover lan unit primary
    primaryfirewall(config)# failover lan interface fl_ovr
    primaryfirewall(config)# failover lan key dog
    primaryfirewall(config)# failover lan enable
    primaryfirewall(config)# failover active

Listing 11.5 first disables failover, configures the unit as the primary firewall, defines fl_ovr as the failover link, sets the secret key (password) dog that is used when sending failover data, enables LAN-based failover, and then turns failover back on. In a later step, you will configure the secondary with the same key (password).

Enabling Stateful Failover

In this example, you are using stateful failover on the st_ful interface (172.16.2.0/24). The command shown here enables stateful failover on this link:

    primaryfirewall(config)# failover link st_ful

Configuring the Standby Firewall

Now that you've configured the primary, the secondary needs the basic LAN-based configuration set on it. Be sure the secondary has no configuration before you start the next three steps. The first step is to set the IP address of the failover interface so the secondary can receive information from the primary. Listing 11.6 configures the basic settings on that Ethernet interface.

Listing 11.6 Secondary LAN-based Basic Configuration

    secondaryfirewall(config)# interface Ethernet2 100full
    secondaryfirewall(config)# nameif ethernet2 fl_ovr sec75
    secondaryfirewall(config)# IP address fl_ovr 172.16.1.2 255.255.255.0

The second step is to configure the LAN-based settings. Listing 11.7 enables the firewall as the secondary unit. The last two lines save the configuration to flash and reload the PIX.

Listing 11.7 Secondary LAN-based Configuration

    secondaryfirewall(config)# failover IP address fl_ovr 172.16.1.2
    secondaryfirewall(config)# failover lan unit secondary
    secondaryfirewall(config)# failover lan interface fl_ovr
    secondaryfirewall(config)# failover lan key dog
    secondaryfirewall(config)# failover lan enable
    secondaryfirewall(config)# failover
    secondaryfirewall(config)# write memory
    secondaryfirewall(config)# reload

Finishing Up

Now that the primary and secondary have been configured, make sure you have saved both configurations before cabling them together. Then use the show failover command to monitor their status.
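Both procedures above pair every system address with a standby address and, for LAN-based failover, add the unit, interface and key settings, and a typo in any of them (a standby address in the wrong subnet, a missing key, a link interface with no address) only shows up once the units are cabled together. As an added example, not code from the book or from Cisco, the following Python script reads configuration lines in the form shown in Listings 11.3 to 11.7 and checks them before they are committed: each interface with an IP address has a failover IP address in the same subnet and different from the system address, failover lan enable is accompanied by unit, interface and key, the LAN and stateful interfaces are addressed, and the key meets a minimum length. The sample configuration is constructed from the primary's listings with the st_ful standby address deliberately moved to the wrong subnet; the prompt stripping, the minimum key length and the list of checks are this example's own assumptions, not PIX behavior.

```python
import ipaddress
import re

# Constructed sample based on Listings 11.3 to 11.5, with one deliberate defect:
# the st_ful standby address is in 172.16.3.0/24, not the interface's 172.16.2.0/24.
SAMPLE_PRIMARY_CONFIG = """\
primaryfirewall(config)# nameif ethernet0 outside sec0
primaryfirewall(config)# nameif ethernet1 inside sec100
primaryfirewall(config)# nameif ethernet2 fl_ovr sec75
primaryfirewall(config)# nameif ethernet3 st_ful sec50
primaryfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
primaryfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
primaryfirewall(config)# ip address fl_ovr 172.16.1.1 255.255.255.0
primaryfirewall(config)# ip address st_ful 172.16.2.1 255.255.255.0
primaryfirewall(config)# failover ip address outside 169.254.8.2
primaryfirewall(config)# failover ip address inside 192.168.1.2
primaryfirewall(config)# failover ip address fl_ovr 172.16.1.2
primaryfirewall(config)# failover ip address st_ful 172.16.3.2
primaryfirewall(config)# failover lan unit primary
primaryfirewall(config)# failover lan interface fl_ovr
primaryfirewall(config)# failover lan key dog
primaryfirewall(config)# failover lan enable
primaryfirewall(config)# failover link st_ful
primaryfirewall(config)# failover active
"""

PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")  # strips "host(config)# " if present
MIN_KEY_LEN = 8  # policy chosen for this example, not a PIX requirement


def parse_pix_config(text):
    """Collect the nameif, address and failover settings from configuration lines."""
    cfg = {"names": set(), "system": {}, "standby": {}, "lan": {}, "link": None}
    for raw in text.splitlines():
        parts = PROMPT_RE.sub("", raw.strip()).split()
        if not parts:
            continue
        words = [p.lower() for p in parts]  # keywords are case-insensitive
        if words[0] == "nameif" and len(parts) >= 3:
            cfg["names"].add(parts[2])
        elif words[:2] == ["ip", "address"] and len(parts) >= 5:
            cfg["system"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif words[:3] == ["failover", "ip", "address"] and len(parts) >= 5:
            cfg["standby"][parts[3]] = ipaddress.ip_address(parts[4])
        elif words[:2] == ["failover", "lan"] and len(parts) >= 3:
            # "failover lan enable" carries no value; unit, interface and key do
            cfg["lan"][words[2]] = parts[3] if len(parts) > 3 else True
        elif words[:2] == ["failover", "link"] and len(parts) >= 3:
            cfg["link"] = parts[2]
    return cfg


def check_failover_config(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for name, sysaddr in cfg["system"].items():
        if name not in cfg["names"]:
            problems.append(f"{name}: ip address set on an interface with no nameif")
        standby = cfg["standby"].get(name)
        if standby is None:
            problems.append(f"{name}: no failover ip address for the standby unit")
        elif standby == sysaddr.ip:
            problems.append(f"{name}: standby address equals the system address")
        elif standby not in sysaddr.network:
            problems.append(f"{name}: standby {standby} is outside {sysaddr.network}")
    for name in cfg["standby"]:
        if name not in cfg["system"]:
            problems.append(f"{name}: failover ip address on an interface with no ip address")
    if cfg["lan"].get("enable"):
        for setting in ("unit", "interface", "key"):
            if setting not in cfg["lan"]:
                problems.append(f"failover lan {setting} is missing")
        unit = cfg["lan"].get("unit")
        if unit is not None and unit.lower() not in ("primary", "secondary"):
            problems.append(f"failover lan unit {unit} is not primary or secondary")
        lan_if = cfg["lan"].get("interface")
        if lan_if and lan_if not in cfg["system"]:
            problems.append(f"failover lan interface {lan_if} has no ip address")
        key = cfg["lan"].get("key")
        if isinstance(key, str) and len(key) < MIN_KEY_LEN:
            problems.append(f"failover lan key is shorter than {MIN_KEY_LEN} characters")
    if cfg["link"] and cfg["link"] not in cfg["system"]:
        problems.append(f"failover link {cfg['link']} has no ip address")
    return problems


if __name__ == "__main__":
    for problem in check_failover_config(parse_pix_config(SAMPLE_PRIMARY_CONFIG)):
        print("PROBLEM:", problem)
```

Run against the constructed sample, the script reports the st_ful standby address as outside 172.16.2.0/24 and the three-character key as below the example's minimum; correcting those two lines makes the check list empty. The same parser accepts the secondary's Listings 11.6 and 11.7, where only the fl_ovr interface is addressed.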