Failover Configuration


The failover configuration is actually quite simple. Only a handful of commands are necessary to fully configure failover, and cable-based failover takes even fewer commands than LAN-based. The following is an overview of some of the basic commands:

 pixfirewall(config)# failover [active]
 pixfirewall(config)# failover IP address <if_name> <IP_address>
 pixfirewall(config)# failover link [stateful_if_name]
 pixfirewall(config)# failover mac address <if_name> <active_mac> <standby_mac>
 pixfirewall(config)# failover replicate http

Table 11.5 describes the failover configuration commands used to set up failover.

Table 11.5. Failover Configuration Commands

    Command                    Description
    -------------------------  ----------------------------------------------------
    failover [active]          This enables failover. The [active] option manually
                               forces the standby to be active.
    failover ip address        This specifies the IP address of the standby
                               firewall. When failover occurs, this is the IP
                               address the firewall will be changed to.
    failover link              This defines which FastEthernet interface is used
                               for stateful failover.
    failover mac address       This specifies the MAC addresses for the primary and
                               standby firewalls. This is available in case you
                               want to override the burned-in address (BIA) of the
                               firewall.
    failover replicate http    By default, HTTP connections are not replicated in
                               stateful replication. This enables HTTP replication.

The commands listed in Table 11.5 are the basic commands needed to perform cable-based stateful failover capability. To support LAN-based failover, the following additional commands are necessary:

 pixfirewall(config)# failover lan enable
 pixfirewall(config)# failover lan unit primary|secondary
 pixfirewall(config)# failover lan interface <if_name>
 pixfirewall(config)# failover lan key <secret_key>

Table 11.6 displays a list of LAN-based commands used to configure the PIX firewall for failover.

Table 11.6. LAN-based Failover Commands

    Command                    Description
    -------------------------  ----------------------------------------------------
    failover lan enable        Enables LAN-based failover instead of cable-based.
    failover lan unit          Unlike the serial cable, which helps define which
                               firewall is the primary or secondary, the lan unit
                               command specifies the function of the firewall.
    failover lan interface     Defines which interface is used for LAN-based
                               connections.
    failover lan key           This gives you the ability to specify an encryption
                               key to use for protected failover messages.

Configuring for Cable-based Failover

The following example demonstrates how to configure two PIX firewalls for serial cable-based failover. The first step is to attach the Cisco-supplied serial cable, whose ends are labeled primary and secondary. Be sure you connect each end to the correct unit. Next, you configure a stateful failover system based on Figure 11.4.

Figure 11.4. Cable-based stateful failover example.


Follow these steps, which are discussed in more detail in the following sections:

  1. Configure the clock.

  2. Configure the system addresses.

  3. Enable failover.

  4. Configure the failover addresses.

  5. Enable stateful failover.

  6. Finish the process.

Configuring the Clock

First, you must configure the clock on the primary firewall. The clock settings are replicated to the secondary firewall after the secondary firewall is enabled. The following is the command used to configure the clock's date and time values:

 primaryfirewall(config)# clock set 16:00 August 31, 2003 
Configuring the System Addresses

Now, you need to set the system addresses on the firewall. Be sure you force flow control and do not use autosensing. Listing 11.1 shows the commands needed to configure the system settings on the primary firewall.

Listing 11.1 Primary Firewall Cable-based Commands

 primaryfirewall(config)# interface Ethernet0 100full
 primaryfirewall(config)# interface Ethernet1 100full
 primaryfirewall(config)# interface Ethernet2 100full
 primaryfirewall(config)# nameif ethernet0 outside sec0
 primaryfirewall(config)# nameif ethernet1 inside sec100
 primaryfirewall(config)# nameif ethernet2 st_ful sec50
 primaryfirewall(config)# IP address outside 169.254.8.1 255.255.255.0
 primaryfirewall(config)# IP address inside 192.168.1.1 255.255.255.0
 primaryfirewall(config)# IP address st_ful 172.16.1.1 255.255.255.0
 primaryfirewall(config)# clear xlate

Now, you use the show ip address command to display the system and current address information, like so:

 primaryfirewall(config)# show ip address
 System IP Addresses:
      ip address outside 169.254.8.1 255.255.255.0
      ip address inside 192.168.1.1 255.255.255.0
      ip address st_ful 172.16.1.1 255.255.255.0
 Current IP Addresses:
      ip address outside 169.254.8.1 255.255.255.0
      ip address inside 192.168.1.1 255.255.255.0
      ip address st_ful 172.16.1.1 255.255.255.0


When the primary is in active mode, it uses the system IP addresses and media access control (MAC) addresses. When the primary is in standby mode, it uses the failover IP addresses and MAC addresses instead.


Enabling Failover

After the system addresses are configured, failover can be enabled. The following command enables failover on the primary:

 primaryfirewall(config)# failover active 

The command to enable failover can be used before you set the system addresses, but I like to do it just after to ensure that the addresses are configured prior to failover activation.


Make sure you remember that the failover active command is used to enable failover on the PIX firewall.


Configuring the Failover Addresses

Configuring the failover addresses enables you to define what the secondary address will be and what the primary will become in the event of a failover. Listing 11.2 displays the commands needed on the primary firewall to define which secondary IP address will be used and which interface is the stateful interface.

Listing 11.2 Configuring Primary Cable-based Failover IP Addresses

 primaryfirewall(config)# failover ip address outside 169.254.8.2
 primaryfirewall(config)# failover ip address inside 192.168.1.2
 primaryfirewall(config)# failover ip address st_ful 172.16.1.2

To verify the configuration, you can use the show failover command as shown here:

 primaryfirewall(config)# show failover
 Failover On
 Cable status: Normal
 Reconnect timeout 0:00:00
 Poll frequency 15 seconds
      This host: primary - Active
                  Active time: 240 (sec)
                  Interface st_ful (172.16.1.1): Normal (Waiting)
                  Interface outside (169.254.8.1): Normal (Waiting)
                  Interface inside (192.168.1.1): Normal (Waiting)
      Other host: secondary - Standby
                  Active time: 0 (sec)
                  Interface st_ful (172.16.1.2): Unknown (Waiting)
                  Interface outside (168.254.8.2): Unknown (Waiting)
                  Interface inside (192.168.1.2): Unknown (Waiting)

The Other host in the previous output is the secondary unit. The status of Unknown is displayed if the secondary is powered off, as it was in this case.
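Reading show failover by eye works on the console, but the same output is what a monitoring job should parse after the pair is in production: an interface that drifts from Normal to Unknown or Failed on either unit is the early warning that the standby will not be able to take over. The following Python monitor is an added example and is not from the book or from Cisco. It parses output in the format shown above into a dict and returns a list of findings, treating anything other than a status beginning with Normal as a problem. The two sample outputs are constructed from the listing above and from the healthy listing shown after the secondary is powered on; the function names parse_show_failover and check_health are the example's own.

```python
import re

# Constructed sample modeled on the book's cable-based `show failover` output,
# taken while the secondary unit was still powered off (hence "Unknown").
SAMPLE_SECONDARY_OFF = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
     This host: primary - Active
                 Active time: 240 (sec)
                 Interface st_ful (172.16.1.1): Normal (Waiting)
                 Interface outside (169.254.8.1): Normal (Waiting)
                 Interface inside (192.168.1.1): Normal (Waiting)
     Other host: secondary - Standby
                 Active time: 0 (sec)
                 Interface st_ful (172.16.1.2): Unknown (Waiting)
                 Interface outside (169.254.8.2): Unknown (Waiting)
                 Interface inside (192.168.1.2): Unknown (Waiting)
"""

# Constructed sample of the same pair after the secondary has come up and synced.
SAMPLE_HEALTHY = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
     This host: primary - Active
                 Active time: 251 (sec)
                 Interface st_ful (172.16.1.1): Normal
                 Interface outside (169.254.8.1): Normal
                 Interface inside (192.168.1.1): Normal
     Other host: secondary - Standby
                 Active time: 11 (sec)
                 Interface st_ful (172.16.1.2): Normal
                 Interface outside (169.254.8.2): Normal
                 Interface inside (192.168.1.2): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(\S+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")


def parse_show_failover(text):
    """Turn `show failover` text into a dict: global state plus per-host interface status."""
    result = {"failover_on": False, "cable_status": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Failover "):
            result["failover_on"] = stripped.split()[1:2] == ["On"]
        elif stripped.startswith("Cable status:"):
            result["cable_status"] = stripped.split(":", 1)[1].strip()
        host = HOST_RE.match(line)
        if host:
            current = host.group(1).lower()  # "this" or "other"
            result["hosts"][current] = {"unit": host.group(2),
                                        "state": host.group(3), "interfaces": {}}
            continue
        iface = IFACE_RE.match(line)
        if iface and current:
            result["hosts"][current]["interfaces"][iface.group(1)] = {
                "ip": iface.group(2), "status": iface.group(3)}
    return result


def check_health(parsed):
    """Return findings a monitoring job should alert on; an empty list means healthy."""
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is off")
    if parsed["cable_status"] not in (None, "Normal"):
        findings.append(f"cable status {parsed['cable_status']}")
    for which in ("this", "other"):
        host = parsed["hosts"].get(which)
        if host is None:
            findings.append(f"{which} host missing from output")
            continue
        for name, iface in host["interfaces"].items():
            # "Normal (Waiting)" is still Normal: the unit simply has not seen a hello yet.
            if not iface["status"].startswith("Normal"):
                findings.append(f"{which} host ({host['unit']}) {name}: {iface['status']}")
    states = sorted(h["state"] for h in parsed["hosts"].values())
    if states != ["Active", "Standby"]:
        findings.append(f"unexpected unit states {states}")
    return findings


if __name__ == "__main__":
    for label, sample in (("secondary off", SAMPLE_SECONDARY_OFF), ("healthy", SAMPLE_HEALTHY)):
        print(label, check_health(parse_show_failover(sample)) or "OK")
```

In practice the text fed to parse_show_failover would come from a scheduled login to the firewall; the checker deliberately does not try to interpret the stateful update statistics, only the per-interface states and the Active/Standby pairing that the section explains.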

Enabling Stateful Failover

In this example, you are using stateful failover on the 172.16.1.1-to-172.16.1.2 link. The first command shown here enables stateful failover on the interface named st_ful. At this point, you must turn on the secondary firewall; the show failover output that follows was taken after it came up:

 primaryfirewall(config)# failover link st_ful
 primaryfirewall(config)# show failover
 Failover On
 Cable status: Normal
 Reconnect timeout 0:00:00
 Poll frequency 15 seconds
      This host: primary - Active
                  Active time: 251 (sec)
                  Interface st_ful (172.16.1.1): Normal
                  Interface outside (169.254.8.1): Normal
                  Interface inside (192.168.1.1): Normal
      Other host: secondary - Standby
                  Active time: 11 (sec)
                  Interface st_ful (172.16.1.2): Normal
                  Interface outside (168.254.8.2): Normal
                  Interface inside (192.168.1.2): Normal

 Stateful Failover Logical Update Statistics
     Link : failover
     Stateful Obj    xmit     xerr     rcv      rerr
     General         1201     0        0        0
     sys cmd         1130     0        0        0
     up time         0        0        0        0
     xlate           0        0        0        0
     tcp conn        0        0        0        0
     udp conn        0        0        0        0
     ARP tbl         0        0        0        0
     RIP Tbl         0        0        0        0

     Logical Update Queue Information
                     Cur     Max     Total
     Recv Q:         0       0       0
     Xmit Q:         0       0       1201

Finishing Up

Now that the primary has been configured, the commands will be replicated to the secondary firewall when it is powered on or reloaded. The secondary displays the Sync Started message when replication begins and the Sync Completed message when it has finished. After all the changes have been made on the primary and the secondary has been synchronized, use the write memory command on both firewalls to save the configuration to flash.


With cable-based topology, the primary firewall automatically replicates the configuration and setup information to the secondary unit.


Configuring for LAN-based Failover

In the previous example, you configured a cable-based failover pair that required a special 6-foot serial cable from Cisco. For this example, you will use the newer LAN-based configuration to set up a failover system. LAN-based failover uses dedicated Ethernet interfaces that interconnect the two firewalls. This interconnect must go through a dedicated hub, a switch, or a VLAN on a switch. In this example, you will use a switch, as shown in Figure 11.5. You will also use a stateful link to interconnect the firewalls for session state replication. This connection can be a crossover cable, which is shown as a straight line in Figure 11.5. Be sure you don't cable the units together until the last step.

Figure 11.5. LAN-based stateful failover example.


The following steps, which are discussed in the following sections, are required to configure LAN-based failover:

  1. Configure the clock.

  2. Configure the primary system address.

  3. Enable failover.

  4. Configure the failover addresses.

  5. Configure the primary LAN-based connections.

  6. Enable stateful failover.

  7. Configure the standby firewall.

  8. Finish the process.

Configuring the Clock

You must first configure the clock on the primary firewall. The clock is replicated to the secondary firewall after it is enabled. Here is the command used to accomplish this:

 primaryfirewall(config)# clock set 16:00 August 31, 2003 
Configuring the Primary System Addresses

Now you have to set the system addresses on the primary firewall. Listing 11.3 shows the commands needed to configure the system settings on the primary firewall.

Listing 11.3 Primary Firewall LAN-based Commands

 primaryfirewall(config)# interface Ethernet0 100full
 primaryfirewall(config)# interface Ethernet1 100full
 primaryfirewall(config)# interface Ethernet2 100full
 primaryfirewall(config)# interface Ethernet3 100full
 primaryfirewall(config)# nameif ethernet0 outside sec0
 primaryfirewall(config)# nameif ethernet1 inside sec100
 primaryfirewall(config)# nameif ethernet2 fl_ovr sec75
 primaryfirewall(config)# nameif ethernet3 st_ful sec50
 primaryfirewall(config)# IP address outside 169.254.8.1 255.255.255.0
 primaryfirewall(config)# IP address inside 192.168.1.1 255.255.255.0
 primaryfirewall(config)# IP address fl_ovr 172.16.1.1 255.255.255.0
 primaryfirewall(config)# IP address st_ful 172.16.2.1 255.255.255.0
 primaryfirewall(config)# clear xlate

Next, you use the show ip address command to display the system and current address information, like so:

 primaryfirewall(config)# show ip address
 System IP Addresses:
      ip address outside 169.254.8.1 255.255.255.0
      ip address inside 192.168.1.1 255.255.255.0
      ip address fl_ovr 172.16.1.1 255.255.255.0
      ip address st_ful 172.16.2.1 255.255.255.0
 Current IP Addresses:
      ip address outside 169.254.8.1 255.255.255.0
      ip address inside 192.168.1.1 255.255.255.0
      ip address fl_ovr 172.16.1.1 255.255.255.0
      ip address st_ful 172.16.2.1 255.255.255.0

Enabling Failover

After the system addresses are configured, failover can be enabled using the following command:

 primaryfirewall(config)# failover active 
Configuring the Failover Addresses

Configuring the failover addresses enables you to define what the secondary address will be and what the primary will become in the event of a failover. Listing 11.4 shows a configuration example.

Listing 11.4 Configuring Primary LAN-based Failover IP Addresses

 primaryfirewall(config)# failover ip address outside 169.254.8.2
 primaryfirewall(config)# failover ip address inside 192.168.1.2
 primaryfirewall(config)# failover ip address fl_ovr 172.16.1.2
 primaryfirewall(config)# failover ip address st_ful 172.16.2.2

To verify the configuration, you can use the show failover command, as shown here:

 primaryfirewall(config)# show failover
 Failover On
 Cable status: Normal
 Reconnect timeout 0:00:00
 Poll frequency 15 seconds
      This host: primary - Active
                  Active time: 250 (sec)
                  Interface outside (169.254.8.1): Normal (Waiting)
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface fl_ovr (172.16.1.1): Normal (Waiting)
                  Interface st_ful (172.16.2.1): Normal (Waiting)
      Other host: secondary - Standby
                  Active time: 0 (sec)
                  Interface outside (168.254.8.2): Unknown (Waiting)
                  Interface inside (192.168.1.2): Unknown (Waiting)
                  Interface fl_ovr (172.16.1.2): Unknown (Waiting)
                  Interface st_ful (172.16.2.2): Unknown (Waiting)

Configuring LAN-based Connections

Because you are using a LAN-based configuration, the serial cable will not be used and you will have to tell the firewall that it is the primary unit. Listing 11.5 configures the primary firewall for LAN-based configuration.

Listing 11.5 Setting LAN-based Primary Firewall Commands

 primaryfirewall(config)# no failover
 primaryfirewall(config)# failover lan unit primary
 primaryfirewall(config)# failover lan interface fl_ovr
 primaryfirewall(config)# failover lan key dog
 primaryfirewall(config)# failover lan enable
 primaryfirewall(config)# failover active

Listing 11.5 first disables failover, then configures the unit as the primary firewall, defines fl_ovr as the failover link, sets the secret key (password) dog to be used when sending failover messages, enables LAN-based failover, and finally re-enables failover. In a later step, you will configure the secondary with the same key (password).

Enabling Stateful Failover

In this example, you are using stateful failover on the st_ful interface (172.16.2.0/24). The command shown here enables the stateful failover on this link:

 primaryfirewall(config)# failover link st_ful 
Configuring the Standby Firewall

Now that you've configured the primary, the secondary needs a basic LAN-based configuration. Be sure the secondary has no configuration before you start the next three steps.

The first thing you must do is set the interface IP address so it can receive information from the primary. Listing 11.6 configures basic settings on the Ethernet interface on the firewall.

Listing 11.6 Secondary LAN-based Basic Configuration

 secondaryfirewall(config)# interface Ethernet2 100full
 secondaryfirewall(config)# nameif ethernet2 fl_ovr sec75
 secondaryfirewall(config)# IP address fl_ovr 172.16.1.2 255.255.255.0

The second step is to configure the LAN-based settings. Listing 11.7 enables the firewall as the secondary unit. The last two commands save the configuration to flash and reload the PIX.

Listing 11.7 Secondary LAN-based Configuration

 secondaryfirewall(config)# failover IP address fl_ovr 172.16.1.2
 secondaryfirewall(config)# failover lan unit secondary
 secondaryfirewall(config)# failover lan interface fl_ovr
 secondaryfirewall(config)# failover lan key dog
 secondaryfirewall(config)# failover lan enable
 secondaryfirewall(config)# failover
 secondaryfirewall(config)# write memory
 secondaryfirewall(config)# reload

Finishing Up

Now that the primary and secondary have been configured, make sure you have saved both configurations before cabling them together. Then use the show failover command to monitor their statuses.
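Before cabling the units together, it is worth checking the two configurations against each other, because the mistakes that break LAN-based failover (a standby address in the wrong subnet, a key or interface name that differs between units, a missing failover ip address line) produce no error when typed and only show up as a pair that never synchronizes or a standby that cannot be reached. The following Python linter is an added example, not from the book or from Cisco; it parses only the commands used in Listings 11.3 through 11.7, cross-checks the primary and secondary, and returns a list of findings. The two configurations are constructed transcriptions of those listings (nameif and interface speed lines omitted), and parse_config and lint_pair are the example's own names.

```python
import ipaddress

# Constructed transcription of the primary's failover-relevant lines (Listings 11.3 to 11.5
# plus the failover link command).
PRIMARY_CONFIG = """
ip address outside 169.254.8.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address fl_ovr 172.16.1.1 255.255.255.0
ip address st_ful 172.16.2.1 255.255.255.0
failover ip address outside 169.254.8.2
failover ip address inside 192.168.1.2
failover ip address fl_ovr 172.16.1.2
failover ip address st_ful 172.16.2.2
failover lan unit primary
failover lan interface fl_ovr
failover lan key dog
failover lan enable
failover active
failover link st_ful
"""

# Constructed transcription of the secondary's lines (Listings 11.6 and 11.7).
SECONDARY_CONFIG = """
ip address fl_ovr 172.16.1.2 255.255.255.0
failover ip address fl_ovr 172.16.1.2
failover lan unit secondary
failover lan interface fl_ovr
failover lan key dog
failover lan enable
failover
"""


def parse_config(text):
    """Collect the failover-relevant commands from a PIX configuration; other lines are ignored."""
    cfg = {"ifaces": {}, "failover_ip": {}, "lan": {}, "lan_enable": False,
           "stateful_link": None, "enabled": False}
    for raw in text.splitlines():
        parts = raw.split()
        cmd = [p.lower() for p in parts]  # PIX keywords are case-insensitive ("IP address")
        if cmd[:2] == ["ip", "address"] and len(parts) == 5:
            cfg["ifaces"][parts[2]] = ipaddress.IPv4Interface(f"{parts[3]}/{parts[4]}")
        elif cmd[:3] == ["failover", "ip", "address"] and len(parts) == 5:
            cfg["failover_ip"][parts[3]] = ipaddress.IPv4Address(parts[4])
        elif cmd == ["failover", "lan", "enable"]:
            cfg["lan_enable"] = True
        elif cmd[:2] == ["failover", "lan"] and len(parts) == 4:
            cfg["lan"][cmd[2]] = parts[3]  # unit, interface or key; the key keeps its case
        elif cmd[:2] == ["failover", "link"] and len(parts) == 3:
            cfg["stateful_link"] = parts[2]
        elif cmd in (["failover"], ["failover", "active"]):
            cfg["enabled"] = True
    return cfg


def lint_pair(primary, secondary):
    """Return findings that would leave the standby unreachable or the pair unable to sync."""
    findings = []
    # Every system address needs a standby address in the same subnet, distinct from it.
    for name, iface in primary["ifaces"].items():
        standby = primary["failover_ip"].get(name)
        if standby is None:
            findings.append(f"{name}: no failover ip address configured")
        elif standby not in iface.network:
            findings.append(f"{name}: standby {standby} is outside {iface.network}")
        elif standby == iface.ip:
            findings.append(f"{name}: standby address equals the system address")
    for name in primary["failover_ip"].keys() - primary["ifaces"].keys():
        findings.append(f"{name}: failover ip address for an interface with no system address")
    if not primary["enabled"]:
        findings.append("primary: failover is not enabled")
    link = primary["stateful_link"]
    if link and link not in primary["ifaces"]:
        findings.append(f"stateful link {link} has no system address")
    # LAN-based failover: both units complete, same interface and key, one of each role.
    if primary["lan_enable"] or secondary["lan_enable"]:
        for label, cfg in (("primary", primary), ("secondary", secondary)):
            missing = [f for f in ("unit", "interface", "key") if f not in cfg["lan"]]
            if missing or not cfg["lan_enable"]:
                findings.append(f"{label}: incomplete LAN failover config, missing {missing or ['enable']}")
        if primary["lan"].get("key") != secondary["lan"].get("key"):
            findings.append("failover lan key differs between the units")
        if primary["lan"].get("interface") != secondary["lan"].get("interface"):
            findings.append("failover lan interface differs between the units")
        units = {primary["lan"].get("unit", "").lower(), secondary["lan"].get("unit", "").lower()}
        if units != {"primary", "secondary"}:
            findings.append(f"expected one primary and one secondary unit, got {sorted(units)}")
        # The secondary's own address on the failover interface must be the address the
        # primary hands out as the standby address for that interface.
        lan_if = primary["lan"].get("interface")
        sec_addr = secondary["ifaces"].get(lan_if)
        if lan_if and (sec_addr is None or sec_addr.ip != primary["failover_ip"].get(lan_if)):
            findings.append(f"{lan_if}: secondary address does not match the primary's failover address")
    return findings


if __name__ == "__main__":
    result = lint_pair(parse_config(PRIMARY_CONFIG), parse_config(SECONDARY_CONFIG))
    print(result or "configurations are consistent")
```

Run against the page's own listings the linter returns no findings; change the key on one side, or drop one failover ip address line, and it names the interface or setting at fault before the units are ever cabled.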



CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218