2025-03-29 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Failover
Overview
Failover is very similar to the HSRP covered earlier: both provide fault recovery by letting a second device take over when the first one fails.
1. Active and Standby
Device health is monitored through the LAN-FO interface (similar to a heartbeat line): a single link connects the two PIX units and is used for status monitoring, configuration replication and state transfer.
Two devices are used: one is configured as the Primary device and the other as the Secondary device (Primary and Secondary are physical concepts).
One device is elected Active (forwards traffic) and the other Standby (waits as a backup). These two states are logical concepts.
How does a device become Active?
When a firewall comes up, an election begins (based on the health status of the two devices, as follows):
If another device that is also negotiating is detected at the other end of the FO link, the Primary device becomes Active and forwards data, and the Secondary device becomes Standby as the backup.
If an Active device is already detected, the unit switches itself to the Standby state.
If no device is detected at the other end of the FO link, the unit becomes Active.
If an Active device is detected at the other end of the FO link after the unit has already become Active, the two devices renegotiate.
Note: what is the difference between Primary, Secondary, Active and Standby?
Primary and Secondary are physical concepts, which refer to the role of the physical device itself in Failover.
Active and Standby are logical concepts, which refer to the state of the device and whether it is in the state of forwarding data.
An Active device is not necessarily the Primary device; it can also be the Secondary device. The same applies to the Standby state.
2. How switching works
Normal handover
When the Active device fails, the Standby device (if it is healthy) becomes Active and forwards the data.
When the handover occurs:
The Standby device inherits the addresses (IP and MAC) of the original Active device on all interfaces;
however, the addresses on the FO interface remain unchanged.
3. Administration and management
Configuration is done only on the Active device; it is automatically replicated to the Standby device.
The Standby device can be monitored and managed in a basic way through its standby IP address.
4. Requirements for deploying a Failover appliance pair
Hardware requirements
Same hardware model
The same number and type of interfaces
The same type of SSM module
Same memory.
Software requirements
Same mode of operation
Same major and minor software version.
Licensing requirements
The licenses do not have to be identical; only the failover (FO) license is required.
5. Deployment modes
Note: this classification refers to the FO interface.
Stateless FO
This is plain hardware redundancy.
When a failover occurs, all established connections are interrupted and must be reconnected.
Stateful FO
Provides stronger redundancy: the stateful session table entries are also replicated.
On failover the connection is maintained; users do not have to reconnect.
A stateful link (in addition to the LAN-FO link) needs to be provided between the two devices.
6. Interface types
LAN-FO interface: determines the operational status of each device and replicates and synchronizes the configuration.
Stateful interface: transfers connection state information to the Standby device. It can be a dedicated interface or share a physical interface with others, including the FO interface, although sharing is not recommended; it is usually a dedicated interface.
7. Health monitoring
Unit (device) health monitoring
Each unit confirms the health of the other by monitoring the FO link.
The devices exchange Hello messages through the FO interface.
A switchover occurs when no response is received from the Active device.
Interface health monitoring
Every network interface can be monitored.
The units exchange Hello messages over the monitored interfaces.
A switchover occurs when an interface designated for monitoring on the Active device fails.
8. Deployment guidelines
When deploying the FO interface, consider the following guidelines:
A key can be used to protect FO communications.
If the stateful link and the FO link share an interface, use an available high-speed interface, and preferably do not let the stateful link share a physical interface with a normal data interface.
Tune the FO timers to achieve faster switchover.
Manually assign MAC addresses on the Active and Standby devices to prevent unexpected events that could disrupt network traffic.
On all switch ports that connect to the firewall devices, consider enabling PortFast.
Note: if the FO interface goes down, Failover can no longer perform fault recovery. The FO link is the heart of the whole Failover setup and plays an irreplaceable role.
Configuration example
1. Experimental purpose
Understand the principle, function and use of Failover
Master the difference between stateless and stateful Failover
Understand and master the types (the two states) and importance of Failover's LAN-FO interface
Master the configuration of Failover.
2. Experimental topology
As shown in the topology above: through planning and configuration, two PIX units are used to provide fault recovery, so that one device keeps working after the other fails. R1 is the Inside device and R2 is the Outside device.
3. Experimental procedure
Stateless
1. Basic configuration of the zone devices
-- R1 configuration --
R1 (config) # inter fa0/0
R1 (config-if) # ip add 192.168.1.1 255.255.255.0
R1 (config-if) # no shut
R1 (config-if) # full-duplex
R1 (config-if) # exit
R1 (config) # ip route 0.0.0.0 0.0.0.0 192.168.1.253
-- R2 configuration --
R2 (config) # inter fa0/0
R2 (config-if) # ip add 202.100.1.1 255.255.255.0
R2 (config-if) # no shut
R2 (config-if) # fu
R2 (config-if) # full-duplex
R2 (config-if) # exit
2. Primary device configuration
-- Interface initialization --
PIX1 (config) # inter e0
PIX1 (config-if) # nameif inside
PIX1 (config-if) # ip add 192.168.1.253 255.255.255.0 standby 192.168.1.254
PIX1 (config-if) # no shut
PIX1 (config-if) # exit
PIX1 (config) # inter E1
PIX1 (config-if) # nameif outside
PIX1 (config-if) # ip add 202.100.1.253 255.255.255.0 standby 202.100.1.254
PIX1 (config-if) # no shut
PIX1 (config-if) # exit
-- Configure FO --
PIX1 (config) # inter e2
PIX1 (config-if) # no shut
PIX1 (config-if) # exit
PIX1 (config) # failover lan unit primary
PIX1 (config) # failover lan interface FO e2
INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfaces
PIX1 (config) # failover lan interface FO e2
PIX1 (config) # failover key cisco
PIX1 (config) # failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2
PIX1 (config) # failover
3. Secondary device configuration
PIX2 (config) # inter e2
PIX2 (config-if) # no shut
PIX2 (config-if) # exit
PIX2 (config) # failover lan unit secondary
PIX2 (config) # failover lan interface FO e2
INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfaces
PIX2 (config) # failover lan interface FO e2
PIX2 (config) # failover key cisco
PIX2 (config) # failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2
PIX2 (config) # failover
After the configuration is complete, the two devices negotiate the Active role and synchronize the configuration:
State check detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
At this point the stateless failover is complete. Once PIX2 has synchronized PIX1's configuration, its hostname also becomes PIX1, because the entire configuration of PIX1 is copied to it.
View PIX status
-- View PIX1 status --
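As an added example (not part of the original article), the following Python check compares the failover commands entered on the two units and reports anything that would stop them from pairing. The two configurations are constructed copies of the commands above; the secondary's standby address is deliberately mistyped to show what the check reports.

```python
import re
from typing import Dict, List, Tuple

# Constructed copies of the failover commands typed on each unit. The
# secondary's standby address is mistyped on purpose (172.16.2) so that
# the checker has something to report.
PRIMARY_CFG = """
failover lan unit primary
failover lan interface FO e2
failover key cisco
failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2
"""
SECONDARY_CFG = """
failover lan unit secondary
failover lan interface FO e2
failover key cisco
failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.2
"""

_PATTERNS = {
    "unit": re.compile(r"^failover lan unit (\S+)$"),
    "lan_if": re.compile(r"^failover lan interface (\S+) (\S+)$"),
    "key": re.compile(r"^failover key (\S+)$"),
    "ip": re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$"),
}

def parse_failover(cfg: str) -> Dict[str, Tuple[str, ...]]:
    """Extract the failover settings from one unit's configuration text."""
    found: Dict[str, Tuple[str, ...]] = {}
    for line in (ln.strip() for ln in cfg.splitlines()):
        for name, pat in _PATTERNS.items():
            match = pat.match(line)
            if match:
                found[name] = match.groups()
    return found

def _valid_ipv4(addr: str) -> bool:
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def check_pair(primary_cfg: str, secondary_cfg: str) -> List[str]:
    """Return the mismatches between the two units; [] means they can pair."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    problems: List[str] = []
    roles = (p.get("unit", ("?",))[0], s.get("unit", ("?",))[0])
    if roles != ("primary", "secondary"):
        problems.append(f"unit roles must be primary/secondary, got {roles}")
    # FO interface name, shared key and failover IP pair must be identical.
    for field in ("lan_if", "key", "ip"):
        if p.get(field) != s.get(field):
            problems.append(f"'{field}' differs: {p.get(field)} vs {s.get(field)}")
    if "key" not in p:
        problems.append("no 'failover key' set; FO traffic is unauthenticated")
    for side, cfg in (("primary", p), ("secondary", s)):
        for addr in cfg["ip"][1::2] if "ip" in cfg else ():
            if not _valid_ipv4(addr):
                problems.append(f"{side}: invalid IPv4 address '{addr}'")
    return problems
```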
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 06:42:20 UTC Apr 8 2015
This host: Primary-Active
Active time: 405 (sec)
Interface inside (192.168.1.253): Normal
Interface outside (202.100.1.253): Unknown (Waiting)
Other host: Secondary-Standby Ready
Active time: 120 (sec)
Interface inside (192.168.1.254): Normal
Interface outside (202.100.1.254): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link: Unconfigured.
-- View PIX2 status --
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 06:44:35 UTC Apr 8 2015
This host: Secondary-Standby Ready
Active time: 120 (sec)
Interface inside (192.168.1.254): Normal
Interface outside (202.100.1.254): Unknown (Waiting)
Other host: Primary-Active
Active time: 480 (sec)
Interface inside (192.168.1.253): Normal
Interface outside (202.100.1.253): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link: Unconfigured.
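The 'show failover' output above is exactly what a monitoring job would scrape. As an added example (not from the original article), this Python code parses that output and turns it into alerts: failover off, stateless operation, a Failed unit or interface, or no Standby Ready unit left to cover the next failure. The sample text is constructed in the same format, modelling the state after the Active unit's inside interface has gone down.

```python
import re
from typing import List

# Constructed sample in the 'show failover' format above, modelling the
# state after the inside interface of the Active (Primary) unit went down.
SAMPLE_AFTER_FAILURE = """
Failover On
Failover unit Primary
This host: Primary-Failed
Interface inside (192.168.1.254): Failed (Waiting)
Interface outside (202.100.1.254): Normal
Other host: Secondary-Active
Interface inside (192.168.1.253): Normal (Waiting)
Interface outside (202.100.1.253): Normal
Link: Unconfigured.
"""

_HOST = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
_IFACE = re.compile(r"^Interface (\S+) \([\d.]+\):\s*(\w+)")
_LINK = re.compile(r"^Link\s*:\s*(.+)$")

def parse_show_failover(text: str) -> dict:
    """Reduce 'show failover' text to: failover on?, stateful?, per-host state."""
    hosts: dict = {}
    result = {"failover_on": False, "stateful": False, "hosts": hosts}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Failover On"):
            result["failover_on"] = True
        elif (m := _HOST.match(line)):
            current = m.group(1).lower()  # "this" or "other"
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := _IFACE.match(line)) and current:
            hosts[current]["interfaces"][m.group(1)] = m.group(2)
        elif (m := _LINK.match(line)):
            # 'Link: Unconfigured.' means no stateful link, i.e. stateless FO.
            result["stateful"] = not m.group(1).startswith("Unconfigured")
    return result

def assess(text: str) -> List[str]:
    """Alerts a monitoring job would raise for one unit's 'show failover'."""
    st = parse_show_failover(text)
    hosts = list(st["hosts"].values())
    alerts: List[str] = []
    if not st["failover_on"]:
        alerts.append("failover is off")
    if not st["stateful"]:
        alerts.append("stateless failover: established sessions drop on switchover")
    active = [h["unit"] for h in hosts if h["state"] == "Active"]
    if len(active) != 1:
        alerts.append(f"expected exactly one Active unit, found {active}")
    for h in hosts:
        if h["state"] == "Failed":
            alerts.append(f"{h['unit']} unit is Failed")
        for name, status in h["interfaces"].items():
            if status == "Failed":
                alerts.append(f"{h['unit']} interface '{name}' is Failed")
    if not any(h["state"] == "Standby Ready" for h in hosts):
        alerts.append("no Standby Ready unit: a further failure is not covered")
    return alerts
```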
Verify the stateless connection
Telnet from R1 to R2
R2 (config) # lin vty 0 4
R2 (config-line) # password gyh
R2 (config-line) # login
R2 (config-line) # exit
R1#telnet 202.100.1.1
Trying 202.100.1.1... Open
User Access Verification
Password:
R2 >
-- Shut down the fa1/1 interface of R3-SW --
R3-SW (config) # inter fa1/1
R3-SW (config-if) # shut
R3-SW (config-if) #
*Mar 1 01:20:49.651: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down
*Mar 1 01:20:50.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
-- View the telnet connection status on R1 --
R2 >
[Connection to 202.100.1.1 closed by foreign host]
-- View PIX1 status --
PIX1 (config) #
Switching to Standby
PIX1 (config) #
Switching to Active
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 08:05:36 UTC Apr 8 2015
This host: Primary-Failed
Active time: 2595 (sec)
Interface inside (192.168.1.254): Failed (Waiting)
Interface outside (202.100.1.254): Normal
Other host: Secondary-Active
Active time: 2340 (sec)
Interface inside (192.168.1.253): Normal (Waiting)
Interface outside (202.100.1.253): Normal
Stateful Failover Logical Update Statistics
Link: Unconfigured.
-- View PIX2 status --
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 08:07:57 UTC Apr 8 2015
This host: Secondary-Active
Active time: 2355 (sec)
Interface inside (192.168.1.253): Normal (Waiting)
Interface outside (202.100.1.253): Normal
Other host: Primary-Failed
Active time: 2595 (sec)
Interface inside (192.168.1.254): Failed (Waiting)
Interface outside (202.100.1.254): Normal
Stateful Failover Logical Update Statistics
Link: Unconfigured.
Stateful
This experiment builds on the stateless experiment.
Restore the normal network and turn on the fa1/1 interface of R3-SW
R3-SW (config-if) # inter fa1/1
R3-SW (config-if) # no shut
*Mar 1 01:25:17.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Manually restore PIX1 to the Active state
PIX1 (config) # failover active
Switching to Active
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 08:09:10 UTC Apr 8 2015
This host: Primary-Active
Active time: 2595 (sec)
Interface inside (192.168.1.253): Normal (Waiting)
Interface outside (202.100.1.253): Normal (Waiting)
Other host: Secondary-Standby Ready
Active time: 2475 (sec)
Interface inside (192.168.1.254): Normal (Waiting)
Interface outside (202.100.1.254): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link: Unconfigured.
Set up the LAN-FO (stateful) interface
The first case:
Set the LAN-FO interface as the stateful interface
PIX1 (config) # failover link FO e2
Telnet from R1 to R2
R1#telnet 202.100.1.1
Trying 202.100.1.1... Open
User Access Verification
Password:
R2 >
Shut down the fa1/1 interface of R3-SW
R3-SW (config-if) # inter fa1/1
R3-SW (config-if) # shut
*Mar 1 01:33:16.495: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down
*Mar 1 01:33:17.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
View the Failover status of the device
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 08:46:42 UTC Apr 8 2015
This host: Primary-Failed
Active time: 75 (sec)
Interface inside (192.168.1.254): Failed (Waiting)
Interface outside (202.100.1.254): Normal
Other host: Secondary-Active
Active time: 180 (sec)
Interface inside (192.168.1.253): Normal (Waiting)
Interface outside (202.100.1.253): Normal
Stateful Failover Logical Update Statistics
Link: FO Ethernet2 (up)
Stateful Obj    xmit    xerr    rcv     rerr
General         37      0       36      0
Sys cmd         33      0       33      0
Up time         0       0       0
RPC services    0       0       0
TCP conn        2       0       3       0
UDP conn        0       0       0
ARP tbl         2       0       0       0
Xlate_Timeout   0       0       0
IKE upd         0       0       0       0
IPSEC upd       0       0       0       0
CTCP upd        0       0       0       0
SDI upd         0       0       0       0
DHCP upd        0       0       0       0
Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       1       229
Xmit Q:         0       2       94
Press Enter on R1 to check whether the connection to R2 was interrupted (it was not):
R2 >
R2 >
R2 >
R2 >
R2 >
Note: sharing one interface between the stateful link and the FO link is not recommended, so although this method works, it is generally not used.
The second case:
Connect another link and configure it as the stateful interface (the FO link is separate from the stateful link)
PIX1 (config) # inter E3
PIX1 (config-if) # no shut
PIX1 (config) # failover link stateful E3
PIX1 (config) # failover interface ip stateful 172.16.10.10 255.255.255.0 standby 172.16.10.11
Verification
Telnet from R1 to R2
R1#telnet 202.100.1.1
Trying 202.100.1.1... Open
User Access Verification
Password:
R2 >
Shut down the fa1/1 interface of R3-SW
R3-SW (config-if) # inter fa1/1
R3-SW (config-if) # shut
*Mar 1 01:33:16.495: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down
*Mar 1 01:33:17.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
View the Failover status of the device
PIX1 (config) # show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: FO Ethernet2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2 (2), Mate 7.2 (2)
Last Failover at: 08:46:42 UTC Apr 8 2015
This host: Primary-Failed
Active time: 75 (sec)
Interface inside (192.168.1.254): Failed (Waiting)
Interface outside (202.100.1.254): Normal
Other host: Secondary-Active
Active time: 180 (sec)
Interface inside (192.168.1.253): Normal (Waiting)
Interface outside (202.100.1.253): Normal
Stateful Failover Logical Update Statistics
Link: FO Ethernet2 (up)
Stateful Obj    xmit    xerr    rcv     rerr
General         37      0       36      0
Sys cmd         33      0       33      0
Up time         0       0       0
RPC services    0       0       0
TCP conn        2       0       3       0
UDP conn        0       0       0
ARP tbl         2       0       0       0
Xlate_Timeout   0       0       0
IKE upd         0       0       0       0
IPSEC upd       0       0       0       0
CTCP upd        0       0       0       0
SDI upd         0       0       0       0
DHCP upd        0       0       0       0
Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       1       229
Xmit Q:         0       2       94
Press Enter on R1 to check whether the connection to R2 was interrupted (it was not):
R2 >
R2 >
R2 >
R2 >
R2 >