Cisco Security Appliance Failover

NOTE Before you begin the failover configuration, be sure that you connect the failover
cable to the units correctly. Also be sure that the standby unit is not powered on.

Step 1 Enable LAN-based failover:
Primary-pix (config)# failover lan enable
Step 2 Enable the Security Appliance as the designated primary unit:
Primary-pix (config)# failover lan unit primary
Step 3 Define the failover interface:
Primary-pix (config)# failover lan interface failover ethernet3
Step 4 Assign an IP address and standby IP address to the failover interface:
Primary-pix (config)# failover interface ip failover 172.16.10.1 255.255.255.240 standby 172.16.10.2
Step 5 Verify your failover configuration:
Primary-pix (config)# show failover
Step 6 Configure the secondary unit IP address from the primary unit by using
the ip address command. Add the ip address command for all
interfaces, including the one for the dedicated failover interface and any
unused interfaces:
Primary-pix (config)# interface ethernet0
Primary-pix (config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
Primary-pix (config)# interface ethernet1
Primary-pix (config-if)# ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
Step 7 Enable the failover interface:
Primary-pix (config)# interface ethernet3
Primary-pix (config-if)# no shutdown
Step 8 Save your configuration:
Primary-pix (config)# write memory
Step 9 Use the show ip address command to view the addresses you specified:
Primary-pix (config)# show ip address
System IP Addresses:
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address failover 172.16.10.1 255.255.255.240
Current IP Addresses:
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address failover 172.16.10.1 255.255.255.240
The current IP addresses are the same as the system IP addresses on the
failover active unit. When the primary unit fails, the current IP
addresses become those of the standby unit.
Step 10 Enable stateful failover:
Primary-pix (config)# failover link failover
Step 11 Power up the secondary unit. At this point, the primary unit starts
replicating the configuration to the secondary.
Step 12 Verify your failover configuration:
Primary-pix (config)# show failover
Failover On
Cable status: N/A – LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet3 (up)
Unit Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Last Failover at: 22:19:11 UTC Mon Jan 19 2005
        This host: Primary - Active
                Active time: 345 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.10.10.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.10.10.1): Normal

Stateful Failover Logical Update Statistics
        Link : fover Ethernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        6          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         106        0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     15         0          0          0
        VPN IPSEC upd   90         0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
The show failover command displays the last occurrence of a failover.
The first part of the show failover command output describes the cable
status. Each interface on the PIX Firewall unit has one of the following
values:
• Normal—The active unit is working, and the standby unit is ready.
• Waiting—Monitoring of the other unit’s network interfaces has not yet started.
• Failed—The PIX Firewall has failed.
• Shutdown—The interface is turned off.
The second part of the show failover command output describes the status of
the stateful failover configuration. Each row is for a particular stateful
object count:
• General—The sum of all stateful objects.
• Sys cmd—Refers to logical update system commands, such as login and stay alive.
• Up time—The value for PIX up time that the active PIX Firewall unit passes on to the
standby unit.
• Xlate—The PIX Firewall translation information.
• TCP conn—The PIX Firewall dynamic TCP connection information.
• UDP conn—The PIX Firewall dynamic UDP connection information.
• ARP tbl—The PIX Firewall dynamic ARP table information.
• RIF tbl—The dynamic router table information.
Each stateful object row has these columns:
— Xmit—Indicates the number of packets transmitted.
— Xerr—Indicates the number of transmit errors.
— Rcv—Indicates the number of packets received.
— Rerr—Indicates the number of receive errors.
Step 13 Enter the write memory command from the active unit to synchronize
the current configuration to the Flash memory on the standby unit.
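The show failover output above is what an operator reads by hand; a monitoring job wants the same fields as data. The following is an added example, not code from the book or from Cisco: it parses output in the Step 12 format and turns the conditions described above (an interface that is not Normal, non-zero xerr/rerr counters, no unit in Standby) into findings. The sample output is constructed from the Step 12 fields, with one standby interface left in Waiting and a receive error recorded so that the checks have something to report; which conditions count as findings is this example's own choice.

```python
"""Parse 'show failover' output and flag conditions a defender should act on.

Added example, not code from the book or from Cisco. Field names follow the
Step 12 output in the chapter; the sample is constructed, not a real capture.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the chapter's Step 12 output (not a real capture).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet3 (up)
Unit Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Last Failover at: 22:19:11 UTC Mon Jan 19 2005
        This host: Primary - Active
                Active time: 345 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.10.10.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.10.10.2): Waiting

Stateful Failover Logical Update Statistics
        Link : failover Ethernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         127        0          0          1
        sys cmd         0          0          0          0
        TCP conn        6          0          0          0
        ARP tbl         106        0          0          1
        VPN IKE upd     15         0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
"""


@dataclass
class FailoverStatus:
    enabled: bool = False
    poll_seconds: int = 0
    this_host: str = ""      # e.g. "Primary - Active"
    other_host: str = ""     # e.g. "Secondary - Standby"
    interfaces: dict = field(default_factory=dict)  # ("this"|"other", name) -> state
    stats: dict = field(default_factory=dict)       # object -> (xmit, xerr, rcv, rerr)


def parse_show_failover(text):
    """Walk the output line by line, tracking which host block and section we are in."""
    status, host, in_stats = FailoverStatus(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Failover On"):
            status.enabled = True
        elif line.startswith("Unit Poll frequency"):
            status.poll_seconds = int(re.search(r"(\d+) seconds", line).group(1))
        elif line.startswith("This host:"):
            host, status.this_host = "this", line.split(":", 1)[1].strip()
        elif line.startswith("Other host:"):
            host, status.other_host = "other", line.split(":", 1)[1].strip()
        elif host and line.startswith("Interface "):
            m = re.match(r"Interface (\S+) \([^)]*\): (\w+)", line)
            if m:
                status.interfaces[(host, m.group(1))] = m.group(2)
        elif line.startswith("Stateful Obj"):
            in_stats = True   # header row of the per-object counters
        elif line.startswith("Logical Update Queue"):
            in_stats = False
        elif in_stats:
            m = re.match(r"(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", line)
            if m:
                status.stats[m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return status


def health_findings(status):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if not status.enabled:
        findings.append("failover is off")
    roles = (status.this_host, status.other_host)
    if not any("Active" in r for r in roles):
        findings.append("no unit reports Active")
    if not any("Standby" in r for r in roles):
        findings.append("no unit reports Standby (both active or peer lost)")
    for (host, name), state in sorted(status.interfaces.items()):
        if state != "Normal":   # Waiting, Failed or Shutdown, per the list above
            findings.append(f"{host} host interface {name} is {state}")
    for obj, (_xmit, xerr, _rcv, rerr) in status.stats.items():
        if xerr or rerr:
            findings.append(f"stateful object {obj}: xerr={xerr} rerr={rerr}")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("WARN", finding)
```

Fed the constructed sample, the script reports the Waiting interface on the other host and the receive errors on the General and ARP tbl rows; the "no unit reports Standby" rule is the one that catches the both-active condition the LAN-based failover section warns about when all connectivity between the units is lost.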

Figure 12-3 Network Diagram of Failover Configuration
Configuring failover involves defining your configuration on the primary Security Appliance
or virtual context. This configuration is then replicated to the standby Security Appliance or
Example 12-3 Sample Configuration for primary-PIX
hostname primary-PIX
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 2
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface Ethernet2
 description LAN/STATE failover
 shutdown
failover lan unit primary
failover lan interface failover Ethernet4
failover lan enable
failover link failover Ethernet4
failover interface ip failover 172.16.10.1 255.255.255.0 standby 172.16.10.2
global (outside) 1 192.168.1.15-192.168.1.40 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
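The procedure above (Steps 1 through 13) and the command table give a short list of things a failover configuration must get right before the standby unit is powered on. The following is an added example, not code from the book or from Cisco, that checks a configuration in the Example 12-3 format against those requirements: Step 6 (an ip address with a standby address on every interface, unused ones included), Steps 3 and 7 (the interface named by failover lan interface exists and is not shut down), Step 4 together with the Table 12-4 note that the standby address shares the system address's subnet, and the failover lan key entry of Table 12-4. Run on the interface and failover lines of Example 12-3 as printed, it reports three findings: Ethernet2 carries no address, the interface named by failover lan interface (Ethernet4) has no interface block, and no shared key is set. The second configuration is a constructed variant that passes; its key value is a placeholder.

```python
"""Lint a PIX/ASA failover configuration against the chapter's requirements.

Added example, not code from the book or from Cisco. Interface sub-commands
are recognised by keyword rather than indentation, so the unindented listing
in the book parses the same way as a running-config.
"""
import ipaddress
import re

# Interface and failover lines of Example 12-3 from the chapter.
EXAMPLE_12_3 = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet1
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface Ethernet2
 description LAN/STATE failover
 shutdown
failover lan unit primary
failover lan interface failover Ethernet4
failover lan enable
failover link failover Ethernet4
failover interface ip failover 172.16.10.1 255.255.255.0 standby 172.16.10.2
"""

# Constructed variant that passes every check: Ethernet2 is the LAN failover
# interface, it is enabled, and a shared key is set (the key is a placeholder).
CORRECTED_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet1
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface Ethernet2
 no shutdown
failover lan unit primary
failover lan interface failover Ethernet2
failover lan key PLACEHOLDER-SHARED-SECRET
failover lan enable
failover link failover Ethernet2
failover interface ip failover 172.16.10.1 255.255.255.240 standby 172.16.10.2
"""

INTERFACE_SUBCOMMANDS = ("speed ", "duplex ", "nameif ", "security-level ",
                         "ip address ", "description ", "shutdown", "no shutdown")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")
FO_LAN_IF_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+)(?: standby (\S+))?$")


def parse_config(text):
    """Return interface blocks keyed by name plus the top-level 'failover ...' lines."""
    interfaces, failover_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"shutdown": False, "ip": None}
        elif current and line.startswith(INTERFACE_SUBCOMMANDS):
            if line == "shutdown":
                interfaces[current]["shutdown"] = True
            m = IP_ADDR_RE.match(line)
            if m:
                interfaces[current]["ip"] = m.groups()   # (addr, mask, standby or None)
        else:
            current = None          # any other top-level command ends the block
            if line.startswith("failover"):
                failover_lines.append(line)
    return interfaces, failover_lines


def first_match(regex, lines):
    return next((m for m in map(regex.match, lines) if m), None)


def standby_in_subnet(addr, mask, standby):
    # Table 12-4 note: the standby address lives in the system address's subnet.
    return ipaddress.ip_address(standby) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint_failover_config(text):
    """Return a list of findings; an empty list means every check passed."""
    interfaces, failover_lines = parse_config(text)
    lan = first_match(FO_LAN_IF_RE, failover_lines)
    lan_if = lan.group(2) if lan else None
    findings = []
    for name, info in interfaces.items():
        if name == lan_if:
            continue                # addressed by 'failover interface ip' instead
        if info["ip"] is None:
            findings.append(f"interface {name}: no ip address (Step 6 wants one on every interface)")
        elif info["ip"][2] is None or not standby_in_subnet(*info["ip"]):
            findings.append(f"interface {name}: standby address missing or outside its subnet")
    if lan_if is None:
        findings.append("no 'failover lan interface' configured")
    elif lan_if not in interfaces:
        findings.append(f"failover lan interface {lan_if} has no interface block")
    elif interfaces[lan_if]["shutdown"]:
        findings.append(f"failover lan interface {lan_if} is shut down")
    fo_ip = first_match(FO_IP_RE, failover_lines)
    if fo_ip is None:
        findings.append("no 'failover interface ip' configured")
    elif fo_ip.group(4) is None or not standby_in_subnet(*fo_ip.groups()[1:]):
        findings.append("failover interface standby address missing or outside its subnet")
    if not any(l.startswith("failover lan key ") for l in failover_lines):
        findings.append("no shared secret configured (failover lan key)")
    return findings
```

The same checks apply to a running-config pulled from a live unit, since sub-commands are matched by keyword; the interface named by failover lan interface is deliberately exempt from the per-interface address rule because its address comes from failover interface ip (Step 4), not from an ip address line in the interface block.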

Table 12-4 Security Appliance Failover Commands

failover
    Enables the failover function on the PIX Firewall. Use this command after you connect
    the failover cable between the primary and secondary unit. Use the no failover command
    to disable the failover feature.
failover active
    Makes the Security Appliance unit it is issued on the active unit. This command is
    usually used to make the primary unit active again after repairs have been made to it.
ip address ip-address [mask] [standby ip_address]
    Issued on the primary unit to configure the standby unit’s IP address. This is the IP
    address that the standby interface uses to communicate with the active unit. Therefore,
    it has the same subnet as the system address.* The first ip-address is the interface
    name’s IP address. The second ip_address parameter is the standby unit’s IP address.
failover link stateful-if-name
    Enables stateful failover on the specified interface.
show failover
    This popular command displays the status of the failover configuration.
failover poll seconds
    Specifies how long failover waits before sending special hello packets between the
    primary and secondary units. The default is 15 seconds. The minimum is 3 seconds, and
    the maximum is 15 seconds.
failover reset
    Can be entered from either unit (active or standby), preferably the active unit. This
    forces the units back to an unfailed state and is used after repairs have been made.
write standby
    Enter the write standby command from the active unit to synchronize the current
    configuration from RAM-to-RAM memory to the standby unit.
failover lan interface interface-name
    Configures LAN-based failover.
failover lan unit primary | secondary
    Specifies the primary or secondary Security Appliance to use for LAN-based failover.
failover lan enable
    Enables LAN-based failover.
failover lan key key-secret
    Specifies the shared secret key.
failover replicate http
    Allows the stateful replication of HTTP sessions in a stateful failover environment.

* The system address is the same address as the active unit IP address. When the active unit
fails, the standby assumes the system address so that there is no need for the network devices
to be reconfigured for a different firewall address.

Figure 12-3 shows two PIX Firewall units in a failover configuration. Example 12-3 shows
a sample configuration for a PIX Firewall failover configuration.

Table 12-3 Failover Sub-Command Mode Commands

primary
    Gives higher priority to the primary unit.
secondary
    Gives higher priority to the secondary unit.
polltime interface
    Specifies the interface polling time.
preempt
    Allows preemption of lower-priority active units.
replication http
    Enables HTTP session replication for the failover group.
mac address
    Assigns a virtual MAC address to a physical interface.
show failover
    This popular command displays the status of the failover configuration.

After you have created failover groups on a Security Appliance, you must assign virtual
contexts to each group. Using the join-failover-group command within the virtual context
subcommand mode, you can join context 1 to failover group 1, as shown in Example 12-2.

Example 12-2 Assigning a Context to a Failover Group
primary-pix (config)# context ctx1
primary-pix (config-ctx)# join-failover-group 1

NOTE All context changes in active-active mode must be done on the active context of
the failover group only.

Configuring Failover
To configure failover, you need to become familiar with a few key commands. Table 12-4
shows the commands used to configure and verify failover.


Example 12-1 Assigning Failover Groups and Priorities
primary-pix (config)# failover group 1
primary-pix (config-fover-group)# primary
primary-pix (config)# failover group 2
primary-pix (config-fover-group)# secondary

Table 12-3 shows the commands used to configure a failover group in failover subcommand
mode.

Active-Active Failover Group Assignment
To configure a failover group, use the following command:
failover group nn
The security administrator must be in multiple-context mode system configuration, with
failover disabled, to access this command. When this command is used, you will be placed
in a failover group subcommand mode, similar to an interface command. With two failover
groups, one must be assigned a higher priority, as shown in Example 12-1. This should be
assigned to the active context on the Security Appliance.

Active-Active Failover Setup
Active-active failover is done at a context basis, compared to active-standby in which failover
is handled on a unit basis. Each Security Appliance monitors any failover peers for failure.
With active-active failover logic, a failure can be unit based or virtual context-based. If a
Security Appliance detects a failure state in a peer, the Security Appliance will gradually
transition the standby context to active. The Security Appliance will then have two active
contexts passing traffic. Failover groups must be active, and the contexts participating in
active-active failover must be grouped together to function properly.
Failover Group
Failover groups are designed to combine one or more contexts into a failover group. A
security appliance uses failover groups to manage virtual contexts as explained in Chapter 9,
“Security Contexts.” A Security Appliance can only support up to two failover groups. Each
failover group in a Security Appliance contains a separate state machine that keeps track of
the failover state of that group’s contexts.
In Figure 12-2, Context 1 on the primary and secondary Security Appliances are grouped
together into failover Group 1. Context 2 of each Security Appliance is grouped into failover
Group 2.
NOTE Serial cable-based failover can support active-active failover mode.

Active-Active Failover
Prior to version 7.0, a security administrator could only have one Security Appliance actively
passing user traffic, while keeping a second Security Appliance in standby mode, only to be
activated during a failure. With active-active failover, both Security Appliances are active and
passing user traffic, while still acting as standby Security Appliances for each other. This
feature can only be used in conjunction with virtual firewall contexts.
To enable active-active failover, create two virtual contexts in the primary and secondary
Security Appliances participating in active-active failover. In the primary Security Appliance,
virtual context 1 is designated as the active context. Virtual context 2 will be designated as
the standby context. Each context will peer with a context on the secondary Security
Appliance. In Figure 12-1, context 1 on the primary Security Appliance peers with context 2
on the secondary Security Appliance. Context 2 on the secondary Security Appliance is
designated as a standby context for the primary Security Appliance’s context 1.

LAN-Based Failover
The distance restriction of 6 feet of serial cable between two PIX Firewall devices in a failover
configuration is no longer a limitation starting with Security Appliance software version 6.2.
LAN-based failover is a feature (available only on Security Appliance software version 6.2
or higher) that extends Security Appliance failover functionality to operate through a
dedicated LAN interface without the serial failover cable. This feature provides a choice of
failover configuration on the Security Appliance.
NOTE Cisco does not recommend using a crossover cable for stateful failover. Using a
crossover cable might cause a Security Appliance to incorrectly determine if a failover
event has occurred.
The obvious benefit of LAN-based failover is that it removes the 6-foot distance limitation
from the Security Appliance devices in a failover configuration. If the LAN-based failover
command interface link goes down, the Security Appliance notifies the peer through “other”
interfaces, and then the standby unit takes over. If all connectivity between the two Security
Appliance units is lost, both Security Appliances could become active. Therefore, it is best to
use a separate switch for the LAN-based failover command interface, so that a failed switch
will not cause all connectivity to be lost between the two Security Appliance units.
The weakness of LAN-based failover is the delayed detection of its peer’s power loss,
consequently causing a relatively longer period for failover to occur.
The standby unit in a Security Appliance failover pair can be configured to use a virtual MAC
address. This eliminates potential “stale” ARP entry issues for devices connected to the
Security Appliance failover pair in the unlikely event that both firewalls in a failover pair fail
at the same time.

However, some state information does not get updated to the standby unit in a stateful
failover:
■ User authentication (uauth) table
■ ISAKMP and the IPSec SA table
■ ARP table
■ Routing information
Most UDP state tables are not transferred, with the exception of dynamically opened ports
that correspond to multichannel protocols such as H.323.
In addition to the failover cable, stateful failover setup requires a 100-Mbps or Gigabit
Ethernet interface to be used exclusively for passing state information between the active and
standby units. IP protocol 105 is used to pass data over this interface.
The stateful failover interface can be connected to any of the following:
■ Category 5 crossover cable directly connecting the primary unit to the secondary unit
■ 100BASE-TX full duplex on a dedicated switch or a switch’s dedicated VLAN
■ 1000BASE-SX full duplex on a switch’s dedicated VLAN
A Cisco Security Appliance with two FDDI cards cannot use stateful failover because an
additional Ethernet interface with FDDI is not supported in stateful failover.

Stateful Failover
In stateful failover mode, the active unit shares more information with the standby unit
about the connections that have been established through it. The active unit shares
per-connection state information with the standby unit. If and when the active unit fails over
to the standby unit, an application does not need to reinitiate its connection, because the
stateful information from the active unit has already updated the standby unit.
Replicated state information includes the following:
■ TCP connection table, including timeout information for each connection
■ Translation (xlate) table and status
■ Negotiated H.323 UDP ports, SIP, and MGCP UDP media connections
■ Port allocation table bitmap for PAT
■ HTTP replication
Because failover cannot be prescheduled, the state update for a connection is packet-based.
This means that every packet that passes through the Security Appliance and changes a
connection’s state triggers a state update.

Configuration Replication
Configuration changes, including initial failover configurations to the Cisco Security
Appliance, are done on the primary unit. The standby unit keeps the current configuration
through the process of configuration replication. For configuration replication to occur, the
two Security Appliance units should be running the same software release. Configuration
replication usually occurs when
■ The standby unit completes its initial bootup and the active unit replicates its entire
configuration to the standby unit.
■ Configurations are made (commands) on the active unit and the commands/changes are
sent across the failover cable to the standby unit.
■ Issuing the write standby command on the active unit forces the entire configuration in
memory to be sent to the standby unit.
When the replication starts, the Security Appliance console displays the message Sync
Started. When the replication is complete, the Security Appliance console displays the
message Sync Completed. During the replication, information cannot be entered on the
Security Appliance console.
The write memory command is important, especially when failover is being configured for
the first time. During the configuration replication process, the configuration is replicated
from the active unit’s running configuration to the running configuration of the standby unit.
Because the running configuration is saved in RAM (which is unstable), you should issue the
write memory command on the primary unit to save the configuration to Flash memory.
In addition to configuration replication, operating system (OS) upgrades are required from
time to time as maintenance releases are deployed by Cisco. Beginning with software version
7.0(1), the zero-downtime software upgrade feature has been added to give an administrator
the ability to perform software upgrades of failover pairs without impacting network uptime
or connections flowing through the units. Security Appliances have the ability to do
inter-version state sharing between the units of a failover pair, as long as both units use
software version 7.0 or later. Inter-version state sharing makes it possible for an administrator
to perform software upgrades to new maintenance releases without impacting the traffic flow
over either Security Appliance.

When failover tests an interface, it runs the following tests in order, stopping as soon as
one of them shows the interface to be operational:
■ Link up/down test—If an interface card has a bad network cable or a bad port, is
administratively shut down, or is connected to a failed switch, it is considered failed.
■ Network activity test—The unit counts all received packets for up to 5 seconds. If any
packets are received at any time during this interval, the interface is considered
operational and testing stops. If no traffic is received, the ARP test begins.
■ Address Resolution Protocol (ARP) test—The unit’s ARP cache is evaluated for the ten
most recently acquired entries. One at a time, the Security Appliance sends ARP requests
to these machines, attempting to stimulate network traffic. After each request, the unit
counts all received traffic for up to 5 seconds. If traffic is received, the interface is
considered operational. If no traffic is received, an ARP request is sent to the next
machine. If, at the end of the list, no traffic has been received, the ping test begins.
■ Ping test—A broadcast ping request is sent out on all interfaces. The unit then counts all
received echo-reply packets for up to 5 seconds. If any packets are received at any time
during this interval on an interface, the interface is considered operational and testing
stops. If no traffic is received, failover takes place.

Failover Monitoring
The failover feature in the Cisco Security Appliance monitors failover communication, the
power status of the other unit, and hello packets received at each interface. If two consecutive
hello packets are not received within an amount of time determined by the failover feature,
failover starts testing the interfaces to determine which unit has failed and transfers active
control to the standby unit. At this point, the “active” LED on the front of the standby
Security Appliance lights up and the “active” LED on the failed Security Appliance unit dims.
NOTE The ASA 55x0 Security Appliance family of firewalls does not support the serial
cable for failover.
NOTE The failover poll seconds command enables you to determine how long failover
waits before sending special failover hello packets between the primary and standby units
over all network interfaces and the failover cable. The default is 15 seconds. The minimum
value is 3 seconds, and the maximum is 15 seconds.

Port Fast
Many Cisco switches provide a Port Fast option for switch ports. Configuring this option on
a switch port enables a simplified version of the Spanning Tree Protocol that eliminates
several of the normal spanning-tree states. The preforwarding states are bypassed to more
quickly transition ports into the forwarding states. Port Fast is an option that you can enable
on a per-port basis. It is recommended only for end-station attachments.

NOTE With Security Appliance software version 7.0, serial cable failover supports
message encryption.
It is also important to examine the labels on each end of the failover cable. One end of the
cable is labeled “primary,” and the other end is labeled “secondary.” To have a successful
failover configuration, the end labeled “primary” should be connected to the primary unit,
and the end labeled “secondary” should be connected to the secondary unit. Changes made
to the standby unit are never replicated to the active unit.
In addition to the hardware and software requirements, it is also important to correctly
configure the switches where the Security Appliances directly connect. Port Fast should be
enabled on all the ports where the Security Appliance interface directly connects, and
trunking and channeling should be turned off. This way, if the Security Appliance’s interface
goes down during failover, the switch does not have to wait 30 seconds while the port is
transitioned from a listening state to a learning state to a forwarding state.

What Is Required for a Failover Configuration?
The hardware and software for the primary and secondary Security Appliance must match
in the following respects for failover configuration to work properly:
■ Firewall model
■ Software version (which should be the version with unrestricted [UR] licensing)
■ Flash memory size
■ RAM size
■ Activation key
■ Number and type of interfaces
The only additional hardware that is needed to support failover is the failover cable. Both
units in a failover pair communicate through the failover cable. The failover cable is a
modified RS-232 serial link cable that transfers data at 115 kbps. It is through this cable that
the two units maintain the heartbeat network. This cable is not required for LAN-based
failover. Some of the messages communicated over failover cable are
■ Hello (keepalive packets)
■ Configuration replication
■ Network link status
■ State of the unit (active/standby)
■ MAC address exchange
NOTE Failover for 501 and 506E models is not supported.
NOTE With Security Appliance software version 7.0, the requirement for the same
software versions on both the primary and secondary Security Appliances has been
relaxed. Different maintenance levels are permitted for the purpose of hit-less updates.

Table 12-2 Possible Failover Event Situations

Failure Condition / Reasons That Standby Becomes Active

No failure
    Failover active—An administrator can force the standby unit to change state by using
    the failover active command, which causes failover to occur. This is the only situation
    in which failover occurs without the primary (active) unit having any problems. A no
    failover active command will return the active unit back to the standby unit.
Power loss or reload
    Cable errors—The cable is wired so that each unit can distinguish between a power
    failure in the other unit and an unplugged cable. If the standby unit detects that the
    active unit is turned off (or resets), it takes active control.
    Loss of power—When the primary (active) unit loses power or is turned off, the standby
    unit assumes the active role.
PIX Firewall hardware failure
    Memory exhaustion—If block memory exhaustion occurs for 15 straight seconds on the
    active unit, the standby unit becomes the active unit.
Network failure
    Failover communication loss—If the standby unit does not hear from the active unit for
    more than twice the configured poll time (or a maximum of 30 seconds), and the cable
    status is OK, a series of tests is conducted before the standby unit takes over as active.

What Causes a Failover Event?
In a Security Appliance failover configuration, one of the Security Appliances is considered
the active unit, and the other is the standby unit. As their names imply, the active unit
performs normal network functions and the standby unit monitors and is ready to take
control should the active unit fail to perform its functionality. A failover event occurs after a
series of tests determines that the primary (active) unit can no longer continue providing its
services, at which time the standby Security Appliance assumes the role of the primary. The
main causes of failover are shown in Table 12-2.
NOTE If multiple contexts are enabled on a Security Appliance, the Security Appliance
can act as a standby unit for another Security Appliance while acting as an active unit for
traffic flowing through it.

Cisco Security Appliance Failover
Today, most businesses rely heavily on critical application servers that support the
business process. The interruption of these servers due to network device failures or other
causes has a great financial cost, not to mention the irritation such an interruption causes
in the user community. With this in mind, Cisco has designed most of its devices,
including the Security Appliance products (models 515 and up), such that they can be
configured in a redundant or highly available configuration.
The failover feature makes the Cisco Security Appliance a highly available firewall
solution. The purpose of this feature is to ensure continuity of service in case of a failure
on the primary unit.
The failover process requires two Security Appliances—one primary (active mode) and
one secondary (active or standby mode). The idea is to have the primary Security
Appliance handle all traffic from the network and to have the secondary Security
Appliance wait in standby mode in case the primary fails, at which point it takes over
the process of handling all network traffic. With version 7.0 of the Security Appliance
software, the second Security Appliance can stay in an active mode, allowing both
appliances to act as separate firewalls while serving as a failover for each other. If a
primary (active) unit fails, the secondary Security Appliance changes its state from
standby mode to active (unless the appliance is in active-active mode), assumes the IP
address and MAC address of the previously active unit, and begins accepting traffic for
it. The new standby unit assumes the IP address and MAC address of the unit that was
previously the standby unit, thus completing the failover process.

The “Foundation Summary” provides a convenient review of many key concepts in this
chapter. If you are already comfortable with the topics in this chapter, this summary can help
you recall a few details. If you just read this chapter, this review should help solidify some
key facts. If you are doing your final preparation before the exam, this summary provides a
convenient way to review the day before the exam.
The Security Appliance needs to support some basic routing and switching functionality. This
functionality falls into the following three areas:
■ Ethernet VLAN tagging
■ IP routing
■ Multicast routing
To support traffic from multiple VLANs, the Security Appliance supports 802.1Q tagging
and the configuration of multiple logical interfaces on a single physical interface. For each
logical interface that you establish, you must configure the following parameters:
■ Interface name
■ Security level
■ IP address
For IP routing, the Security Appliance supports both static and dynamic routes. Using the
route command, you can configure static routing information on the Security Appliance. The
Security Appliance also supports dynamic updates from the following two routing protocols:
■ RIP
■ OSPF
With RIP, the Security Appliance can only receive RIP routing updates. It does not support
the capability to propagate those updates to other devices. It can, however, advertise one of
its interfaces as a default route.
Using OSPF, the Security Appliance can actually propagate route information and actively
participate in the OSPF routing protocol. Some of the OSPF functionality supported by the
Security Appliance includes the following:
■ Support for intra-area, interarea, and external routes
■ Support for virtual links


■ Authentication for OSPF packets
■ The capability to configure the Security Appliance as a DR, ABR, and limited ASBR
■ ABR Type 3 LSA filtering
■ Route redistribution
Configuring OSPF on your Security Appliance requires you to perform the following steps:
Step 1 Enable OSPF.
Step 2 Define the Security Appliance interfaces that need to run OSPF.
Step 3 Define OSPF areas.
Step 4 Configure LSA filtering to protect private addresses.
You enable OSPF using the router ospf command. The network command enables you to
define which IP addresses fall into which areas, and therefore which interfaces run OSPF. The
prefix-list and area commands enable you to filter Type 3 LSAs to prevent the Security
Appliance from advertising information about private networks. If you configure your Security
Appliance as an ASBR, using multiple OSPF processes enables you to perform address
filtering between them.
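The following walk-through of the four OSPF steps, added here as an example rather than taken from the original text, uses the inside (10.10.10.0/24, ethernet1) and outside (192.168.1.0/24, ethernet0) addresses that appear elsewhere on the page. The process ID 1, the area numbers, the prefix list name NOPRIVATE, and the MD5 key are assumed values for this example.

```cisco
! Step 1: enable OSPF process 1 (the process ID is local to this appliance)
pix515a(config)# router ospf 1
! Steps 2 and 3: inside joins area 0, outside joins area 1; the network statements
! select the interfaces whose addresses fall in these ranges
pix515a(config-router)# network 10.10.10.0 255.255.255.0 area 0
pix515a(config-router)# network 192.168.1.0 255.255.255.0 area 1
! Require MD5 authentication on all area 1 (outside-facing) adjacencies so a rogue
! neighbor cannot inject routes
pix515a(config-router)# area 1 authentication message-digest
pix515a(config-router)# exit
! Step 4: prefix list that denies the private inside prefix and permits everything else
pix515a(config)# prefix-list NOPRIVATE seq 10 deny 10.10.10.0/24
pix515a(config)# prefix-list NOPRIVATE seq 20 permit 0.0.0.0/0 le 32
! Apply it to the Type 3 summary LSAs entering area 1, so the inside prefix is never
! advertised toward the outside routers
pix515a(config)# router ospf 1
pix515a(config-router)# area 1 filter-list prefix NOPRIVATE in
pix515a(config-router)# exit
! Interface-level key for the area 1 authentication configured above (assumed key)
pix515a(config)# interface ethernet0
pix515a(config-if)# ospf message-digest-key 1 md5 ExampleKey1
pix515a(config-if)# ospf authentication message-digest
pix515a(config-if)# exit
! Verify: adjacencies must be FULL, and 10.10.10.0/24 must not appear as a summary
! LSA in the area 1 database
pix515a(config)# show ospf neighbor
pix515a(config)# show ospf database
```

The filter applies only to Type 3 LSAs, so if the inside prefix were redistributed as an external (Type 5) route it would still leak; keep redistribution off, or apply a route map to it, when the goal is to hide private address space.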
Finally, you can configure the Security Appliance to operate as a Stub Multicast Router
(SMR). This enables you to support various applications such as remote learning and video
conferencing. The multicast transmission source can be either inside or outside the Security
Appliance. Some of the important multicast configuration commands include the following:
■ multicast interface
■ igmp forward
■ igmp join-group
■ igmp access-group
■ igmp version
■ igmp query-interval
■ igmp query-max-response-time

Commands to Debug Multicast Traffic

After you configure IP multicasting on your Security Appliance, you may need to debug
multicast traffic to identify configuration problems. Two commands are useful for debugging
multicast traffic:
■ debug igmp—Enables debugging for IGMP events
■ debug mfwd—Enables debugging for multicast forwarding events
NOTE To disable either of these debugging commands, simply place a no in front of the
command (for instance, no debug igmp).

Commands to View the Multicast Configuration

You can use the following commands to view your multicast configuration:
■ show multicast
■ show igmp
■ show mroute
The show multicast command displays the multicast settings for either a specific interface or
all the interfaces. The syntax for this command is as follows:
show multicast [interface interface-name]
If you do not specify an interface, then the information for all the Security Appliance
interfaces is displayed.
The show igmp command displays information about either a specific IGMP group or all the
IGMP groups for a specific interface. The syntax for this command is as follows:
show igmp [group | interface interface-name] [detail]
The final command that you can use to view your multicast configuration is show mroute,
which displays the current multicast routes. Its syntax is as follows:
show mroute [destination [source]]

Debugging Multicast

Not only can you configure IP multicasting, you can also debug the operation of your IP
multicasting configuration. The commands that you use to do so fall into the following two
categories:
■ Commands to view the multicast configuration
■ Commands to debug multicast traffic

Outbound Multicast Configuration

When the multicast transmission source is on the protected or secure interface of a Security
Appliance, you must specifically configure the Security Appliance to forward the multicast
transmissions. The following configuration steps enable this multicast configuration:
Step 1 Use the multicast interface command to enable multicast forwarding on
each Security Appliance interface.
Step 2 Use the mroute command to create a static route from the multicast
transmission source to the next-hop router interface.
[Figure (not reproduced): Multicast Router on the Protected Network, Multicast Traffic Flow]
296 Chapter 11: Routing and the Cisco Security Appliance
Suppose that your multicast router is located at 10.10.10.100 and broadcasting to the
multicast group 230.0.1.100. To get the Security Appliance to forward multicast
transmissions from this multicast router to the outside interface, you would use the following
commands:
pix515a(config)# multicast interface outside
pix515a(config-multicast)# exit
pix515a(config)# multicast interface inside
pix515a(config-multicast)# mroute 10.10.10.100 255.255.255.255 inside 230.0.1.100 255.255.255.255 outside
pix515a(config-multicast)# exit
pix515a(config)#

Outbound Multicast Traffic

Allowing outbound multicast traffic involves the configuration shown in Figure 11-4. In this
configuration, the multicast transmission source is located inside the Security Appliance and
the hosts that want to receive multicast traffic are not protected by the Security Appliance.


Step 4 (Optional) Define an access list to define which Class D addresses
(multicast addresses) are allowed to traverse the Security Appliance.
Then, use the igmp access-group command to apply the access list to a
specific interface.
Assume that you want to allow protected hosts to join the multicast group 224.0.1.100 from
a multicast router that is located outside the protected network. To accomplish this, you
would use the following commands:
pix515a(config)# access-list 120 permit udp any host 224.0.1.100
pix515a(config)# multicast interface outside
pix515a(config-multicast)# igmp access-group 120
pix515a(config-multicast)# exit
pix515a(config)# multicast interface inside
pix515a(config-multicast)# igmp forward interface outside
pix515a(config-multicast)# exit

Inbound Multicast Configuration

Because the hosts that need to receive the multicast traffic are separated from the multicast
router by your Security Appliance, you need to configure the Security Appliance to forward
IGMP reports from the hosts protected by the firewall to the multicast router. You also need
to forward multicast transmissions from the multicast router. The following configuration
steps enable this multicast configuration:
Step 1 Use the multicast interface command to enable multicast processing on a
specific interface and place the interface in multicast promiscuous
mode. This also places the command line in multicast subcommand
mode, designated by the (config-multicast)# prompt.
Step 2 Use the igmp forward command to enable IGMP forwarding on the
interfaces connected to hosts that will receive multicast transmissions.
This also enables the interface to forward all IGMP Host Report and
Leave messages.
Step 3 (Optional) If your network contains clients that cannot respond to
IGMP messages but still require the reception of multicast traffic, you
use the igmp join-group command to statically join the Security
Appliance to the specific multicast group.

Inbound Multicast Traffic

Allowing inbound multicast traffic involves the configuration shown in Figure 11-3. In this
configuration, the multicast router is located outside the Security Appliance and the hosts
that want to receive multicast traffic are being protected by the Security Appliance.

igmp query-max-response-time Command

When using IGMP version 2, you can specify the maximum query response time, in seconds,
using the igmp query-max-response-time seconds command. The default value is 10, but you
can configure a value in the range from 1 to 65,535.
NOTE To set the maximum query response time back to the default value, you use the
no igmp query-max-response-time command.
Table 11-15 pim rp-address Command Parameters
Parameter   Description
ip-address  IP address of the router to be used as the PIM rendezvous point (RP)
acl         (Optional) The name or number of a standard IP access list that defines the
            multicast groups for which this RP is used
bidir       (Optional) Indicates that the specified multicast groups operate in
            bidirectional PIM mode instead of PIM sparse mode

Failover Group

A failover group combines one or more security contexts into a unit that fails over together. A
Security Appliance uses failover groups to manage the virtual contexts described in Chapter 9,
“Security Contexts,” in an active/active configuration. A Security Appliance supports at most
two failover groups. Each failover group has its own state machine that tracks the failover state
of the contexts in that group, so one group can be active on the primary unit while the other
is active on the secondary unit.
In Figure 12-2, Context 1 on the primary and secondary Security Appliances are grouped
together into failover Group 1. Context 2 of each Security Appliance is grouped into failover
Group 2.
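The configuration below, added as an example and not part of the original text, builds the arrangement of Figure 12-2 and the active/active behaviour described at the start of the chapter: two failover groups, each preferred on a different unit, with one context in each. It is entered in the system execution space of a unit already running in multiple-context mode with LAN-based failover configured (as in the earlier steps); the context names ctx1 and ctx2 are assumed, and their interface allocation and config-url settings are omitted.

```cisco
! Group 1 normally runs on the primary unit; preempt lets it return there after a recovery
pix515a(config)# failover group 1
pix515a(config-fover-group)# primary
pix515a(config-fover-group)# preempt
pix515a(config-fover-group)# exit
! Group 2 normally runs on the secondary unit, so both appliances carry traffic
pix515a(config)# failover group 2
pix515a(config-fover-group)# secondary
pix515a(config-fover-group)# preempt
pix515a(config-fover-group)# exit
! Assign each context to a group; contexts with no explicit assignment belong to group 1,
! as does the admin context
pix515a(config)# context ctx1
pix515a(config-ctx)# join-failover-group 1
pix515a(config-ctx)# exit
pix515a(config)# context ctx2
pix515a(config-ctx)# join-failover-group 2
pix515a(config-ctx)# exit
! Verify which unit is currently active for each group
pix515a(config)# show failover
```

Because each group fails over independently, a failure of the primary unit moves only group 1 to the secondary; group 2 was already there. After the primary recovers, preempt moves group 1 back, and the standby addresses follow the same swap described for active/standby failover.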

pim dr-priority Command

The pim dr-priority command allows you to change the default DR (designated router)
priority assigned to a Security Appliance interface; the default is 1. If multiple Security
Appliances have the same DR priority, the Security Appliance with the highest IP address
becomes the DR. The complete syntax for this command is as follows:
pim dr-priority number
where number determines the priority of the device when the DR is elected; a higher value
is preferred. The number can be from 0 to 4,294,967,294. Using 0 prevents the
Security Appliance from becoming the DR.
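The following example, added here and not taken from the original text, ties the pim rp-address parameters from Table 11-15, the pim dr-priority command, and the IGMP interface commands from the summary together in PIX/ASA 7.0 syntax. The RP address 192.168.1.10, the group range 239.1.0.0/16, the access list name MCAST-GROUPS, and the priority and timer values are assumed for this example.

```cisco
! Enable multicast routing globally; this turns on PIM and IGMP on every interface
pix515a(config)# multicast-routing
! Standard access list naming the groups this RP serves (assumed range)
pix515a(config)# access-list MCAST-GROUPS standard permit 239.1.0.0 255.255.0.0
! Static RP for those groups; bidir selects bidirectional PIM instead of sparse mode
pix515a(config)# pim rp-address 192.168.1.10 MCAST-GROUPS bidir
! Per-interface tuning on the inside (receiver-facing) interface
pix515a(config)# interface ethernet1
! Priority 10 beats the default of 1, so this appliance wins the DR election on the LAN;
! 0 would exclude it from the election
pix515a(config-if)# pim dr-priority 10
! Only allow hosts to join groups in the access list; other IGMP reports are dropped
pix515a(config-if)# igmp access-group MCAST-GROUPS
! Shorten the maximum IGMP query response time from the default 10 seconds to 5
pix515a(config-if)# igmp query-max-response-time 5
pix515a(config-if)# exit
! Verify the PIM role and the IGMP settings that are in effect
pix515a(config)# show pim interface
pix515a(config)# show igmp interface inside
```

Restricting joins with igmp access-group is the control that matters most on a firewall: without it, any protected host can pull traffic for any group the upstream router is willing to forward.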