Configuring and Enabling Failover
Failover configuration is straightforward and does not require many commands. In this section, we review a case study, configuring standard failover step by step. At each step of the configuration, we use show commands to check the status.
The network topology is shown in Figure 8.1. In this example, PIX1 is the primary firewall, and PIX2 is the secondary firewall. There are two interfaces in use, ethernet0 (outside) and ethernet1 (inside).
Before we start, we plug in the failover cable, being careful to connect the primary end into the primary firewall and the secondary end into the secondary firewall. Each interface on the primary firewall also needs to be connected to the corresponding interface on the secondary firewall through either a switch or a crossover cable. In this example, we are using Layer 2 switches, and all the ports on each switch are on the same VLAN. We also make sure that all the switches are configured and powered on and that all Ethernet cables are plugged in correctly.
We leave the secondary firewall powered off, and we switch on the primary firewall. Next, we configure the clock on the primary firewall using the clock command.
www.syngress.com
Figure 8.1 Standard Failover Example (diagram: PIX1 and PIX2, each with e0 toward the Internet and e1 toward the internal network, connected to each other by the failover serial cable)
424 Chapter 8 • Configuring Failover
NOTE
Do not power on the secondary firewall until the primary firewall is fully configured.
Cisco recommends that when you use failover, no network interface should be set for autonegotiation. In other words, do not use the auto or 1000auto keywords in your interface configuration commands. Each interface involved in failover should be hardcoded for speed and duplex settings using the 10baset, 100basetx, 100full, 1000basesx, or 1000sxfull keywords. Make sure that these settings match the hub or switch to which the interface is connected. In our example, we are using all 100Mbps interfaces, so we will hardcode the interfaces to 100Mbps full-duplex operation:
PIX1(config)# interface ethernet0 100full
PIX1(config)# interface ethernet1 100full
Of course, we also configured our switches for 100Mbps full duplex. Before enabling failover, we must first assign IP addresses to each interface on the primary firewall:
PIX1(config)# ip address inside 192.168.1.1 255.255.255.0
PIX1(config)# ip address outside 10.5.1.1 255.255.255.0
To verify the IP addresses, use the show ip address command:
PIX1# show ip address
System IP addresses:
ip address outside 10.5.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
Current IP addresses:
ip address outside 10.5.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
At this point, the current IP addresses on the primary firewall should be the same as the system IP addresses. When failover occurs, the current IP addresses will change to the failover IP addresses. Before we dive into the configuration, let’s use the show failover command to check the current failover status:
PIX1# show failover
Failover Off
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
As shown in the first line of the command output, failover is currently not enabled. The second line of the command output shows us that the other end of the failover cable is connected correctly and that the secondary firewall is powered off.
To enable failover, we use the failover command on the primary firewall:
PIX1(config)# failover
Now we can use the show failover command on the primary firewall to verify that failover is enabled and that it is acting as the active firewall (see Figure 8.2).
Figure 8.2 Output of the show failover Command After Enabling Failover
PIX1# show failover
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: primary - Active
Active time: 60 (sec)
Interface outside (10.5.1.1): Normal (Waiting)
Interface inside (192.168.1.1): Normal (Waiting)
Other host: secondary - Standby
Active time: 0 (sec)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
As shown in the command output here, the fifth line reads, “This host: primary - Active,” which means that you are on the primary firewall and it is active for failover. Next, we configure the failover IP addresses using the failover ip address command. This needs to be done for each interface. Normally, in an unfailed state, these IP addresses will be assigned to the respective interfaces of the standby unit. Make sure that the failover IP addresses are in the same subnet as the active IP addresses:
PIX1(config)# failover ip address inside 192.168.1.2
PIX1(config)# failover ip address outside 10.5.1.2
We can use the show failover command on the primary firewall again to verify the status of the failover IP addresses (see Figure 8.3). As you can see from the output of the command, under “Other host,” the secondary firewall now has IP addresses for each interface.
Figure 8.3 Output of the show failover Command After Configuring Failover IP Addresses
PIX1# show failover
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: primary - Active
Active time: 300 (sec)
Interface state (172.16.1.1): Normal (Waiting)
Interface outside (10.5.1.1): Normal (Waiting)
Other host: secondary - Standby
Active time: 0 (sec)
Interface state (172.16.1.2): Unknown (Waiting)
Interface outside (10.5.1.2): Unknown (Waiting)
At this point, failover configuration is complete. Yes, it was that simple! We now need to power on the secondary firewall. After the secondary firewall boots up, the primary will detect it and will start to replicate the configuration to it. You will see the following message on the console:
Sync Started
Once the synchronization is complete, you will see:
Sync Completed
We can use the show failover command on the primary firewall to verify the status (see Figure 8.4).
Figure 8.4 Output of the show failover Command After Completing the Configuration
PIX1# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: primary - Active
Active time: 350 (sec)
Interface state (172.16.1.1): Normal
Interface outside (10.5.1.1): Normal
Other host: secondary - Standby
Active time: 0 (sec)
Interface state (172.16.1.2): Normal
Interface outside (10.5.1.2): Normal
As shown in the command output, the Unknown status has changed to Normal. The cable status also displays as Normal, meaning that failover is operating normally. This is the output that you usually want to see on your primary firewall.
Now let’s enable the stateful failover feature on these firewalls. First, we must set up a dedicated network link between the two firewalls that will be used for exchanging state information. As shown in Figure 8.5, we have chosen ethernet2 on each firewall for this purpose and have connected a switch between the interfaces on both firewalls. (We could also have used a crossover cable instead of a switch.)
We need to configure the interface settings for ethernet2, give it a name (we picked the name state), and assign system and failover IP addresses:
PIX1(config)# nameif ethernet2 state security25
PIX1(config)# interface ethernet2 100full
PIX1(config)# ip address state 172.16.1.1 255.255.255.0
PIX1(config)# failover ip address state 172.16.1.2
PIX2(config)# nameif ethernet2 state security25
PIX2(config)# interface ethernet2 100full
After the interface is configured, there is only a single command to enter to make this the stateful failover interface:
PIX1(config)# failover link state
NOTE
The stateful failover interface (ethernet2 in our example) must have its MTU set to 1500 bytes or larger.
You can verify stateful failover operation using the show failover command (see Figure 8.6).
Figure 8.5 Standard Stateful Failover Example (diagram: PIX1 and PIX2, each with e0 toward the Internet, e1 toward the internal network, and e2 on the dedicated stateful failover link, connected to each other by the failover serial cable)
Figure 8.6 Output of the show failover Command After Enabling Stateful Failover
PIX1# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Primary - Active
Active time: 400 (sec)
Interface state (172.16.1.1): Normal
Interface outside (10.5.1.1): Normal
Interface inside (192.168.1.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface state (172.16.1.2): Normal
Interface outside (10.5.1.2): Normal
Interface inside (192.168.1.2): Normal
Stateful Failover Logical Update Statistics
Link : intf3
Stateful Obj    xmit       xerr       rcv        rerr
General         3          0          3          0
sys cmd         3          0          3          0
up time         0          0          0          0
xlate           0          0          0          0
tcp conn        0          0          0          0
udp conn        0          0          0          0
ARP tbl         0          0          0          0
RIP Tbl         0          0          0          0
Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       1       3
Xmit Q:         0       1       3
As you can see, there are some additional lines of output. These additional lines show the stateful failover statistics in great detail.
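As an added example (not from the book or from Cisco), a small Python check that parses show failover output in the format of Figures 8.4 and 8.6 and reports what an operator should act on: failover off, a cable status other than Normal, any interface whose status is not Normal, and any stateful object with a nonzero xerr or rerr counter. The sample text is constructed, with one interface left in the Unknown state and one object reporting a receive error so the checks have something to flag.

```python
import re
# Constructed sample in the format of this chapter's show failover output.
SAMPLE = """Failover On
Cable status: Normal
This host: Primary - Active
        Interface outside (10.5.1.1): Normal
Other host: Secondary - Standby
        Interface state (172.16.1.2): Normal
        Interface outside (10.5.1.2): Unknown (Waiting)
General         3          0          3          0
sys cmd         3          0          3          1
"""

IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (\w+)")
STAT_RE = re.compile(r"(General|sys cmd|up time|xlate|tcp conn|udp conn|ARP tbl|RIP Tbl)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_show_failover(text):
    # failover state, cable status, per-host interface status, stateful counters
    report = {"failover_on": False, "cable": None, "hosts": {}, "stats": {}}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):
            report["failover_on"] = line == "Failover On"
        elif line.startswith("Cable status:"):
            report["cable"] = line.split(":", 1)[1].strip()
        elif line.startswith(("This host:", "Other host:")):
            host, rest = line.split(":", 1)
            report["hosts"][host] = {"state": rest.strip(), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and host:
            report["hosts"][host]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
        elif m := STAT_RE.match(line):
            report["stats"][m.group(1)] = tuple(int(n) for n in m.groups()[1:])
    return report

def failover_problems(report):
    # findings an operator would act on; an empty list is the healthy state
    problems = []
    if not report["failover_on"]:
        problems.append("failover is off")
    if report["cable"] != "Normal":
        problems.append(f"cable status: {report['cable']}")
    for host, info in report["hosts"].items():
        for name, (ip, status) in info["interfaces"].items():
            if status != "Normal":
                problems.append(f"{host} interface {name} ({ip}) is {status}")
    for obj, (xmit, xerr, rcv, rerr) in report["stats"].items():
        if xerr or rerr:
            problems.append(f"stateful object {obj}: xerr={xerr} rerr={rerr}")
    return problems
```

Feed it the captured output of show failover from the primary unit; the healthy state described in the text (every interface Normal, cable Normal, no error counters) yields an empty list.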