
CCIE Security: 350-018

High Availability Solution



❖ Information about High Availability


This chapter provides an overview of the failover features that enable you to achieve high availability
on the Cisco 5500 series adaptive security appliances.

❖ About Failover and High Availability with Firewall


Failover definition: Failover is a backup operational mode in which the functions of a system
component (such as a processor, server, network, or database) are taken over by secondary
system components when the primary component becomes unavailable, whether through failure or
scheduled downtime. The secondary component can run redundantly alongside the primary, or wait in
standby and take over only when the primary fails.

Purpose: The main purpose of failover is to eliminate, or at least reduce, the impact on users when a
system failure occurs.

❖ There are three levels at which failover can be implemented on the ASA firewall:
1. Interface level redundancy
2. ISP level redundancy
3. Hardware level redundancy
   a. Active/Standby failover
   b. Active/Active failover

❖ Terms of High Availability


Role: Active/standby (can change during operation)
Priority: Primary/secondary (fixed by configuration)

1. Interface level redundancy: here we use multiple physical interfaces grouped into one redundant
interface, where one interface is active and the other remains standby. If the active interface goes
down, the standby becomes active.

1. Interface Level Redundancy

!ON R1
en
conf t
int f0/0
ip add 10.11.11.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
!ON R2
en
conf t
int f0/0
ip add 192.1.20.2 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.1.20.10
!
!ON R3
en
conf t
int f0/0
ip add 192.168.30.3 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.30.10
!

!ON ASA
conf t
hostname ASA
!1. Bring up the physical interfaces
int e0
no shut
exit
int e1
no shut
exit
!2. Create a redundant interface and make e0 and e1 its members
interface redundant 1
member-interface e0
member-interface e1
nameif inside
ip add 10.11.11.10 255.255.255.0
exit
!
!3. Select which member is active
redundant-interface redundant 1 active-member e1
!
int e2
nameif outside
ip add 192.1.20.10 255.255.255.0
no sh
exit
!
int e3
nameif dmz
security-level 50
ip add 192.168.30.10 255.255.255.0
no sh
exit
!
sho interface
show run interface redundant 1
sho int ip bri

VERIFICATION:-
show interface ip brief
show interface (output):
Interface Ethernet0 "", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Active member of Redundant1
MAC address 00ab.bffb.c400, MTU not set
IP address unassigned
32 packets input, 0 bytes, 0 no buffer
Received 2 broadcasts, 0 runts, 0 giants

Interface Ethernet1 "", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Standby member of Redundant1
MAC address 00ab.bffb.c401, MTU not set
IP address unassigned
18 packets input, 0 bytes, 0 no buffer
Received 2 broadcasts, 0 runts, 0 giants

show run interface redundant 1
!
interface Redundant1
member-interface Ethernet0
member-interface Ethernet1
nameif inside
security-level 100
ip address 10.11.11.10 255.255.255.0

From R1, ping R2.
Now shut down interface E1 of the ASA, ping from R1 to R2 again, and run show interface to compare
with the outputs above.

NOTE: If interface E1 goes down, E0 becomes active. When E1 comes back up it remains standby until
E0 goes down; the member that was originally active does not take the role back automatically.

Comparison of both member interfaces before and after the failover. In the first capture E1 is the
active member; in the second capture E1 has been shut down and E0 has become active. Note that the
MAC address 00ab.bffb.c400 stays with whichever member holds the active role.

Before shutting down E1:
ASA(config)# sh interface
Interface Ethernet0 "", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Standby member of Redundant1
MAC address 00ab.bffb.c401, MTU not set
IP address unassigned
1 packets input, 128 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 L2 decode drops
0 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/2)
output queue (curr/max packets): hardware (0/1) software (0/1)
Interface Ethernet1 "", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Active member of Redundant1
MAC address 00ab.bffb.c400, MTU not set
IP address unassigned
0 packets input, 192 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 L2 decode drops
1 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/2)
output queue (curr/max packets): hardware (0/2) software (0/1)

After shutting down E1:
ASA(config-if)# sh interface
Interface Ethernet0 "", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Active member of Redundant1
MAC address 00ab.bffb.c400, MTU not set
IP address unassigned
1 packets input, 128 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 L2 decode drops
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/2)
output queue (curr/max packets): hardware (0/2) software (0/1)
Interface Ethernet1 "", is administratively down, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Standby member of Redundant1
MAC address 00ab.bffb.c401, MTU not set
IP address unassigned
1 packets input, 192 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 L2 decode drops
1 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/2)
output queue (curr/max packets): hardware (1/2) software (0/1)

[Figure: Physical Topology]

[Figure: Logical Topology]

ISP Level Redundancy

!ON R1
en
conf t
int f0/0
ip add 10.12.12.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 10.12.12.10
!
!ON R2
en
conf t
int f0/0
ip add 130.12.12.2 255.255.255.0
no sh
exit
int f0/1
ip add 124.4.4.2 255.255.255.0
no sh
exit
ip route 4.2.2.0 255.255.255.0 124.4.4.4
ip route 10.12.12.0 255.255.255.0 130.12.12.10
!
!ON R3
en
conf t
int f0/0
ip add 150.10.10.3 255.255.255.0
no sh
exit
int f0/1
ip add 134.4.4.3 255.255.255.0
no sh
exit
ip route 4.2.2.0 255.255.255.0 134.4.4.4
!
!ON R4
en
conf t
int f0/0
ip add 124.4.4.4 255.255.255.0
no sh
int f0/1
ip add 134.4.4.4 255.255.255.0
no sh
exit
int loo 1
ip add 4.2.2.2 255.255.255.0
exit
!
ip route 130.12.12.0 255.255.255.0 124.4.4.2
ip route 150.10.10.0 255.255.255.0 134.4.4.3
!
!ON ASA
int e1
nameif inside
ip add 10.12.12.10 255.255.255.0
no sh
exit
int e2
nameif outside
ip add 130.12.12.10 255.255.255.0
no sh
exit
int e3
nameif backup
ip add 150.10.10.10 255.255.255.0
no sh
exit
route outside 0 0 130.12.12.2
route backup 0 0 150.10.10.3 2
!
Verification:-
ASA# ping 4.2.2.2
Shut down interface e2 and ping again:
ASA# ping 4.2.2.2
Use the traceroute command to check the different paths.
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
timeout 3
frequency 5
exit
!
sla monitor schedule 1 life forever start-time now
!
track 2 rtr 1 reachability
route outside 0 0 130.12.12.2 track 2
!
Note:- Once the track command is applied, the firewall keeps probing 4.2.2.2 via the outside interface,
and the outside default route stays installed only while the probe succeeds.
R4 will receive an ICMP echo packet every 5 seconds (frequency is in seconds). The ASA timeout value is
in milliseconds, so "timeout 3" waits only 3 ms for a reply; in practice it is set much higher than that.

!R4
R4#debug ip icmp

!ON ASA
Check the routing table; traffic must be passing through the outside interface.

Verification:-
!ON R2
now "shut" int f0/1 of R2
Note:- R4 will stop receiving ICMP packets from the ASA.

From the ASA:
ping 4.2.2.2
It should ping via the backup route.
If the backup route is not being installed, remove the original untracked default route:
no route outside 0.0.0.0 0.0.0.0 130.12.12.2 1
then try again. The route does not switch instantly; the delay comes from the probe frequency and
timeout.

ASA#show track
ASA#sh sla monitor operational-state 1
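As an added illustration (not part of the original notes), a small Python model of the floating-route behaviour configured above: the outside default route (distance 1) is tied to track 2, the backup route has distance 2, and track 2 follows the ICMP probe sent every `frequency` seconds. It assumes a simplified rule that the track state changes on the first probe result after the path changes; the real ASA may add further delay, but the "frequency plus timeout" worst case is what the note above refers to.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StaticRoute:
    iface: str
    next_hop: str
    distance: int = 1             # metric at the end of the ASA "route" line
    track: Optional[int] = None   # tracked object; route withdrawn when it is down

# The two default routes from the ISP-redundancy configuration above.
ROUTES = [
    StaticRoute("outside", "130.12.12.2", 1, track=2),
    StaticRoute("backup", "150.10.10.3", 2),
]

def installed_default(routes, track_state):
    """Route the ASA keeps in its table: lowest distance among routes whose
    track object (if any) is up. Untracked routes are always candidates."""
    up = [r for r in routes if r.track is None or track_state.get(r.track, True)]
    return min(up, key=lambda r: r.distance) if up else None

def simulate_probes(probe_ok, frequency=5, timeout_ms=3):
    """probe_ok[i] is True if the i-th ICMP echo to 4.2.2.2 got a reply.
    Probes go out every `frequency` seconds; a failed probe is only known
    after `timeout_ms` (the ASA 'timeout' value is in milliseconds).
    Simplified model: track 2 follows the latest probe result.
    Returns [(time_s, installed_iface), ...], one entry per probe."""
    timeline = []
    for i, ok in enumerate(probe_ok):
        t = i * frequency + (0 if ok else timeout_ms / 1000)
        route = installed_default(ROUTES, {2: ok})
        timeline.append((round(t, 3), route.iface))
    return timeline

def failover_delay(probe_ok, fail_at, frequency=5, timeout_ms=3):
    """Seconds from the primary path failing at `fail_at` until the backup
    route is installed, or None if it never is (worst case ~ frequency + timeout)."""
    for t, iface in simulate_probes(probe_ok, frequency, timeout_ms):
        if t >= fail_at and iface == "backup":
            return round(t - fail_at, 3)
    return None

if __name__ == "__main__":
    # Constructed run: the path to 4.2.2.2 breaks 7 s after the schedule
    # starts, so the probe at t=10 is the first one to fail.
    print(simulate_probes([True, True, False, False]))
    print("switch delay:", failover_delay([True, True, False, False], fail_at=7))
```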
