Monday, July 04, 2011

ASA Firewall Active/Standby Active/Active

Cisco ASA Active / Standby also known as hot standby


interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut

In the example above I have three interfaces configured. The big difference you'll notice is that each interface has a standby IP address defined. This is the address the standby unit uses for its own communications while it is standby; when it becomes active it takes over the primary address. Next I will start with the failover configuration.

failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover key *****
failover link failover Ethernet0/3
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2

The failover command by itself turns failover on. Without it the primary unit will not even attempt to talk to the secondary.

failover lan unit primary tells the ASA that it will be the active unit when it boots up. This only applies when the secondary unit is booting at the same time and a failover poll has not yet completed. If the primary went down due to a power loss and the secondary unit stayed up, the secondary keeps the active role, and a manual failover would have to take place to return it to the primary.

failover lan interface failover Ethernet0/3 defines the interface that will be used for failover communications. The second “failover” in the command is simply the name I gave that interface.

failover key is used for authentication between the failover units; the same key has to be configured on both units.

failover link failover Ethernet0/3 defines that we also want to use e0/3 for stateful failover. Without it no session (state) information would be replicated to the standby unit, so existing connections would be dropped on a failover.

failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2 assigns the failover interface an IP address for failover communications.

That's it for the primary unit. The secondary unit is even easier:


failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2

The unit is defined as the secondary, it is told which interface to use for failover, the key is defined if one is used, and voilà! The rest of the config (interface IP addresses etc.) is transferred over to the secondary unit. You will also need to do a “no shut” on the failover LAN interface.

And here is a quick output of “show failover”:

ciscoasa(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum

Ref: link - http://www.wr-mem.com/?p=110
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml

Cisco ASA Active / Active

Single Box – Multiple Contexts

If there is a need for multiple contexts, the firewall can be configured that way. Two (or more) different configurations can share the same physical hardware. They can also share interfaces, with some exceptions. Each context can have its own administrative profiles configured, so that a specific person can configure only one context.
Example: Company A and Company B share a common firewall. Each company has its own security policies and is administered separately.

Dual boxes – Multiple Contexts

By extending the previous scenario with duplicated hardware one gets a redundant solution. With both contexts active on the left hardware, that unit handles all traffic for both of them. In case of a hardware failure both contexts become active on the other unit.

Example: The need for highly available firewall functionality made company AB invest in redundant firewalls. They need to have multiple security policies administered by each company's respective IT department. It all runs in Unit 1, while Unit 2 is configured as a hot spare.

Dual boxes – Multiple Contexts balanced

If one context is active on one piece of hardware and another context on the other one, you get a load-balanced-ish solution. The normal case is that the left unit handles the Department A context and the right unit takes care of all traffic for Department B. In case of a hardware failure on either unit, the context(s) that were active on the failed unit “move” to the other hardware.

Scenario: To gain performance, company AB has distributed the placement of each context's active unit. The left unit takes care of Department A's context and the right one handles the context of Department B. Each unit is the hot spare for the other's context.

Important notes:

  • The only case in which “active/active” can be built is when you have multiple contexts.
  • There is no load sharing done “within” a context. That means that if all traffic goes through one context, it will consume all the resources of the unit on which that context is active, without any “help” from the other unit.
  • These multiple-context scenarios also apply when there are more than two contexts. For example, if there are 5 contexts, 0, 1, 2, 3, 4 or five of them can be active on each unit. It's all configurable. This configuration is done by putting contexts in failover groups, and this config is the only difference between the two last scenarios above.

Final words: A Cisco ASA solution without multiple contexts can never be active/active.
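To make the failover-group point concrete, here is an added active/active configuration example for the balanced scenario. It is my own illustration, not configuration from the original post or from the linked references. The context names (deptA, deptB, admin), the interface allocations, the config-url file names and the address values are assumptions chosen to match the addresses used earlier on this page; the commands themselves are the standard ASA multiple-context-mode ones.

```cisco
! System execution space of the primary unit. The secondary unit only needs
! the "failover", "failover lan unit secondary", "failover lan interface",
! "failover key" and "failover interface ip" lines, as in the active/standby
! case; the rest is replicated to it.
! Assumed: the unit has already been switched with "mode multiple" (reload).
mode multiple
!
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover key *****
failover link failover Ethernet0/3
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
!
! Group 1 prefers the primary unit, group 2 prefers the secondary unit.
! "preempt" makes a group return to its preferred unit once that unit is back,
! unlike plain active/standby where a manual failover is needed.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! An admin context is mandatory in multiple mode (assumed name and file).
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! Department A context: active on the left (primary) unit via group 1.
context deptA
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1
  config-url disk0:/deptA.cfg
  join-failover-group 1
!
! Department B context: active on the right (secondary) unit via group 2.
! Ethernet0/4 is an assumed additional interface on this platform.
context deptB
  allocate-interface Ethernet0/2
  allocate-interface Ethernet0/4
  config-url disk0:/deptB.cfg
  join-failover-group 2
!
! Inside a context (changeto context deptA) the interface addresses carry the
! same "standby" keyword as in the active/standby example above; the standby
! address is used by whichever unit currently holds the group in standby.
! interface Ethernet0/0
!   nameif outside
!   security-level 0
!   ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
```

A context that is not placed in a failover group with join-failover-group stays in group 1 by default, so the "both contexts on the left unit" scenario is simply this configuration without the join-failover-group 2 line. Because there is no load sharing inside a context, each unit still has to be sized to carry both groups after a failure; verify the per-group state from the system execution space with show failover.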

Ref: link - http://blogg.kvistofta.nu/cisco-asa-activeactive-failover/

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
