Cisco ASA Active/Standby failover configuration

Cisco ASA failover

From Xgu.ru

This page is a work in progress. The information presented here may be incomplete or incorrect.

Principles of operation

Active/Active failover requires multiple context mode, so the pair inherits its restrictions: in the releases this page covers, IPsec VPN and SSL VPN cannot be enabled and dynamic routing is unavailable (newer releases relax parts of this; check the multiple-context feature list for your version). VPN failover is available only in Active/Standby mode.

Modes of operation

Failover link

Any Ethernet interface can be used as the failover interface, but you cannot use an interface that already has an interface name (nameif) configured.

The failover interface is not configured as a normal data interface; it exists only for failover-related communication (it can additionally serve as the stateful failover link).

Stateful failover link

To use Stateful Failover, you must configure a stateful failover link over which connection state information is passed.

The stateful failover link can be one of the following:

- a dedicated interface;
- the failover link itself (in that case only its name is specified);
- a regular data interface (allowed, but not recommended: state replication then competes with user traffic on that segment, and unless a failover key is configured it travels there in clear text).

Command synchronization

Commands synchronized to the standby unit: configuration commands entered on the active unit (except mode, firewall and failover lan unit), plus copy running-config startup-config and write memory.

Commands not synchronized to the standby unit: all other forms of copy and write, show, debug, mode, firewall, failover lan unit.

ASA Active/Standby failover

ASA Modules Failover

Both ASAs must be fitted with the same models of modules.

Configuring the Primary ASA

Configuring standby addresses

If the ASA runs in routed mode, configure standby addresses on the ASA interfaces (the active and standby addresses must be in the same subnet):

If the ASA runs in transparent mode, configure a standby address for the management address (the active and standby addresses must be in the same subnet):

Configuring the primary role

Specify that this ASA is the primary unit:

Configuring the failover interface

Specify which interface will be used for failover:

For example, interface g0/2 will act as the failover interface and will be named failover:

Assign the active and standby IP addresses to the failover interface:

Enable the interface that will act as the failover interface:

Configuring the stateful failover interface

If stateful failover is needed, then in addition to the previous settings you must configure a stateful failover interface.

Specify which interface will be used as the stateful failover interface:

If, for example, the failover interface itself will be used as the stateful failover interface, it is enough to specify the interface name:

Enabling failover

Configuring the Secondary ASA

Remove the existing configuration (on the secondary unit only, never on the unit that already holds the working configuration):

Configuring the failover interface

Specify which interface will be used for failover:

For example, interface g0/2 will act as the failover interface and will be named failover:

Assign the active and standby IP addresses to the failover interface (the command must exactly repeat the one entered on the primary ASA):

Enable the interface that will act as the failover interface:

Configuring the secondary role

Specify that this ASA is the secondary unit:

Enabling failover
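A complete Active/Standby bootstrap for the two procedures above (primary, then secondary), as an added example that is not code from the Xgu.ru page or from Cisco. It assumes a single-context routed pair with the failover link on GigabitEthernet0/2, two data interfaces, and the addresses, timers and failover key shown; all of these values are assumptions.

```cisco
! ===== Primary unit (ASA-1), single context, routed mode =====
! Each monitored data interface gets an active and a standby address in the
! same subnet; the standby unit uses its address to probe interface health.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
!
! Failover link: a dedicated interface with no nameif (an interface that already
! has a name is refused). The same link is reused as the stateful link.
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link folink
interface GigabitEthernet0/2
 no shutdown
!
! The link carries the whole replicated configuration (passwords, keys, ACLs)
! and connection state in clear text unless a key is set. Assumed value; the
! same key must be entered on both units.
failover key Fa1l0ver-Sh4red-Key
! Unit hello every 1 s, peer declared failed after 3 s without hellos;
! a monitored interface is declared failed after 15 s of failed tests.
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
!
! Enable failover last; with no peer answering, this unit becomes Active.
failover
write memory
!
! ===== Secondary unit (ASA-2): bootstrap only =====
! Run "clear configure all" first. Only what is needed to reach the peer is
! entered; the rest of the configuration is copied from the primary.
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key Fa1l0ver-Sh4red-Key
interface GigabitEthernet0/2
 no shutdown
failover
!
! ===== Check on the primary after "End Configuration Replication to mate" =====
show failover state
!   expected: This host - Primary / Active; Other host - Secondary / Standby Ready
show failover
!   every monitored interface must read Normal (Monitored) on both units
write memory
!   replicated to the secondary, which saves its copy to flash as well
```

The order matters more than the lines: the secondary gets nothing but the link, the unit role and the key, and receives everything else from the primary. Entering data-interface configuration on the secondary before it joins only produces a configuration that is overwritten at replication.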

Verifying failover

Connect by telnet, ssh or similar (a session through the firewall shows whether stateful failover keeps it alive across the switchover).

Reload the primary ASA (the secondary must become active and the session must stay up).

Return the primary to the active state:
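A verification drill for the three steps above, as an added example that is not code from the page. It assumes the pair is configured with the primary currently active, a host at 10.1.1.50 on the inside that keeps an ssh session open through the firewall, and that both units report Standby Ready before the test; the address and the host are assumptions.

```cisco
! ---- Before the drill: confirm a healthy pair from the primary (active) unit ----
show failover state
!   expected: This host - Primary / Active; Other host - Secondary / Standby Ready
show failover
!   every monitored interface on both units must read Normal (Monitored);
!   a unit shown as Failed cannot take over, so stop here if one is
!
! ---- Open a long-lived session through the pair from the inside host ----
! (done outside the ASA, e.g. ssh from 10.1.1.50 to a server on the outside)
! Confirm the standby already holds that connection in its state table:
show conn address 10.1.1.50
failover exec mate show conn address 10.1.1.50
!
! ---- Step 2: reload the active primary ----
reload
!   the secondary becomes Active and the ssh session must stay up (stateful);
!   when the primary returns it comes back as Standby Ready, not Active,
!   because Active/Standby has no preemption
!
! ---- Step 3: return the primary to the active state ----
! Run on the primary (now standby). "no failover active" on the currently
! active unit performs the same switch from the other side.
failover active
show failover state
show failover history
!   lists every state transition with its reason; a reason other than the
!   reload and the manual switch points at a link or interface problem
```

If the session drops during the reload, check that the stateful link was configured (failover link) and that the connection was visible on the mate before the drill; a session that never reached the standby's state table cannot survive.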

ASA Active/Active failover

Configuring the Primary ASA

Switch to multiple context mode:

Configure the failover interface:

Configure the stateful link, key and failover groups:

Configuring contexts

Specify the admin context:

When configuring a context, you must specify:
- the interfaces allocated to the context (allocate-interface);
- the location of its configuration file (config-url);
- the failover group it belongs to (join-failover-group; contexts that are not assigned go to group 1).

Configure the adm context:

Configure the CTX1 context:

View information about the contexts that have been created:

View the saved configuration files:

Switch to the CTX1 context:

Configure the interfaces in the CTX1 context:
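A complete Active/Active bootstrap for the procedure above, as an added example that is not code from the Xgu.ru page or from Cisco. It assumes a two-unit pair with the failover link on GigabitEthernet0/3, an admin context adm on the management port, two user contexts CTX1 and CTX2 on VLAN subinterfaces, and the addresses, VLAN numbers and key shown; all of these are assumptions.

```cisco
! ===== Primary unit, system execution space =====
! Active/Active requires multiple context mode; this command reloads the unit.
mode multiple
!
! Failover link: a dedicated interface with no nameif, reused as the stateful link.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link folink
interface GigabitEthernet0/3
 no shutdown
! Without a key, replication of the system and context configurations crosses
! the link in clear text. Assumed value; must be identical on both units.
failover key Fa1l0ver-Sh4red-Key
!
! Physical trunks and the VLAN subinterfaces the contexts will receive.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120
!
! Failover groups are the unit of failover: group 1 prefers this (primary) unit,
! group 2 prefers the secondary, so each unit normally carries one group's traffic.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Admin context (always in group 1). allocate-interface and config-url are mandatory.
admin-context adm
context adm
 allocate-interface Management0/0
 config-url disk0:/adm.cfg
context CTX1
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context CTX2
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctx2.cfg
 join-failover-group 2
!
failover
write memory all
!
! CTX1 belongs to group 1, which is active on this unit, so configure it here.
changeto context CTX1
interface GigabitEthernet0/0.10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
changeto system
!
! ===== Secondary unit: bootstrap only (after clear configure all) =====
mode multiple
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key Fa1l0ver-Sh4red-Key
interface GigabitEthernet0/3
 no shutdown
failover
! The system and context configurations are replicated from the primary. Once
! group 2 has preempted to this unit, CTX2's own interface settings must be
! entered on this unit, because context commands replicate only from the unit
! where that context is active.
!
! ===== Verify (from either unit) =====
show failover
show context
show failover group 2
```

Both groups are active on the primary until the secondary joins, so CTX2 could also be configured on the primary before the secondary boots; after preemption every later change to CTX2 has to be made on the secondary, or it is lost at the next synchronization.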

Source

Failover on Cisco ASA

Before configuring redundancy (failover mode) on Cisco ASA, you must clearly understand the following:

I deliberately leave out the exceptions to these rules in order to minimize later problems with the configuration.

Note!
When it comes to configuring failover, the configuration lines matter less than the order in which they are entered and in which the two Cisco ASAs are connected to each other.

Step 0. Check

Make sure the software versions on both devices are identical (the ASA runs its own ASA software, not IOS) and that the license supports failover. Use the "show version" command:
FW-DELTACONFIG-1# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)6
...
Failover : Enabled
...
If the versions differ, upgrade the software on one of the devices.

Step 1. Choosing the interface for synchronization

Step 2.

Enable failover mode on Cisco ASA No. 1
FW-DELTACONFIG(config)#
failover
failover lan unit primary
failover lan interface STATE GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.0.1 255.255.255.252 standby 10.0.0.2

Step 3. Preparing Cisco ASA No. 2

Before configuring Cisco ASA No. 2, wipe its configuration completely and disconnect all cables from the device.
FW-DELTACONFIG(config)#
clear configure all

Step 4. Configuring Cisco ASA No. 2

failover
failover lan unit secondary
failover lan interface STATE GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.0.1 255.255.255.252 standby 10.0.0.2
Then save the configuration and power the device off.
FW-DELTACONFIG(config)#
write

Step 5. Connecting

Step 6. Verifying failover

Important!

How failover works
1) On boot, the Cisco ASA checks for a peer and, if one exists, takes the Standby role, copies the current configuration from the active device in full and goes into standby.

2) If no peer is found, the Cisco ASA becomes Active and works as a standalone device.

3) If everything is configured correctly and the firewalls show as Active/Standby, the roles switch in the following cases:

- manual switchover from the console of the active device with the command "no failover active". The devices swap roles and traffic starts flowing through the peer.
- automatic switchover to the peer if at least one monitored interface on the active device fails. If that same interface was already down on the Standby device, no switchover takes place.

Important!

Primary and Secondary are just unit numbers. They matter only at boot: when both units start at the same time, the primary becomes active and supplies the configuration. Otherwise they do not determine which unit carries traffic.
Active and Standby are the unit roles. They are what matters: they indicate which device is handling traffic at the moment.

For reference:
A common question: how do I connect the link from the carrier to both firewalls at once? How do I turn one cable into two?
Very simply: use a switch. Either use existing equipment, connecting Cisco ASA No. 2 to ports with the same VLAN settings as the ports Cisco ASA No. 1 is plugged into, or add a separate device.
The simplest 8-port switch for $10-20 is enough. Plug the provider's cable into port 1 and connect ports 2 and 3 to the two Cisco ASAs. This option is cheap, simple and easy to understand. If the switch fails, it can be swapped for any similar one in 5 minutes. One such switch is needed for every shared interface.
If the budget allows, for reliability I recommend a Cisco 2960 switch, creating the required number of VLANs on it, one for each of the Cisco ASA interfaces.
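A switch-side configuration for the shared segment described above, as an added example that is not from the article. It assumes a Catalyst 2960 running IOS, VLAN 100 for the outside segment, the ISP hand-off on GigabitEthernet0/1 and the outside interfaces of the two ASAs on GigabitEthernet0/2 and 0/3; the port and VLAN numbers are assumptions.

```cisco
! One VLAN per ASA segment; this is the outside segment shared by the ISP
! hand-off and both firewalls.
vlan 100
 name OUTSIDE-ASA
!
interface GigabitEthernet0/1
 description ISP hand-off
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface range GigabitEthernet0/2 - 3
 description ASA-1 / ASA-2 outside (Gi0/0)
 switchport mode access
 switchport access vlan 100
 ! Port security must stay off on these two ports: at failover the active
 ! MAC and IP move from one port to the other, and a secure MAC address
 ! moving between secure ports is flagged as a violation, which blocks the
 ! newly active firewall.
 no switchport port-security
 spanning-tree portfast
!
! Keep the failover and stateful links off this switch: connect them
! back-to-back or through a separate switch or VLAN, so a fault on the
! shared segment cannot also cut the path the units use to detect it.
```

Repeat the VLAN and port block for every segment the pair shares (inside, DMZ); the same port-security rule applies to each of them.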

Important!

Do not forget to save the configuration on the Active device with write or copy run start. Otherwise all changes are lost after a reload.
FW-DELTACONFIG-1# write
Building configuration...
[OK]

Source

Cisco ASA Series CLI Configuration Guide, 9.0

Chapter: Configuring Active/Active Failover

This chapter describes how to configure Active/Active failover and includes the following sections:

Information About Active/Active Failover

This section describes Active/Active failover. This section includes the following topics:

Active/Active Failover Overview

Active/Active failover is only available to ASAs in multiple context mode. In an Active/Active failover configuration, both ASAs can pass network traffic.

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.

Note A failover group failing on a unit does not mean that the unit has failed. The unit may still have another failover group passing traffic on it.

When creating the failover groups, you should create them on the unit that will have failover group 1 in the active state.

Note Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.

Primary/Secondary Status and Active/Standby Status

As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit, and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate which unit becomes active when both units start simultaneously. Instead, the primary/secondary designation does two things:

- It determines which unit provides the running configuration to the pair when they boot simultaneously.
- It determines on which unit each failover group appears in the active state when they boot simultaneously. Each failover group in the configuration is configured with a primary or secondary unit preference.

Note The ASA also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration. For information about load balancing, see the “Configuring Load Balancing” section.

Which unit each failover group becomes active on is determined as follows:

- When a unit boots while the peer unit is not available, both failover groups become active on the booting unit.
- When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain active on the active unit regardless of the primary or secondary preference until one of the following occurs:

– A failover occurs.

– You manually force a failover.

– You configured preemption for the failover group, which causes the failover group to automatically become active on the preferred unit when the unit becomes available.

Device Initialization and Configuration Synchronization

Configuration synchronization occurs when one or both units in a failover pair boot. The configurations are synchronized as follows:

- When a unit boots while the peer unit is active (with both failover groups active on it), the booting unit contacts the active unit to obtain the running configuration, regardless of the primary or secondary designation of the booting unit.
- When both units boot simultaneously, the secondary unit obtains the running configuration from the primary unit.

When the replication starts, the ASA console on the unit sending the configuration displays the message “ Beginning configuration replication: Sending to mate,” and when it is complete, the ASA displays the message “End Configuration Replication to mate.” During replication, commands entered on the unit sending the configuration may not replicate properly to the peer unit, and commands entered on the unit receiving the configuration may be overwritten by the configuration being received. Avoid entering commands on either unit in the failover pair during the configuration replication process. Depending upon the size of the configuration, replication can take from a few seconds to several minutes.

On the unit receiving the configuration, the configuration exists only in running memory. To save the configuration to flash memory after synchronization enter the write memory all command in the system execution space on the unit that has failover group 1 in the active state. The command is replicated to the peer unit, which proceeds to write its configuration to flash memory. Using the all keyword with this command causes the system and all context configurations to be saved.

Note Startup configurations saved on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts configuration files from the disk on the primary unit to an external server, and then copy them to disk on the secondary unit, where they become available when the unit reloads.

Command Replication

After both units are running, commands are replicated from one unit to the other as follows:

- Commands entered within a security context are replicated from the unit on which the security context is in the active state to the peer unit.
- Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
- Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Note A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.

Failure to enter the commands on the appropriate unit for command replication to occur causes the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.

Table 1-1 lists the commands that are and are not replicated to the standby unit.

Table 1-1 Command Replication

Commands replicated to the standby unit:
- All configuration commands except for mode, firewall, and failover lan unit
- copy running-config startup-config
- delete
- mkdir
- rename
- rmdir
- write memory

Commands not replicated to the standby unit:
- All forms of the copy command except for copy running-config startup-config
- All forms of the write command except for write memory
- debug
- failover lan unit
- firewall
- mode
- show
- terminal pager and pager

You can use the write standby command to resynchronize configurations that have become out of sync. For Active/Active failover, the write standby command behaves as follows:

- If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the ASA are written to the peer unit. This includes configuration information for security contexts that are in the standby state. You must enter the command in the system execution space on the unit that has failover group 1 in the active state.
- If you enter the write standby command in a security context, only the configuration for that security context is written to the peer unit. You must enter the command in the security context on the unit where the security context appears in the active state.

Note If there are security contexts in the active state on the peer unit, the write standby command causes active connections through those contexts to be terminated. Use the failover active command on the unit providing the configuration to make sure all contexts are active on that unit before entering the write standby command.

Replicated commands are not saved to the flash memory when replicated to the peer unit. They are added to the running configuration. To save replicated commands to flash memory on both units, use the write memory or copy running-config startup-config command on the unit that you made the changes on. The command is replicated to the peer unit and causes the configuration to be saved to flash memory on the peer unit.

Failover Triggers

In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:

- The unit has a hardware failure.
- The unit has a power failure.
- The unit has a software failure.
- The no failover active or the failover active command is entered in the system execution space.

Failover is triggered at the failover group level when one of the following events occurs:

- Too many monitored interfaces in the group fail.
- The no failover active group group_id command is entered.

You configure the failover threshold for each failover group by specifying the number or percentage of interfaces within the failover group that must fail before the group fails. Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it is possible for all interfaces in a single context to fail without causing the associated failover group to fail.

See the “Failover Health Monitoring” section for more information about interface and unit monitoring.

Failover Actions

In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, then failover group 2 remains active on the primary unit while failover group 1 becomes active on the secondary unit.

Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.

Table 1-2 shows the failover action for each failure event. For each failure event, the policy (whether or not failover occurs), actions for the active failover group, and actions for the standby failover group are given.

Table 1-2 Failover Behavior for Active/Active Failover

Failure event: A unit experiences a power or software failure
Policy: Failover
Active group action: Become standby; mark as failed
Standby group action: Become active; mark active as failed
Notes: When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit.

Failure event: Interface failure on active failover group above threshold
Policy: Failover
Active group action: Mark active group as failed
Standby group action: Become active
Notes: None.

Failure event: Interface failure on standby failover group above threshold
Policy: No failover
Active group action: No action
Standby group action: Mark standby group as failed
Notes: When the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed.

Failure event: Formerly active failover group recovers
Policy: No failover
Active group action: No action
Standby group action: No action
Notes: Unless failover group preemption is configured, the failover groups remain active on their current unit.

Failure event: Failover link failed at startup
Policy: No failover
Active group action: Become active
Standby group action: Become active
Notes: If the failover link is down at startup, both failover groups on both units become active; both units then claim the same active addresses until the link is restored.

Failure event: Stateful Failover link failed
Policy: No failover
Active group action: No action
Standby group action: No action
Notes: State information becomes out of date, and sessions are terminated if a failover occurs.

Failure event: Failover link failed during operation
Policy: No failover
Active group action: n/a
Standby group action: n/a
Notes: Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.

Optional Active/Active Failover Settings

You can configure the following Active/Active failover options when you initially configure failover or after failover has been configured:

- Failover group preemption
- HTTP replication
- Disabling and enabling interface monitoring
- Interface health monitoring (poll and hold times)
- Failover criteria (interface policy)
- Virtual MAC addresses
- Support for asymmetrically routed packets

Licensing Requirements for Active/Active Failover

The following table shows the licensing requirements for this feature:

ASA 5510, ASA 5512-X: Security Plus License.
All other models: Base License.

Prerequisites for Active/Active Failover

In Active/Active failover, both units must have the following:

- The same hardware model, with the same number and types of interfaces
- The same software version
- Multiple context mode enabled

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in multiple context mode only.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

IPv6 failover is supported.

Model Guidelines

Active/Active failover is not available on the Cisco ASA 5505.

Additional Guidelines and Limitations

No two interfaces in the same context should be configured in the same ASR group.

Configuring port security on the switch(es) connected to an ASA failover pair can cause communication problems when a failover event occurs. This is because if a secure MAC address configured or learned on one secure port moves to another secure port, a violation is flagged by the switch port security feature.

ASA failover replication fails if you try to make a configuration change in two or more contexts at the same time. The workaround is to make configuration changes on each unit sequentially.

The following features are not supported for Active/Active failover:

Configuring Active/Active Failover

This section describes how to configure Active/Active failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

This section includes the following topics:

Task Flow for Configuring Active/Active Failover

To configure Active/Active Failover, perform the following steps:

Step 1 Configure the primary unit, as shown in the “Configuring the Primary Failover Unit” section.

Step 2 Configure the secondary unit, as shown in the “Configuring the Secondary Failover Unit” section.

Step 3 (Optional) Configure optional Active/Active failover settings, as shown in the “Optional Active/Active Failover Settings” section.

Configuring the Primary Failover Unit

Follow the steps in this section to configure the primary unit in an Active/Active failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit.

Restrictions

Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.

Prerequisites

Both units must be in multiple context mode.
Detailed Steps

failover lan unit primary

Designates the unit as the primary unit.

failover lan interface if_name phy_if

hostname(config)# failover lan interface folink GigabitEthernet0/3

Specifies the interface to be used as the failover interface.

The if_name argument assigns a name to the interface specified by the phy_if argument.

The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASASM, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the Stateful Failover link).

failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ]

hostname(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

hostname(config)# failover interface ip folink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71

Assigns the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the failover link.

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

failover link if_name phy_if

hostname(config)# failover link statelink GigabitEthernet0/2

(Optional) Specifies the interface to be used as the Stateful Failover link.

Note If the Stateful Failover link uses the failover link or a data interface, then you only need to supply the if_name argument.

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASASM, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the failover link).

failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ]

hostname(config)# failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2

hostname(config)# failover interface ip statelink 2001:a1a:b00::a0a:a70/64 standby 2001:a1a:b00::a0a:a71

(Optional) Assigns an active and standby IP address to the Stateful Failover link. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the Stateful Failover link.

Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

hostname(config)# interface GigabitEthernet 0/3

hostname(config-if)# no shutdown

Enables the interface.

Note If the Stateful Failover link uses the failover link or regular data interface, skip this step. You have already enabled the interface.

hostname(config)# failover group 1

hostname(config-fover-group)# primary

hostname(config-fover-group)# exit

hostname(config)# failover group 2

hostname(config-fover-group)# secondary

hostname(config-fover-group)# exit

Configures the failover groups.

You can have only two failover groups. The failover group command creates the specified failover group if it does not exist and enters the failover group configuration mode.

For each failover group, specify whether the failover group has primary or secondary preference using the primary or secondary command. You can assign the same preference to both failover groups. For traffic sharing configurations, you should assign each failover group a different unit preference.

The exit command restores global configuration mode.

The example assigns failover group 1 the primary preference and failover group 2 the secondary preference.

hostname(config)# context Eng

hostname(config-context)# join-failover-group 1

Assigns each user context to a failover group (in context configuration mode).

Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1.
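Optional failover-group settings from the sections above (preemption, interface policy, virtual MAC addresses, HTTP replication) followed by the write standby resynchronization sequence from the Command Replication section, as an added example that is not from the Cisco guide. It assumes the two failover groups and the Eng context created in the steps above, plus the MAC addresses, preempt delay, thresholds and timers shown, all of which are assumed values.

```cisco
! ===== System execution space, on the unit where failover group 1 is active =====
failover group 1
 primary
 ! Move the group back to its preferred unit 60 s after that unit recovers.
 ! Without preempt, a recovered group stays on whichever unit holds it.
 preempt 60
 ! The group fails when 2 of its monitored interfaces (across all its contexts)
 ! are down; the default of 1 lets a single flapping link fail the whole group.
 interface-policy 2
 ! Interface health checks for this group only.
 polltime interface 3 holdtime 15
 ! Explicit active/standby virtual MACs per physical interface, so two A/A pairs
 ! on one segment cannot derive the same default MAC (locally administered range).
 mac address GigabitEthernet0/0 0200.0000.0101 0200.0000.0102
 mac address GigabitEthernet0/1 0200.0000.0111 0200.0000.0112
 ! HTTP sessions are not replicated by default; enable it if they must survive.
 replication http
failover group 2
 secondary
 preempt 60
 interface-policy 2
 mac address GigabitEthernet0/0 0200.0000.0201 0200.0000.0202
 mac address GigabitEthernet0/1 0200.0000.0211 0200.0000.0212
!
! Assign the Eng context to the group that should carry it (context config mode).
context Eng
 join-failover-group 1
!
! ===== Resynchronizing after changes were made on the wrong unit =====
! 1. Make every failover group active here first: write standby tears down
!    connections through any context that is active on the peer.
failover active
! 2. Push the system configuration and all context configurations to the
!    peer's running configuration.
write standby
! 3. Save on both units; "all" includes every context, and the command is
!    replicated to the peer.
write memory all
! 4. Hand group 2 back to its preferred unit once traffic is verified
!    (with preempt 60 it would move on its own after the delay).
no failover active group 2
show failover
```

The interface-policy value must not exceed the number of monitored interfaces in the group, and the MAC pairs must differ between the two groups and between pairs sharing a segment; a duplicate active MAC on the switch looks exactly like the port-security violation described in the guidelines above.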

Source