
MY CISCO book

Failover
This book introduces one of the advanced features that your ASA appliance can support: failover. Failover provides redundancy between ASAs: if one ASA fails, a redundant ASA can become active in place of the failed one. The topics covered are:
1. An introduction to failover, including the failover types, the hardware, software and license requirements, the restrictions that apply to failover, and software upgrades.
2. The two failover implementations: active/active and active/standby.
3. The interfaces and cables used for failover.
4. How the ASAs communicate with each other during failover, how they detect problems, and when a failover can occur.
5. Configuring active/standby failover.
6. Configuring active/active failover.

FAILOVER INTRODUCTION
Failover is a unique, Cisco-proprietary feature of its security appliances. It provides redundancy between ASA security appliances: one appliance backs up another. This redundancy gives your network resiliency. Depending on the type of failover you use and how you implement it, the failover process can, in most cases, be transparent to users and hosts. This section introduces the failover feature. I will discuss the two types of failover (hardware and stateful), the requirements for setting up failover, the restrictions you will face when implementing it, and how to handle software upgrades for an ASA pair configured for failover.

FAILOVER TYPES
There are two types of failover: hardware failover (sometimes called stateless failover) and stateful failover. When failover was first introduced, only hardware failover was available. Stateful failover was implemented starting with version 6.
1|Page Author : Doan Quang Hoa hoadq CCNP, CCSP Email : hoadqtk4@gmail.com & hoadq@hpt.vn

Hardware failover provides hardware redundancy only; in other words, it covers the physical failure of an appliance. The configuration is synchronized between the two ASAs, but nothing else. So, for example, if a connection is being handled by one ASA and that ASA fails, the other ASA can take over forwarding traffic for the failed unit. However, because the original connection was not replicated to the second appliance, the connection fails: all active connections are lost and must be re-established through the second appliance. Hardware failover requires a failover link between the two ASAs, which is discussed in the "Failover Cabling" section.

Stateful failover provides both hardware and stateful redundancy. Besides the configuration, other information is synchronized between the ASA appliances. This includes the routing and xlate tables, the current date and time, the layer 2 MAC address table (if the ASA is in transparent mode), SIP information, and VPN connections. When implementing stateful failover you need two links between the ASAs: a failover link and a stateful link.

FAILOVER REQUIREMENTS
To implement failover you need the right ASA appliances, the appropriate licenses, and matching hardware and software.

Supported Models
Not all security appliances support failover. All ASAs support failover; however, the ASA 5505 does not support active/active failover. Among the PIXs, only the 515 and higher models support failover. The Firewall Services Module (FWSM) also supports failover.

Hardware, Software, and Configuration Requirements
For the hardware of the two units, only the size of flash memory may differ; everything else must be the same. For example, you can use two ASA 5510s, but not an ASA 5510 with an ASA 5520. You can use two ASA 5540s, but not one with an IPS module and one without. Basically, apart from flash, all hardware must be identical on the two units configured for failover: same model, same interfaces, same amount of RAM, same modules.

If you have PIXs running version 6 or earlier, the two PIXs set up for failover must run the same OS version and the same PIX Device Manager (PDM) version. For example, if one PIX runs version 6.3(4) and the other runs 6.3(5), failover will not work: with version 6 or earlier, the units must run exactly the same version. Starting with version 7, Cisco relaxed the software version requirement: the version must match, but the sub-version does not have to. For example, if one unit runs version 7.1(1) and the other runs 7.1(2), failover between the two still works normally, but if one unit runs 7.0(4) and the other runs 7.1(2), failover will not work.

The other software requirements must also match: the same features must be enabled on both units. If one unit has only a DES license and the other has a DES/3DES/AES license, failover will not work. Likewise, if one unit has a 5-context license and the other has a 50-context license, failover will not work either.

The configuration on the two units must be the same, except for the IP addresses, the MAC addresses, and the role the unit plays in failover. The roles are primary and secondary, and they do not change when a failover occurs. You do not have to synchronize the configuration files between the two units by hand. You make changes on the active unit, and the configuration is automatically replicated to the other unit.

License Requirements
If you have an ASA 5505 or 5510, you need a Security Plus license to implement failover. The ASA 5520 and higher do not require a special license. PIXs from the 515 upward that support failover come with three kinds of license: Restricted (R), Unrestricted (UR) and Failover (FO). A PIX with an R license is limited in the amount of RAM and the number of interfaces the PIX can use, and in failover. A UR license supports the maximum amount of RAM and number of interfaces the PIX can take, and allows the use of failover. The prices differ accordingly: while Cisco sells the PIX 515E with an R license for $3000, the same PIX with a UR license sells for more than $6000.

In version 6 and earlier, only one type of failover could be implemented: active/standby. As you will see later, with active/standby failover the active unit processes traffic and the standby unit waits until the active unit fails; the standby then processes the traffic. As a convenience to customers, Cisco created a third kind of license, the Failover (FO) license. The FO license is used for the standby unit, and it has all the features of the UR license. Cisco does not want customers to buy a PIX with an FO license and run it as a stand-alone unit, or pair it with another PIX that also has an FO license; Cisco wants its customers to buy the license that fits what they need. Therefore, two PIXs with FO licenses will not work together in failover. Also, if an FO-licensed PIX boots and does not see another PIX with a UR license, the PIX reboots itself at least once every 24 hours. However, if the FO unit boots and sees another PIX, and the primary later fails, the FO unit does not perform these random reboots. This ensures that customers do not try to run an FO license in a stand-alone configuration.

Failover Restrictions
When you use failover, certain restrictions apply. For example, the following addressing methods are currently not supported on appliances that participate in failover:
+ DHCP client
+ PPPoE client
+ IPv6 addressing
Another restriction is that if you implement active/active failover, which requires the use of contexts, VPNs are not supported at all. And with active/standby failover, if the failover pair consists of ASA 5505s and they are configured for Easy VPN, failover will not work.

Software Upgrades
Basically, you can use two methods to upgrade the OS and ASDM versions on your appliances while using failover: manually, from the CLI or ASDM, or with Auto Update Server (AUS), which is a component of Cisco Security Manager (CSM). CSM is the replacement for CiscoWorks for Cisco security appliances.

When you have a pair of ASAs in a failover configuration and want to upgrade the OS or ASDM manually, you must upgrade the two units individually. The OS and ASDM are not synchronized between the two units; only the configuration file is. If you upgrade the OS on both units, you must reboot them manually, at the same time, to use the new OS version.

Unlike the manual upgrade, you can define an upgrade policy on the AUS server and have the ASA that is primary in the failover pair contact AUS, so that it upgrades automatically when a new version is available. This is called the auto update feature. If an update is available, the primary unit downloads and installs it for itself and copies the images to the secondary unit. As soon as the new image has been copied to the secondary unit, the secondary reboots automatically; after the secondary has rebooted, the primary reboots as well.
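The matching rules from the Failover Requirements and Failover Restrictions parts above can be applied to two unit inventories before they are cabled together. This is an added example, not code from the book or from Cisco; the `Unit` record, its field names and the sample inventories are hypothetical, and the rules encoded are only the ones stated on this page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Unit:
    """Inventory of one appliance (hypothetical record filled in by the operator)."""
    model: str                                  # e.g. "ASA5510"
    version: str                                # OS version string, e.g. "7.1(2)"
    ram_mb: int
    flash_mb: int                               # the only hardware item allowed to differ
    interfaces: tuple                           # physical interface names
    modules: tuple = ()                         # e.g. ("IPS",)
    encryption: frozenset = frozenset({"DES"})  # licensed ciphers
    contexts: int = 0                           # licensed security contexts
    security_plus: bool = False
    addressing: frozenset = frozenset({"static"})


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")
UNSUPPORTED_ADDRESSING = {"dhcp-client", "pppoe-client", "ipv6"}
NEEDS_SECURITY_PLUS = {"ASA5505", "ASA5510"}


def parse_version(text):
    """Split a version such as '7.1(2)' into (7, 1, 2)."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def versions_compatible(a, b):
    """Version 6 and earlier need an exact match; from version 7 on,
    only the sub-version in parentheses may differ."""
    va, vb = parse_version(a), parse_version(b)
    if min(va[0], vb[0]) < 7:
        return va == vb
    return va[:2] == vb[:2]


def failover_precheck(primary, secondary, active_active=False):
    """Return the reasons why the two units cannot form a failover pair."""
    problems = []
    # Hardware must be identical apart from the flash size.
    for attr in ("model", "ram_mb", "interfaces", "modules"):
        left, right = getattr(primary, attr), getattr(secondary, attr)
        if isinstance(left, tuple):
            left, right = sorted(left), sorted(right)
        if left != right:
            problems.append(f"{attr} differs: {left} vs {right}")
    if not versions_compatible(primary.version, secondary.version):
        problems.append("software versions incompatible: "
                        f"{primary.version} vs {secondary.version}")
    # Licensed features must be the same on both units.
    if primary.encryption != secondary.encryption:
        problems.append("encryption licenses differ")
    if primary.contexts != secondary.contexts:
        problems.append(f"context licenses differ: "
                        f"{primary.contexts} vs {secondary.contexts}")
    for role, unit in (("primary", primary), ("secondary", secondary)):
        if unit.model in NEEDS_SECURITY_PLUS and not unit.security_plus:
            problems.append(f"{role}: {unit.model} needs a Security Plus license")
        unsupported = sorted(unit.addressing & UNSUPPORTED_ADDRESSING)
        if unsupported:
            problems.append(f"{role}: addressing not supported with failover: "
                            + ", ".join(unsupported))
        if active_active and unit.model == "ASA5505":
            problems.append(f"{role}: ASA 5505 does not support active/active failover")
    return problems


if __name__ == "__main__":
    # Constructed inventories: same hardware, different flash and sub-version.
    first = Unit("ASA5510", "7.1(1)", 256, 64, ("e0/0", "e0/1", "e0/2"),
                 security_plus=True)
    second = Unit("ASA5510", "7.1(2)", 256, 256, ("e0/0", "e0/1", "e0/2"),
                  security_plus=True)
    print(failover_precheck(first, second) or "units can be paired")
```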

FAILOVER IMPLEMENTATIONS
This last part discusses active/standby and active/active failover, the two implementations that Cisco supports for failover. Through version 6 of the OS, only active/standby was supported; active/active has been supported since version 7. This section discusses both types of failover and how the IP and MAC addresses of the units are handled in each.

Active/Standby Failover
An active/standby failover implementation has two units: primary and secondary. By default, the primary takes the active role and the secondary takes the standby role. Only the unit in the active role processes traffic between interfaces. Apart from a few parameters, all configuration changes made on the active unit are synchronized to the standby unit. The standby unit acts as a hot standby, or backup, for the active unit. It does not pass traffic through its interfaces. Its main function is to monitor the operation of the active unit and to promote itself to the active role if the active unit is no longer functioning.

Addressing and Failover
Each unit (or context) that participates in failover needs a unique IP address and MAC address for each subnet it is connected to. If a failover occurs, the unit that is currently standby is promoted to the active role and changes its IP and MAC addresses to those of the primary unit. The new active unit then sends frames out of each interface to update the MAC address tables of the directly connected devices. Note that the failed ASA does not become a standby unit until the problem that caused the failover has been resolved. Once the problem is fixed, the unit that previously had the active role rejoins failover in the standby role and takes the IP and MAC addresses of a normal standby unit. In active/standby failover there is no preemption; in active/active failover, however, it is an option.

Active/Active Failover
In an active/active failover implementation, both ASAs in the failover pair process traffic. To accomplish this, two contexts must be created: CTX1 takes the active role and forwards traffic for the LAN on the left and is standby for the LAN on the right, and vice versa for CTX2. Static routes on the directly connected routers are then used to load-balance traffic between the two contexts, if the contexts run in routed mode. If the contexts run in transparent mode, the directly connected routers can use dynamic routing protocols and two equal-cost paths through the contexts to the routers on the other side.

FAILOVER CABLING
Two types of connection can be used for failover:
+ Failover cable or link
+ Stateful cable or link

Failover Link
The failover link is used to replicate configuration commands and to share failover state information between the units of the failover pair. This link must be a dedicated connection between the two units, one that carries no user traffic. There are two types of failover link:
+ Serial
+ LAN-based failover (LBF)

Serial Cable
Connecting the units with a serial cable is supported only on the PIX. The serial cable is a Cisco-proprietary RS-232 cable that runs at 115 Kbps and has DB-15 connectors. PIX 515s and higher have the serial interface installed. One end of the cable is marked primary and is connected to the primary unit; the other end is marked secondary and is connected to the secondary unit. If you buy the PIXs as a failover bundle, with one UR and one FO license, the UR-licensed unit must be connected to the primary end of the cable and the FO-licensed unit to the secondary end. The maximum length of the cable is 2 to 3 meters, so the main disadvantage of this cable is that the two units must be physically close to each other.

LAN-based Failover Cable
LBF was introduced in version 6.2. LBF uses an Ethernet interface on each unit for failover communication. Cisco uses a proprietary IP protocol for this, so both units need IP addresses on their LBF interfaces to communicate with each other. The interface must be dedicated to failover and cannot be used for passing data; however, you can easily set up a trunk connection on an interface, with one VLAN dedicated to failover and other VLANs used for data.

Cisco designed LBF for companies that do not want the units to have to be physically close to each other. For example, if you have a campus network and the building that houses the firewalls loses power, serial failover is not a good choice for you. However, if you have the other unit in a different building, then when one building loses power you still have a unit in the second building to process traffic. And if you use fiber to connect the two buildings (which requires a copper-to-fiber converter for the RJ-45 interfaces), the two units can be several kilometers apart.

Despite these benefits, LBF has two limitations. First, unlike the serial cable, LBF cannot directly detect that the other unit has lost power; it has to rely on keepalives to detect this, so failover takes some time to happen. Second, certain failures cannot be detected if the cable connecting the two units is a crossover cable. For example, when you use a crossover cable to connect the two units directly, and an interface on the failover link fails, the two units cannot determine which of the two interfaces is the cause of the problem. In fact, in version 6 you cannot use a crossover cable. Cisco recommends that when you connect one unit to the other for failover, you use an intermediate switch, or a hub.

Stateful Link
If stateful failover is enabled, the stateful link is used to replicate state information between the two units. The state link must be an Ethernet interface; on the PIX, you cannot use the serial interface for this purpose. Because a large amount of information has to be replicated to the other unit, Cisco recommends that you do not use a data interface as the stateful link. Use a dedicated interface or, if you use LBF, run both LBF and stateful traffic on the same interface.

PIX Cabling
You should now understand the two types of link, failover and state. We start with the PIX, where, as the figure below shows, there are quite a few options. If you leave out the stateful link, only hardware redundancy is provided. When the two PIXs sit close together, the serial cable is used for the failover link. For units that are more than 3 meters apart, where you also need stateful failover, the recommendation is to run both the failover and the stateful link on the same interface.

ASA Cabling
Because the ASA has no serial interface, only Ethernet connections are used, which means you must use LBF; you have fewer options than with the PIX. As with the PIXs, if you also want to implement stateful failover, you should use the same Ethernet interface for both the failover and the stateful link.

FAILOVER OPERATION
Failover Communications

As discussed earlier, the failover link is serial on the PIX and Ethernet with LBF on the ASA. The failover link is used to communicate the following information between the units of the failover pair:
+ The state of the unit: active or standby
+ If the units are PIXs, their power status
+ Failover hello messages
+ The network link status of the interfaces on the unit
+ The exchange of the MAC addresses used on the unit's interfaces
+ The configuration of the active unit, synchronized to the standby unit

When stateful failover is implemented, the information carried over the stateful link from the active to the standby unit includes the xlate table, the conn table, VPN sessions (active/standby only), the MAC address table (in transparent mode), SIP signaling information and the current time. As you can see, not all state information is replicated across the state link. Excluded are the uauth table used by CTP, HTTP sessions, the local routing table, ARP, DHCP addresses, the SSM card, and so on.

Failover Triggers
Many things can trigger a failover on a unit: loss of power, the failure of one or more interfaces, a module failure, a software problem with memory, and, in other cases, the failover active command being executed on the standby unit.

Failover Link Monitoring
The failover pair monitors two basic kinds of interface: the failover link and the data interfaces. Failover hello messages are generated on the failover link every 15 seconds by default. If no hello is received from the other unit, an ARP is generated on all interfaces. If no reply is received from the peer unit on any of the interfaces, a failover occurs and the standby is promoted to active.

If no reply to the ARP is seen on the failover link, but replies are still seen on other interfaces (the stateful link or the data interfaces), no failover occurs. In this case the failover link is marked as failed.

Interface Monitoring
Interface monitoring is used to watch the status of all data links and stateful links on the unit. A maximum of 250 interfaces can be monitored on each unit. If a hello message from the peer unit is not seen on a monitored interface within the hold-down time, the unit runs interface tests on the suspect interfaces to determine whether a problem exists. The purpose of the interface tests is to determine which unit and which interface has the fault. Before each test begins, the received-packet statistics on the interface are cleared. During each test, each unit checks whether frames or packets are received; if they are, the interface is considered operational. If no traffic is seen during a test, the unit proceeds to the next test. The four interface tests the unit can run are:
+ Link up/down test: the interface is shut down and re-enabled, to check that the interface hardware works normally.
+ Network activity test: the unit looks for valid frames entering the interface every 5 seconds.
+ ARP test: the unit generates ARP queries for the two most recent entries in the ARP table, and looks for any valid frame (not just an ARP reply) entering the interface every 5 seconds.
+ Broadcast ping test: the unit generates a broadcast ping and then waits for valid frames entering the interface every 5 seconds.

Switch Connections
The units are normally connected to switches for their Layer 2 connections. Given that the units generate failover packets on all active interfaces by default, it is important that nothing interferes with this process, since that could cause an unintended failover or, in the worst case, temporarily leave no unit in the active state. It is important that the two interfaces that connect to the switch are in the same VLAN. Pay attention to STP, so that the interface connected to the security appliance does not end up in a non-forwarding (blocking) state. On a Cisco Catalyst switch you should enable PortFast, which keeps the ports in the forwarding state whenever STP runs. If you do not do this and the switch is not using Rapid STP (RSTP), then with ordinary STP the ports take 30 to 45 seconds to start forwarding, which causes a failover.

ACTIVE/STANDBY CONFIGURATION
This last part of the study of failover discusses how to configure failover on the appliances.

Active/Standby: PIXs and the Serial Cable
Step 1:
First, make sure that the second unit is not connected to the network. If the second unit was configured previously, erase its configuration:

Secondary# write erase

Then power off the second unit.
Step 2:
With the second unit powered off, plug the cable into both units, making sure that you plug one serial end into the primary and the other serial end into the secondary. Also connect the data interfaces to your network, and the stateful link if you are enabling stateful failover.
Step 3:
After you have connected the two units to the network, start configuring the first unit, which plays the primary role. First configure the IP addresses on the data interfaces. This differs slightly from a basic configuration, because you have to configure a pair of IP addresses. With failover, the interface has two IP addresses: one is used by the active unit, the other by the standby unit. These are the commands that configure the IP addresses on a data interface:

Primary(config)# interface phy_if_name
Primary(config-if)# ip address active_IP_addr net_mask standby standby_IP_addr

Step 4:
After configuring the IP addresses on the data interfaces, enable failover on the unit with the following command:

Primary(config)# failover

This command enables failover on the unit and, because the secondary unit is powered off, ensures that this unit takes the active role.
Step 5:
After enabling failover on the primary unit, check the failover process with the show failover command. Here is an example of checking failover on the primary unit while the secondary unit is still powered off:

Primary# show failover
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate Unknown
Last Failover at: 13:21:38 UTC Dec 10 2006
        This host: Primary Active
                Active time: 200 (sec)
                Interface outside (192.168.1.2): Normal (Waiting)
                Interface inside (10.0.1.1): Normal (Waiting)
        Other host: Secondary Not detected
                Active time: 0 (sec)
                Interface outside (192.168.1.7): Unknown (Waiting)
                Interface inside (10.0.1.7): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured

Step 6:
Now that the primary unit is running, power on the secondary unit. If you are on the console of the primary unit while the secondary unit boots, you will see:

Detected an active mate
Beginning configuration replication to mate.
End configuration replication to mate.

These messages show that the primary unit is configured correctly and has replicated its configuration to the secondary unit. If you are on the console of the secondary unit instead of the primary, you see the same messages with "from mate" where the primary shows "to mate".
Step 7:
Once the secondary unit is powered on and the configuration has been replicated from the primary, use the show failover command on the primary to check the operation of failover. Here is an example of this command on the primary unit:

primary# show failover
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 13:21:38 UTC Dec 10 2006
        This host: Primary Active
                Active time: 320 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary Standby Ready
                Active time: 0 (sec)
                Interface outside (192.168.1.7): Normal
                Interface inside (10.0.1.7): Normal

Stateful Failover Logical Update Statistics
        Link : Unconfigured

Step 8:
The last step, optional but recommended, is to test the failover configuration. You can power off the primary unit or, if you are on the console of the secondary, run the failover active command:

Secondary(config)# failover active

Active/Standby: LBF
Step 1:
First, make sure that the second unit is not connected to the network. If the second unit currently has a configuration, erase it:

Secondary# write erase

Then power off the unit.
Step 2:
After powering off the second unit, plug the Ethernet cables into the interfaces of both units: the data interfaces, the LBF interface and the stateful interface.
Step 3:
After you have connected the two units to the network, start configuring the primary unit. First configure the IP addresses on the data interfaces:

primary(config)# interface phy_if_name
primary(config-if)# ip address active_IP_addr net_mask standby standby_IP_addr

Step 4:
The LBF configuration in this step differs from that of the PIX with the serial failover cable. First decide which interface on the unit you will use for failover; it must be exactly the same on both units. Then enable the interface that will run LBF. This can be a physical interface or a logical interface (sub-interface) associated with a specific LAN:

primary(config)# interface physical_LBF_if_name
primary(config-if)# no shutdown

In either case, the failover link cannot be a data interface with a security level, a logical name or an IP address. After enabling the LBF interface on the primary unit, configure failover:

primary(config)# failover lan enable
primary(config)# failover lan unit primary
primary(config)# failover lan interface logical_LBF_if_name physical_LBF_if_name
primary(config)# failover interface ip logical_LBF_if_name primary_IP_addr subnet_mask standby secondary_IP_addr
primary(config)# failover key encryption_key
primary(config)# failover
primary# show failover

The failover lan enable command applies only to the PIX: it disables the use of the serial cable interface (the command does not exist on the ASA). The failover lan unit primary command specifies the role that the unit you are configuring plays in failover; in this case the unit is the primary. The failover lan interface command assigns a logical name to the LBF interface. The failover interface ip command assigns the IP addresses of the primary and secondary units for the LBF connection. When a failover occurs, these addresses do not change on either unit. Optionally, you can encrypt the LBF messages with the failover key command. If you want to encrypt this information, the primary and secondary units must use the same key. Finally, the failover command enables failover on the primary unit; at this point, check the state of the primary unit with the show failover command.
Step 5:
After the primary unit is configured, configure the secondary unit. Unlike serial failover, where you only have to plug the cable into the secondary unit and power it on for it to synchronize, LBF communicates over IP, so you need to do a little configuration on the secondary unit. In fact, the configuration in step 4 for the primary is the same as what you must configure on the secondary, with one exception: the secondary unit must take the secondary role, so you use the following command:

Secondary(config)# failover lan unit secondary

Step 6:
Now check the operation of failover on your units with the show failover command on both of them. Here is an example of the command on the secondary unit:

Secondary(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up)
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 18:03:38 UTC Dec 12 2006
        This host: Secondary Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
                Interface outside (192.168.1.7): Normal (Waiting)
                Interface inside (10.0.1.7): Normal (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
                IPS, 5.0(2)S152.0 Up
        Other host: Primary Active
                Active time: 3795 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
                Interface outside (192.168.1.2): Normal (Waiting)

Active/Standby: Optional Commands
These are the other options you can configure on units in active/standby failover:

ciscoasa(config)# failover link logical_if_name
ciscoasa(config)# failover replication http
ciscoasa(config)# [no] monitor-interface logical_if_name
ciscoasa(config)# failover polltime [unit | interface] [msec] time [holdtime time]
ciscoasa(config)# failover interface-policy number[%]
ciscoasa(config)# failover mac address phy_if active_MAC_addr standby_MAC_addr

To enable stateful failover, use the failover link command. If you are using LBF, the logical name for stateful failover can be the logical name of the LBF interface. By default, HTTP connections are not replicated when you use stateful failover. If you want HTTP connections to be replicated, use the failover replication http command.

Monitoring of physical interfaces is enabled by default: the unit generates failover keepalives on all physical interfaces. Monitoring of logical interfaces (sub-interfaces) is disabled by default. On a trunk connection, the keepalives are sent over the native (untagged) VLAN. You can change this with the monitor-interface command, specifying the logical name of the sub-interface.

The failover polltime command sets how often failover hellos are generated on the LBF, stateful and data interfaces. By default they are sent every 15 seconds. The value for the failover polltime command ranges from 1 to 15 seconds or, in milliseconds (msec), from 500 to 999. The hold time determines how long after hellos stop being received the interface is put into the failed state; it ranges from 2 to 75 seconds. You cannot enter a hold-time value that is more than 5 times the poll-time value.

By default, a single failed interface causes a failover. You can raise this value, the number of failed interfaces that causes a failover to occur, with the failover interface-policy command.

In active/standby, the MAC address of the primary is always associated with the active IP address. However, if the secondary boots first and takes the active role, it uses its own MAC address. So when the primary unit comes up and takes the active role, the secondary unit automatically obtains the MAC address from the primary and changes its own MAC address. You can configure a virtual MAC address for every interface except the LBF and stateful links. To configure a virtual MAC address, use the failover mac address command.

Active/Standby: Example Configuration
To help you understand how to configure active/standby on the units, let us look at a concrete example that uses the network shown in the figure below. Here I use ASA 5510s, which require an LBF failover LAN link. This example focuses mainly on the failover setup; the rest of the configuration can be studied later.

Primary Data Interfaces
First, configure the data interfaces on the primary unit, e0/0 and e0/1:

primary(config)# interface e0/0
primary(config-if)# no shutdown
primary(config-if)# ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
primary(config-if)# nameif outside
primary(config-if)# security-level 0
primary(config-subif)# exit
primary(config)# interface e0/1
primary(config-if)# no shutdown
primary(config-if)# ip address 10.0.1.111 255.255.255.0 standby 10.0.1.112
primary(config-if)# nameif inside
primary(config-if)# security-level 100
primary(config-if)# exit

Primary Failover Configuration
Next, I configure the LBF interface (e0/2) on the primary unit and enable failover:

primary(config)# interface e0/2
primary(config-if)# no shutdown
primary(config-if)# exit
primary(config)# failover lan unit primary
primary(config)# failover lan interface lanfail e0/2
INFO: Non-failover interface config is cleared on Ethernet0/2 and its sub-interfaces
primary(config)# failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
primary(config)# failover

Now I'll verify the failover operation and configuration on the primary:

primary(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate Unknown
Last Failover at: 00:25:08 UTC Jan 1 1993
        This host: Primary Active
                Active time: 465 (sec)
                Interface outside (192.168.11.1): Normal
                Interface inside (10.0.1.111): Normal
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                Interface outside (192.168.11.2): Unknown
                Interface inside (10.0.1.112): Unknown

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
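The show failover output above carries everything needed to tell whether the pair can actually survive a failure. The following parser is an added example, not part of the book or of any Cisco tool: it reads the output shown above (embedded as sample input) and reports the conditions this page describes, namely a missing mate, unit states other than Active and Standby Ready, interfaces that are not Normal, and an unconfigured stateful link. The function names are hypothetical.

```python
import re

# "show failover" output of the primary while the secondary is still
# unconfigured, reproduced from the transcript on this page.
PRIMARY_ALONE = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate Unknown
Last Failover at: 00:25:08 UTC Jan 1 1993
        This host: Primary Active
                Active time: 465 (sec)
                Interface outside (192.168.11.1): Normal
                Interface inside (10.0.1.111): Normal
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                Interface outside (192.168.11.2): Unknown
                Interface inside (10.0.1.112): Unknown

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

# The dash between role and state is optional because it is missing on
# some lines of the transcripts on this page.
HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+(?:-\s+)?(.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\):\s+(.+)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


def parse_show_failover(text):
    """Turn 'show failover' text into a dict; unrecognised lines are ignored."""
    status = {"enabled": None, "unit": None, "lan_interface": None,
              "versions": {}, "hosts": {}, "stateful_link": None}
    current = None  # host block ("this" or "other") the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            status["enabled"] = line.endswith("On")
        elif line.startswith("Failover unit "):
            status["unit"] = line.split()[-1]
        elif line.startswith("Failover LAN Interface:"):
            status["lan_interface"] = line.split(":", 1)[1].strip()
        elif (m := VERSION_RE.match(line)):
            status["versions"] = {"ours": m.group(1), "mate": m.group(2)}
        elif (m := HOST_RE.match(line)):
            current = m.group(1).lower()
            status["hosts"][current] = {"role": m.group(2), "state": m.group(3),
                                        "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            status["hosts"][current]["interfaces"][m.group(1)] = m.group(3)
        elif line.startswith("Link :"):
            status["stateful_link"] = line.split(":", 1)[1].strip().rstrip(".")
    return status


def assess(status):
    """Return findings an operator should act on; an empty list means healthy."""
    findings = []
    if not status["enabled"]:
        findings.append("failover is not enabled on this unit")
    this = status["hosts"].get("this")
    other = status["hosts"].get("other")
    mate_seen = other is not None and other["state"].lower() != "not detected"
    if this is None:
        findings.append("no 'This host' block found in the output")
    elif not mate_seen:
        findings.append("mate not detected: no standby unit can take over")
    elif sorted([this["state"], other["state"]]) != ["Active", "Standby Ready"]:
        findings.append(f"unexpected unit states: {this['state']} / {other['state']}")
    # Interfaces of an undetected mate are expected to be Unknown; skip them.
    for label, host in (("this", this), ("other", other if mate_seen else None)):
        for name, state in (host["interfaces"] if host else {}).items():
            if not state.startswith("Normal"):
                findings.append(f"{label} host interface {name} is {state}")
    if status["stateful_link"] in (None, "Unconfigured"):
        findings.append("stateful link unconfigured: hardware failover only, "
                        "active connections are lost when the units switch roles")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_show_failover(PRIMARY_ALONE)):
        print("-", finding)
```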

Secondary Failover Configuration

Now that the primary is configured, I will configure the secondary. Before you begin, make sure you have erased the configuration on the secondary device. Here is the secondary configuration:

secondary(config)# interface e0/2
secondary(config-if)# no shutdown
secondary(config-if)# exit
secondary(config)# failover lan unit secondary
secondary(config)# failover lan interface lanfail e0/2
INFO: Non-failover interface config is cleared on Ethernet0/2 and its sub-interfaces
secondary(config)# failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
secondary(config)# failover
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
primary(config)#

As you can see, the only difference between the primary and the secondary is the failover lan unit command. Note that after the configuration is automatically replicated between the two devices, the second device's name changes from secondary to primary. This happens because the primary copies its entire configuration, including the hostname command, to the secondary. Now check the operation on the secondary:

primary(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 20:37:30 UTC Jul 2 2008
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.168.11.2): Normal
                  Interface inside (10.0.1.112): Normal
        Other host: Primary - Active
                Active time: 1545 (sec)
                  Interface outside (192.168.11.1): Normal
                  Interface inside (10.0.1.111): Normal

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Optional Commands:

With failover working, I decided to enable stateful failover and change the hello interval with the following commands:

primary(config)# failover link lanfail
primary(config)# failover polltime msec 500
INFO: Failover unit holdtime is set to 2 seconds

We will check the failover configuration with the show failover command on the primary device:

primary(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 21:42:26 UTC Jul 2 2008
        This host: Primary - Active
                Active time: 452 (sec)
                  Interface outside (192.168.11.1): Normal
                  Interface inside (10.0.1.111): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.168.11.2): Normal
                  Interface inside (10.0.1.112): Normal

Stateful Failover Logical Update Statistics
        Link : lanfail Ethernet2 (up)
        Stateful Obj    xmit    xerr    rcv     rerr
        General         17      0       15      0
        sys cmd         15      0       15      0
        up time         0       0       0       0
        RPC services    0       0       0       0
        TCP conn        0       0       0       0
        UDP conn        0       0       0       0
<--output omitted-->

You can see that the stateful link is lanfail. You now have a working stateful failover.
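
The show failover captures in this section differ in exactly the fields an operator should check: the mate's version and state, the monitored-interface count, per-interface status and the stateful link. The following is an added example, not part of the original book: a small parser that turns one Active/Standby capture into finding codes. The function name, the finding codes and the abridged sample are assumptions made for illustration.

```python
import re

# Constructed input: the secondary's "show failover" output from the
# Active/Standby example above, abridged, with line breaks restored.
SAMPLE = """\
Failover On
Failover unit Secondary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
        This host: Secondary - Standby Ready
                  Interface outside (192.168.11.2): Normal
                  Interface inside (10.0.1.112): Normal
        Other host: Primary - Active
                  Interface outside (192.168.11.1): Normal
                  Interface inside (10.0.1.111): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

HEALTHY_PEER_STATES = {"Active", "Standby Ready"}

def audit_show_failover(text):
    """Return finding codes for one Active/Standby 'show failover' capture."""
    findings = []
    if not re.search(r"^Failover On\s*$", text, re.M):
        findings.append("FAILOVER_OFF")
    link = re.search(r"^Failover LAN Interface: \S+ \S+ \((\w+)\)", text, re.M)
    if not link or link.group(1) != "up":
        findings.append("FAILOVER_LINK_DOWN")
    # "Mate Unknown" (peer never seen) also counts as a mismatch here.
    ver = re.search(r"^Version: Ours ([^,\s]+), Mate (\S+)", text, re.M)
    if ver and ver.group(1) != ver.group(2):
        findings.append(f"VERSION_MISMATCH:{ver.group(1)}/{ver.group(2)}")
    # With zero monitored interfaces, interface health is not tested.
    mon = re.search(r"^Monitored Interfaces (\d+) of", text, re.M)
    if mon and int(mon.group(1)) == 0:
        findings.append("NO_MONITORED_INTERFACES")
    peer = re.search(r"Other host: \w+ - (.+)", text)
    state = peer.group(1).strip() if peer else "missing"
    if state not in HEALTHY_PEER_STATES:
        findings.append(f"PEER_STATE:{state}")
    for name, ip, st in re.findall(r"Interface (\S+) \(([\d.]+)\): (\S+)", text):
        if st != "Normal":
            findings.append(f"INTERFACE:{name}({ip})={st}")
    # Hardware-only failover: existing connections are lost on a switchover.
    if re.search(r"Link\s*:\s*Unconfigured", text):
        findings.append("STATEFUL_LINK_UNCONFIGURED")
    return findings

if __name__ == "__main__":
    for finding in audit_show_failover(SAMPLE):
        print(finding)
```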

ACTIVE/ACTIVE CONFIGURATION
Configuring Active/Active failover requires you to put both devices in multiple-context mode. You will need two contexts. For how to switch to multiple-context mode, consult other ASA/PIX documentation.

LBF Configuration

Step 1:
This is the same as configuring active/standby LBF failover in the previous section. In the first step, make sure the secondary device is not connected to the network. If the secondary has been configured, erase it.

Secondary# write erase

Then power off the secondary device.

Step 2:
Once the secondary is powered off, cable the Ethernet interfaces: the data interfaces, the LBF interface and the stateful interface. The rest is the same as for the active/standby configuration.

Step 3:
Next, switch the device to multiple mode with the mode multiple command. Then enable the appropriate interfaces that you will use on the primary device.

Step 4:
After you configure the two contexts, enter each context's configuration (using the changeto context command) and configure two addresses (active and standby) for each data interface. The command is the same as the one you used for active/standby, except that you must be in the context to run it.

ciscoasa(config)# interface phy_if_name
ciscoasa/context(config-if)# ip address active_IP_addr net_mask standby standby_IP_addr

Step 5:
Enable active/active failover using LBF for the failover link, as for active/standby. Failover is actually configured in the system area, not in the contexts. In the system area, you need to enable the LBF interface and configure failover:
primary(config)# interface physical_LBF_if_name
primary(config-if)# no shutdown
primary(config-if)# exit
primary(config)# failover lan enable
primary(config)# failover lan unit primary
primary(config)# failover lan interface logical_LBF_if_name physical_LBF_if_name
primary(config)# failover interface ip logical_LBF_if_name primary_IP_addr net_mask standby secondary_IP_addr
primary(config)# failover key encryption_key

Note that if you are using a PIX and will use LBF, you need to run the failover lan enable command. Also, do not enable failover at this point; you first need to create the failover groups, which is covered next.

Step 6:
In this step you create two failover groups. A failover group determines which role, primary or secondary, applies. For example, if you have contexts CTX1 and CTX2, make one context a member of group 1 and the other a member of group 2, splitting the primary and secondary roles between the two devices. To create your failover groups, use the following configuration:

primary(config)# failover group 1
primary(config-fover-group)# primary
primary(config-fover-group)# exit
primary(config)# failover group 2
primary(config-fover-group)# secondary
primary(config-fover-group)# exit

To associate a failover group with a context, so that failover knows the role it plays for that context, use the following commands:

primary(config)# context context_name
primary(config-ctx)# join-failover-group {1 | 2}
primary(config-ctx)# exit

After you have associated each failover group with its context, you can go back and enable failover on the primary device:

Primary(config)# failover

You can use the show failover command to check your configuration:

Primary(config)# show failover [group group_#]

Step 7:
Once LBF is fully configured on the primary, you need to start configuring the secondary. You also need to switch the secondary to multiple-context mode. After switching to multiple mode, you can configure LBF from the system area. The LBF configuration on the secondary is based on the primary's, except for the failover lan unit command.

secondary(config)# interface physical_LBF_if_name
secondary(config-if)# no shutdown
secondary(config-if)# exit
secondary(config)# failover lan enable
secondary(config)# failover lan unit secondary
secondary(config)# failover lan interface logical_LBF_if_name physical_LBF_if_name
secondary(config)# failover interface ip logical_LBF_if_name primary_IP_addr net_mask standby secondary_IP_addr
secondary(config)# failover key encryption_key
secondary(config)# failover

Again, you must be in the system area when configuring LBF. Also note that you do not have to configure the failover groups or the contexts; you only need to enable failover with the failover command. Once you have configured everything correctly, the secondary connects to the primary and the two devices synchronize, with the secondary automatically pulling the information from the primary.

Optional Commands

Many of the options available for active/standby also exist in active/active. The main difference is where you run the commands. Below are the optional commands that let you further configure active/active failover:

standby(config)# [no] failover active group group_#
active(config)# failover link logical_LBF_if_name
active(config)# failover group {1 | 2}
active(config-fover-group)# preempt [seconds]
active(config-fover-group)# replicate http
active(config-fover-group)# polltime interface [msec] time [holdtime time]
active(config-fover-group)# interface-policy number[%]

The failover active group command is run on the standby device; it brings that device to the active state for the contexts belonging to the group, and the currently active device is pushed down to standby for that group. The failover link command enables stateful failover on the device. Preemption lets a device return to the active role, taking over from the standby that was promoted to active when the device failed earlier. To enable preemption, use the preempt command; you can specify the number of seconds to wait before preemption occurs. To change the hello interval, use the polltime command. To change the number of failed interfaces that triggers a failover, use the interface-policy command.

Example Configuration

To help you better understand active/active failover configuration on the devices, let's look at the example below. Note that this example still focuses only on the failover configuration; for other topics, refer to the detailed books on ASA/PIX.

Active/Active Example: Primary Initial Configuration

First, you need to switch the device to multiple mode and then enable the interfaces:

primary(config)# mode multiple
<--output omitted-->
primary(config)# interface e0/0
primary(config-if)# no shutdown
primary(config-if)# exit
primary(config)# interface e0/1
primary(config-if)# no shutdown
primary(config-if)# exit
primary(config)# interface e0/2
primary(config-if)# no shutdown
primary(config-if)# exit

primary(config)# interface e0/0.1
primary(config-subif)# vlan 311
primary(config-subif)# exit
primary(config)# interface e0/0.2
primary(config-subif)# vlan 312
primary(config-subif)# exit
primary(config)# interface e0/1.1
primary(config-subif)# vlan 101
primary(config-subif)# exit
primary(config)# interface e0/1.2
primary(config-subif)# vlan 102
primary(config-subif)# exit

e0/0.1 and e0/1.1 will be in the ct1 context; e0/0.2 and e0/1.2 will be in the ct2 context.

Active/Active Example: Primary Failover Configuration

Next, I will configure failover on the primary, using e0/2 as the LBF interface:

primary(config)# failover lan interface lanfail e0/2
primary(config)# failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
primary(config)# failover link lanfail
primary(config)# failover lan unit primary
primary(config)# failover polltime msec 500
primary(config)# failover group 1
primary(config-fover-group)# exit
primary(config)# failover group 2
primary(config-fover-group)# exit
primary(config)# failover
Group 1 No Response from Mate, Switch to Active
Group 2 No Response from Mate, Switch to Active
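
Step 5 lists failover key, but the worked bootstrap commands never set one, and without a key the failover link traffic is sent in clear text; the secondary must also repeat the same LAN-link lines with only failover lan unit changed. The following is an added example, not part of the original book, that checks a primary/secondary pair of bootstrap command lists for those points. The function names, finding codes and inputs (prompts stripped, commands as typed) are assumptions made for illustration.

```python
import ipaddress

# Constructed input: the LAN-based failover bootstrap lines typed on each
# unit in this page's examples (prompts stripped). Neither sets a key.
PRIMARY = """\
failover lan unit primary
failover lan interface lanfail e0/2
failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
failover
"""
SECONDARY = """\
failover lan unit secondary
failover lan interface lanfail e0/2
failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
failover
"""

# Commands that must be identical on both units.
SHARED = ("failover lan interface", "failover interface ip", "failover key")

def bootstrap(config):
    """Map each bootstrap command prefix to the arguments given for it."""
    found = {}
    for line in config.splitlines():
        line = " ".join(line.split())
        for prefix in SHARED + ("failover lan unit",):
            if line.startswith(prefix + " "):
                found[prefix] = line[len(prefix) + 1:]
    return found

def audit_pair(primary_cfg, secondary_cfg):
    """Return finding codes for a primary/secondary pair of bootstrap configs."""
    p, s = bootstrap(primary_cfg), bootstrap(secondary_cfg)
    findings = []
    roles = (p.get("failover lan unit"), s.get("failover lan unit"))
    if roles != ("primary", "secondary"):
        findings.append(f"UNIT_ROLES:{roles[0]}/{roles[1]}")
    for prefix in SHARED:
        if p.get(prefix) != s.get(prefix):
            findings.append(f"MISMATCH:{prefix}")
    if "failover key" not in p or "failover key" not in s:
        findings.append("NO_FAILOVER_KEY")
    # Expected form: <name> <active_ip> <mask> standby <standby_ip>
    args = p.get("failover interface ip", "").split()
    if len(args) == 5 and args[3] == "standby":
        net = ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False)
        if ipaddress.ip_address(args[4]) not in net or args[4] == args[1]:
            findings.append("BAD_STANDBY_ADDRESS")
    else:
        findings.append("NO_FAILOVER_LINK_ADDRESS")
    return findings

if __name__ == "__main__":
    print(audit_pair(PRIMARY, SECONDARY))
```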

Active/Active Example: Primary Context Configuration

Once failover is complete on the primary device, I need to set up the contexts. The example below creates ct1 and ct2.
primary(config)# admin-context ct1
primary(config)# context ct1
primary(config-ctx)# allocate-interface e0/0.1
primary(config-ctx)# allocate-interface e0/1.1
primary(config-ctx)# config-url flash:/ct1.cfg
primary(config-ctx)# join-failover-group 1
primary(config-ctx)# exit
primary(config)# context ct2
primary(config-ctx)# allocate-interface e0/0.2
primary(config-ctx)# allocate-interface e0/1.2
primary(config-ctx)# config-url flash:/ct2.cfg
primary(config-ctx)# join-failover-group 2
primary(config-ctx)# exit

After creating the contexts, I switch to them and set the IP addresses on the data interfaces.

primary(config)# changeto context ct1
primary/ct1(config)# interface e0/0.1
primary/ct1(config-if)# nameif outside
primary/ct1(config-if)# security-level 0
primary/ct1(config-if)# ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
primary/ct1(config-if)# no shutdown
primary/ct1(config-if)# exit
primary/ct1(config)# interface e0/1.1
primary/ct1(config-if)# nameif inside
primary/ct1(config-if)# security-level 100
primary/ct1(config-if)# ip address 10.0.1.111 255.255.255.0 standby 10.0.1.112
primary/ct1(config-if)# no shutdown
primary/ct1(config-if)# exit
primary/ct1(config)# changeto context ct2
primary/ct2(config)# interface e0/0.2
primary/ct2(config-if)# nameif outside
primary/ct2(config-if)# security-level 0
primary/ct2(config-if)# ip address 192.168.12.2 255.255.255.0 standby 192.168.12.1
primary/ct2(config-if)# no shutdown
primary/ct2(config-if)# exit
primary/ct2(config)# interface e0/1.2
primary/ct2(config-if)# nameif inside
primary/ct2(config-if)# security-level 100
primary/ct2(config-if)# ip address 10.0.2.112 255.255.255.0 standby 10.0.2.111
primary/ct2(config-if)# no shutdown
primary/ct2(config-if)# exit
Active/Active Example: Secondary Configuration

Once the primary is complete, I connect to the console port of the secondary device and configure it:

secondary(config)# mode multiple
<--output omitted-->
secondary(config)# interface e0/2
secondary(config-if)# no shutdown
secondary(config-if)# exit
secondary(config)# failover lan interface lanfail e0/2
secondary(config)# failover interface ip lanfail 172.16.100.1 255.255.255.0 standby 172.16.100.2
secondary(config)# failover lan unit secondary
secondary(config)# failover
Detected an Active mate
Beginning configuration replication from mate.
WARNING: Unable to delete ct1 context, because it doesn't exist.
INFO: Admin context is required to get the interfaces
Creating context 'ct1'... Done. (1)
WARNING: Skip fetching the URL flash:/ct1.cfg
INFO: Creating context with default config
INFO: ct1 context will take some time to come up .... please wait.
Creating context 'ct2'... Done. (2)
WARNING: Skip fetching the URL flash:/ct2.cfg
INFO: Creating context with default config
Group 1 Detected Active mate
Group 2 Detected Active mate

Note that when failover is enabled, the secondary device automatically has the two contexts pushed to it (including their configuration). Below is the state of the secondary device after configuration:

secondary(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Group 1 last failover at: 00:52:14 UTC Jan 1 1993
Group 2 last failover at: 00:52:14 UTC Jan 1 1993

  This host:    Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)
<--output omitted-->

In this case, the secondary device is in the standby state for both contexts.

Active/Active Example: Primary Preemption Configuration

The purpose of using active/active failover is to have both devices process traffic, so you need to configure preemption so that a device can reclaim the active role after recovering from a failed state. Below is the configuration on the primary:

primary(config)# failover group 1
primary(config-fover-group)# primary
primary(config-fover-group)# preempt
primary(config-fover-group)# exit
primary(config)# failover group 2
primary(config-fover-group)# secondary
primary(config-fover-group)# preempt
primary(config-fover-group)# exit

Now, when I examine the failover state on the devices, each device is active for one context and standby for the other.

primary(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: lanfail Ethernet0/2 (up)
Unit Poll frequency 500 milliseconds, holdtime 2 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Group 1 last failover at: 01:15:13 UTC Jan 1 1993
Group 2 last failover at: 01:11:19 UTC Jan 1 1993

  This host:    Primary
  Group 1       State:          Active
                Active time:    329 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

                ct1 Interface outside (192.168.11.1): Normal (Not-Monitored)
                ct1 Interface inside (10.0.1.111): Normal (Not-Monitored)
                ct2 Interface outside (192.168.12.1): Normal (Not-Monitored)
                ct2 Interface inside (10.0.2.111): Normal (Not-Monitored)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    367 (sec)
  Group 2       State:          Active
                Active time:    696 (sec)

                ct1 Interface outside (192.168.11.2): Normal (Not-Monitored)
                ct1 Interface inside (10.0.1.112): Normal (Not-Monitored)
                ct2 Interface outside (192.168.12.2): Normal (Not-Monitored)
                ct2 Interface inside (10.0.2.112): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : lanfail Ethernet0/2 (up)
<--output omitted-->

In the example above, the primary device is active for failover group 1 (the ct1 context), and the secondary device is active for failover group 2 (the ct2 context). Also note the state of the data interfaces: Not-Monitored. Be advised that, by default, subinterfaces do not carry the failover hello packets; only the native VLAN on trunk interfaces does. You can, however, enable this feature on the device if needed.

Wish you success in the Cisco Way
