ASA Day 9 Firewall Failover

Right, today's topic is firewall failover. What is firewall failover? You can have more than one firewall, so that if one fails there will be another one taking its place and providing security. Protecting our network is very important; at any cost we need our data, we need our network, to be protected, so only one firewall is not always enough. There are various reasons why a firewall may go down: a power cut, maybe an issue with some loose cabling, some software corruption, or some failure of the hardware. For any of these reasons a firewall can go down, and if it goes down then there is no security. To make sure I always have my firewall, what we do is keep redundant firewalls: even if one goes down, we have another one to take over. We call this failover. With more than one ASA, we make one the active and the other the standby; we call this failover. So you always have security; the availability of the firewall service is always there when we have redundant firewalls in our network topology.

The ASA supports both active/active as well as active/standby failover. Active/active failover is less common; active/standby is very commonly seen and popular. For active/active we need to enable an additional feature called multiple context. If we have multiple context then we can have active/active failover between two firewalls, but when we have active/active failover we cannot have VPN, so that is one limitation of going for active/active. What is more popular and commonly seen is active/standby.

So what are the ASA series that support this? Question from a student: what is the difference between active/active and active/standby, are both the same? Good question. I thought I would give a detailed explanation in the coming slides, but I appreciate that you have already asked the question. Active/standby is like this: you are going for an exam, you have two pens, but you can only write with one. Active/standby is that: the pen you are writing with is active, and the other one inside the box or on the table, which you are not using, is standby. It will be used only when the pen you are writing with goes bad. That is active/standby: one is active and the other is standby. What is active/active? You are super talented, you want to write two questions at the same time, so you are writing two questions in parallel, one with the right hand and another with the left hand, two different questions at the same time. You are writing using both pens, one pen on the left and another on the right, one paper on the left and another paper on the right, and it is not the same question you are writing on both papers, it is two different questions. Likewise, some of the network traffic you send via ASA 1 and the other traffic you send via ASA 2, so both firewalls are actively working, but they are working for two different traffic flows coming from your network. Active/active: both firewalls are up and running, both firewalls are working for two different traffic flows coming from the network. In case one of the firewalls goes down, all the traffic will pass through the only ASA which is currently working; again, when the second ASA comes back, the load is shared again: one traffic flow goes via ASA 1 and the other goes back to ASA 2 because it has come back. That is not the case with active/standby: one will always be busy taking all the traffic and the other will be sleeping, waiting for the active to go down; only when the active goes down does the standby take the active role.

Now the devices in the ASA series that support failover: for the 5510, a Security Plus license is needed. The same 5510 with a base license does not support it; you need to buy the key, some digital value they send through email. If you purchase the Security Plus license you just copy that activation key, paste it on the CLI and then reboot the device, and you have the feature enabled. The base license does not come with this failover feature; the Security Plus license on the 5510 supports both active/active and active/standby failover.

Now what is this, how does it work, and why is it important? See, active/standby: if this one is active and this one is standby, active/standby means all the traffic is going through ASA 1, but as soon as ASA 1 goes down, this one will pick up: all the traffic that was going through ASA 1 will start going via ASA 2. For that, these two need to be in sync; only then will ASA 2 know from where to continue. We call this stateful failover. If there is no concept of synchronization, then this one has to learn everything from the beginning when it becomes active from standby, which will give some downtime in the network. So the ASA supports active/standby failover with stateful failover and without it; stateful and stateless are both supported. Stateful means any change happening on the active device is reflected here: when a new route is learned in the routing table, the route gets updated in parallel on ASA 2; when a MAC address is learned and the ARP table is updated, ASA 2 also gets the same update in parallel, so that if ASA 1 goes down the backup, the standby, can take the role of ASA 1 and work exactly the same as ASA 1 from that point. This is active/standby.

Question from a student: what is the latest firewall that the industry is using now? So the 5510 supports both, but you need a license, whereas all the other models support both active/standby and active/active. Even the ASA next-generation series, the 5500-X: the 5512-X, the 5515-X, the 5525-X, they all support it. Okay, the 5512-X does not support it with the basic license; for the 5512-X it is the Security Plus license. The 5515-X and above support it by default. So active/standby failover is supported in all the series.

As we already discussed, active/standby means one firewall unit in the pair will be active and the other will be standby, but the standby will be kept synced with the active device. The standby will be synchronized with the active device every time a change happens on the active device, when the stateful failover feature is enabled. So we will configure failover on the active device and the standby device, and we also need to do an additional configuration for stateful failover. When stateful failover is enabled along with failover, only then will the sync between the active and the standby happen; otherwise it is just failover. If you don't have stateful failover, meaning it is stateless, the problem is that when the active device goes down the standby device has to do everything from scratch: route learning, MAC address learning, ARP, and the telnet session, whatever session was going through the active device, will get disconnected; now you need to reconnect it through the standby device. Whereas in stateful failover, when the active device goes down, even your telnet session will not break, as the standby is going to take the position of the active device. After failover occurs, the same connection information is available on the standby unit, which automatically becomes active without any disconnection of user traffic. That's what I was saying: I gave you an example and I told you, even if you have a telnet connection through the active device and the active device goes down, it will start going via the standby device and there won't be a packet drop; the telnet session will not get dropped, the session will still remain, no disconnection of user traffic. So that is what stateful synchronization means. The stateful connection information that is synchronized between the active and standby units includes the global pool addresses, the MAC addresses, the routing table, all those things, plus the status, connection and translation information, meaning your NAT, your ACLs, everything gets synchronized: TCP/UDP state, the NAT table, the ARP table, all these things are synchronized between the active device and the standby device when we enable stateful synchronization, or stateful failover. But again I am telling you, you need a separate command to do it.

So this diagram explains how this failover happens. You see inside we have some computers in the 192.168.1.0 network, and they are connected through a switch to both firewalls, and one device is active and the other is standby. How one becomes active and the other becomes standby depends on your configuration. When you go to the top ASA and configure it with the command `failover lan unit primary`, that device becomes active, and on the second ASA below we say `failover lan unit secondary`, so that one takes the role of standby. Now when the active goes down, the standby becomes active and all the traffic goes through it. When the active comes back, this one will still remain active and that one will go standby by default, but there is an option called preemption. When you enable preemption, as long as the active is alive it will remain active; when the active goes down the standby becomes active, but when the active comes back again it will retain its position, the active will become active again. But it is not the default; you need to enable preemption.

Now this is the link which updates the status between the two. How does the standby device know that the active is going down? Through this link, the failover link, the standby will know that the active has gone down, because they keep pinging each other, they simply keep sending keepalive messages; when the active is not responding, the standby becomes active. It is all because of this failover link. Now the same link can also be used for synchronizing these two devices, or you can also have a separate link, one for failover and another for the stateful link.

Now what is the main requirement for you to have this active/active or active/standby failover? The basic requirement is that we cannot take two different ASA series and form a pair; this is the main concern. Both must be the same platform model: if one is a 5520, both should be 5520; if it is a 5530, both should be 5530. Then the configuration also needs to be the same, meaning the number of interfaces, the bandwidth supported on the interfaces, all those need to be the same. Not only that, they need to be in the same operating mode. What is that operating mode? We will be dealing with three different operating modes: the default mode is single mode, so both can be single mode, or both can be transparent mode, or both can be multiple context mode, but one cannot be in single mode while the other is in multiple context mode; both devices must be in the same mode. That is what our next topic is going to be, the transparent firewall; we will talk about that in the next class. They must have the same amount of flash and RAM, that is mandatory; the flash size must be the same on both. The licensed features also should be the same, all right, so if it is a 5510 or a 5512-X you must have the Security Plus license on both devices. All right, so these are all the basic requirements.

Now what is the link that is connected between the pair? We call it the failover link. Why do we need this failover link? It's to detect the failure between these two appliances: if one appliance fails, the other appliance will come to know only when we have this link. Not only that, the same link can be configured to provide the stateful synchronization between these two firewalls. So for the failover link you need a dedicated Ethernet interface, and for the stateful link a separate dedicated interface is recommended; in case you want to use the same interface for both the failover link and the stateful link, you can do it, nothing wrong in it. This link can be a crossover cable or a straight-through cable, that doesn't matter, but when we are doing this lab in the GNS3 environment you need to connect through a switch; in the real world you can have a crossover cable or a straight cable connected back-to-back directly between these two appliances. Which port will connect? Any port; any port that is configured for the failover link in the CLI, any available port, can be used, but when you configure it make sure you give the same port name. Here G0/2 is what is used as the failover link. One more thing that is very important: if I connect G0/2 to the failover link, on the other side also it should be G0/2. When you use G0/1 here as inside, it should be the same G0/1 that connects to the inside LAN on the other device; you cannot change this numbering between the two devices. Outside here is G0/0, so there it should be G0/0, it should be the same. These are basic things to know. Another thing is that the failover link should be at least 100 Mbps full duplex.

Okay, this shows the steps to configure. First select one of the devices as the active device and put all the necessary configuration on it. Don't connect the standby device to the active device's interfaces yet. Make sure you have at least 100 Mbps full duplex, and then PortFast, if it is needed: configure PortFast on the interfaces on the switches, so that the switch interfaces come up first; otherwise what will happen is the link may not come up in time. PortFast should be enabled, and the reason is that we are configuring one as active and another as standby, and the connection is considered a connection to a host, not to a switch. Then in the configuration you need to define what interface you are going to use for failover purposes, in our case interface G0/2, and then you need to provide the IP address of the interface along with a standby IP address. When I configure it you will understand this better. What I am coming to say is that you won't do any configuration for this interface on the standby device. On the active device you put an IP address for this interface as well as the standby IP address; for the inside interface you put an IP address for this interface as well as a standby IP address; the same for the outside interface, and the same for the failover interface. So every IP address you configure only here, and when they find the mate, when they discover the mate, they put the standby IP address automatically on the device which is configured as the standby device.

So this is the command that we use: on the active device we say `failover lan unit primary`, on the standby device we say `failover lan unit secondary`, and then we say `failover lan interface`, give any name, and G0/2; you can give any name here, just use the same name everywhere. And if you want to use the same interface for stateful, the command is `failover link` with the same name, e.g. G0/2; if you have a different interface then you give the different interface and a different name to identify it. Then provide the IP address for that failover interface: `failover interface ip` with the same name that you gave, the IP address and mask, then the `standby` keyword and the standby IP address. At last you give the command `failover` to enable failover. You will do almost the same on the standby device.

So here is an example of the configuration. First of all go inside the interface and say `no shutdown`, then come out. In global mode, `failover lan unit primary` means this is the active device. `failover lan interface`: this is the name that I have given, it can be anything; I'm saying for failover, for the keepalives, I want to use Gig 0/2. `failover link` means for statefulness I would like to use the same interface. And this is the IP address: `failover interface ip`, on the active device this IP address and on the standby device this IP address; `failover` enables it. The only difference that you will do on the standby device is `secondary`; all the rest of the commands are the same. Then on the primary device you need to configure IP addresses for the inside and outside interfaces, but not just the IP address and subnet mask: you also need to provide the IP address that will be used on the standby device, and this you need to configure on the active device itself. Usually you will not configure an IP address, a nameif, or a security level on the standby device; you do it only on the active device, but make sure you say `no shutdown` on every standby device interface. `no shutdown` should be given on the standby device; all the configuration goes on the active device.

Now you can also use this command. So far we were talking like: if ASA 1 goes down, ASA 2 will become active. Suppose ASA 1 did not go down; let's assume this link goes down. Even now I want to send the traffic via ASA 2, because the link from ASA 1 to the internet has gone down. If that is so, then you need to use this command: `monitor-interface outside`, because this interface name is outside. So you monitor the interface; if that interface goes down, immediately the other will become active. Or if you want to say "if the inside interface goes down I want to failover", then you say the command `monitor-interface inside`. By default, only when the ASA itself goes down will the failover happen, but if you want to do failover even if an interface goes down, you can mention which interface, both if you like: inside separately, outside separately.

So I configure the standby device as I told you: only one command will be different, that is `failover lan unit secondary`. Even the IPs, everything will remain the same as you configured there, so you can mostly cut and paste, only changing that one keyword, that's it. After you do that, when you reboot the standby device, you will see it sending some messages to the pair, to the mate; once the mate is discovered they get synchronized, then you save the configuration.

So this is how the verification command looks: `show failover`. I'm typing this command on the active device; it says this is the primary device and it's active. Failover state: stateful. It shows when the failover happened and at what time; for every state change it will show you very clearly the date and time.

All right, so failover is nothing but providing redundant firewalls where one is active and another is standby, which is the popular way; active/active can also be done, but for that you need to learn the next topic called multiple context, that is our next topic. Without knowing multiple context you cannot do active/active failover. So in the next class what we are going to do is a lab on the sub-interfaces, the VLANs, as well as the failover.

Is there any question on ASA failover? Question from a student: for the standby, what type of configuration is to be given to the interfaces? Nothing, you will not give anything on the interfaces; on the inside and on the outside you will say only `no shutdown`. On the standby device, the only configuration that you will do is this one, and this also uses the same IP addresses that you gave on the active device, the same IPs: .99.1 comes first, .99.2 comes later. On ASA 1 you say 99.1 comes first and 99.2 comes later; on the standby it is the same thing, not reversed, 99.1 comes first and 99.2 comes later; only here the command will be secondary. But on the active device you will also configure the inside and outside interfaces, and on the active device's inside interface itself we give the IP for the standby inside, so you need not configure that on the standby device. So when the active goes down, the active IP 192.168.1.1 is taken over by the standby device that becomes active. This address, 192.168.1.2, is just there to identify the standby, that's it. So this 192.168.1.2 is in no way going to be used for your traffic, only for management. When the active goes down and the standby device becomes active, it is going to claim the first address, 192.168.1.1, as the inside interface address. Okay, when I do this lab and show you the output you will understand this better. Right, any other question?
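Here is the complete active/standby configuration for both units as described in the lecture, written out as an added example (it is not the course's own lab file). The interface assignments follow the lecture: G0/2 is the shared failover and stateful link, G0/1 is inside with 192.168.1.1 active and 192.168.1.2 standby, G0/0 is outside. The failover-link subnet 192.168.99.0/24 and the outside addresses 203.0.113.1/.2 are assumptions for illustration, since the lecture only mentions ".99.1" and ".99.2". The `failover key` line is an addition not covered in the lecture: without it, the keepalives and the stateful synchronization traffic (NAT and connection tables) cross the failover link in clear text, so the link must be a dedicated, physically protected cable or the key must be set identically on both units.

```cisco
! ---------- Primary unit (becomes active) ----------
! Bring up the failover link interface first; it gets no nameif or ip address.
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit primary
! Name the failover link (any name, same on both units) and bind it to G0/2.
failover lan interface FOLINK GigabitEthernet0/2
! Stateful (connection-table) replication over the same interface and name.
failover link FOLINK GigabitEthernet0/2
! Active address first, standby address after the "standby" keyword.
failover interface ip FOLINK 192.168.99.1 255.255.255.0 standby 192.168.99.2
! Added hardening (not in the lecture): authenticate and encrypt failover traffic.
! Must be identical on both units; placeholder value, change it.
failover key REPLACE-WITH-SHARED-SECRET
!
! Data interfaces: configured ONLY on the primary. The standby address is what
! the mate uses while it is standby; the active address moves on failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Fail over not only when the whole unit dies but also when a monitored
! interface goes down (e.g. the uplink to the internet on "outside").
monitor-interface outside
monitor-interface inside
!
failover
write memory

! ---------- Secondary unit (becomes standby) ----------
! Same failover block; the only difference is the unit role. No nameif,
! security-level or ip address on data interfaces, just "no shutdown":
! addressing is learned from the active unit once the mate is discovered.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.99.1 255.255.255.0 standby 192.168.99.2
failover key REPLACE-WITH-SHARED-SECRET
failover
write memory

! ---------- Verification (either unit) ----------
show failover
show failover state
```

When `show failover` on the primary reports "This host: Primary - Active" and "Other host: Secondary - Standby Ready", the pair is synchronized. Before trusting the pair in production, fail it deliberately (shut the monitored outside interface on the active unit, or power it off) while holding a long-lived session through the firewall, and confirm the session survives; a session that drops means the stateful `failover link` line is missing or the state link never came up.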
