Multi context with Active Standby - Active Active failover on ASA 8.4

Captions
All right, active/standby failover. We start with active/standby, and then we get into active/active, where we need multi-context. So first of all, active/standby, no multi-context enabled. First, the command to check whether it is in single mode or multiple mode: show mode. See, it is in multiple mode; what we want is single mode, so: mode single. Similarly on ASA2 I'll do the same, mode single. My ASAs are rebooting; meanwhile I would like to show you what I have done on router 1, router 2 and router 3.

show ip interface brief: see, these are the IP addresses that I have assigned on router 1, and it has also got a loopback interface with 1.1.1.1. show ip route: I have got a static default route, and I'm going to remove this now and enable a routing protocol. Okay, so which routing protocol would you like to run? EIGRP? You're comfortable with EIGRP, okay. router eigrp with the autonomous system number, network 10.0.0.0, network 1.0.0.0, no auto-summary, exit. show ip eigrp interfaces: so these are the two interfaces that EIGRP is running on. Similarly on R2: show ip interface brief, these are the two IP addresses that I got on the interfaces, and show ip route, I got a default route which I'm going to remove: no ip route 0.0.0.0 0.0.0.0 192.1.20.10. I removed this. Similarly from R3 I'll remove it: show ip interface brief, these are the two interfaces; only one interface, so let me also have a loopback: interface loopback 0, ip address 3.3.3.3. show ip route: I got a default route that I'm going to remove: no ip route 0.0.0.0 0.0.0.0 192.1.30.10. Okay, so enabling EIGRP here: router eigrp, network 192.1.30.0, network 3.0.0.0, no auto-summary. So EIGRP is running on R3. Right, so EIGRP is running on all those three routers. The ASA is also ready to use. Let us check the mode first of all: show mode, single. Ready to use.

Let's start. First of all the hostname; I would like to give the hostname ASA1. What is the command to check whether it is in transparent mode or routed? show firewall: routed. Let us also check the same on the other side. Let us see the names of the interfaces. So the names are G1, G0, G2, G3 and G4. G3 is for failover, G4 is connecting to R3, G1 is connecting to R1 and G0 is connecting to R2. So G1 is inside, G0 and G4 are outside; I'd love to call the R2 side outside 1 and the R3 side outside 2, so that it is easy to talk about. All right, now what is next? The interfaces: interface g1, nameif inside, ip address 10.11.11.10 255.255.255.0, no shut. interface g0, nameif out1, ip address 192.1.20.10 255.255.255.0, no shut. interface g4, nameif out2, ip address 192.1.30.10 255.255.255.0. Okay, IP addresses are assigned and the security levels are the default: for inside it is 100, for the rest it is 0. show nameif: I can see that here, G1 is inside, G4 is out2, G0 is out1. show interface ip brief: every IP address is in place. So if this is true then I should be able to ping the adjacent devices. Ping: it is pinging. This is router 1: ping, it is pinging. What is next? Instead of static routes, since we are not in multi-context, we can run a routing protocol: router eigrp with the autonomous system number, network 192.1.20.0, likewise network 192.1.30.0, likewise the network 10 for inside. What I am expecting: from R1 I should see routes to reach 2.2.2.2 and 3.3.3.3, which come from two different outsides; outside 2 has got 3.3.3.3, outside 1 has got 2.2.2.2. So I'm able to learn 2.2.2.2 and 3.3.3.3. Without writing an access list, from inside I want to ping from R1 to R2 and R3: you see, I'm able to ping with the source of the loopback. What is next? I'm going to use G2 as the heartbeat, the interface that is going to check the status of the other group member, and G3 I'm using for statefulness.

Let's see our plan. You see, I use the same interface on the other side: if I'm using G2 for the heartbeat here, I'm using the same G2 there. If I'm connecting to outside 1 on G0 here, I'm connecting to outside 1 on G0 there also. If I'm connecting to outside 2 on G4 here, there also G4 goes to outside 2. Can you see that it should be the same replica; you cannot simply connect any interface to any outside device. If you use G4 here on ASA1 to connect to outside 2, make sure G4 on ASA2 also reaches outside 2. If you are connecting to outside 1 on G0 on one ASA, it should be G0 only on the other. If you connect inside on G1 on one ASA, it should be G1 carrying inside on the other ASA also; only then does your failover work. Why? Whatever you have on those interfaces is going to get copied to the other unit. When they copy, if they are not on the same interface, then we cannot reach those routers. Say, when they copy, the IP address of G0 gets copied to G0 of the other ASA. So you should put them on the right interfaces.

Okay, so now we are going to do stateful failover; sorry, first stateless, then stateful. I am doing them separately because I want you to know which command is used for statefulness. Right, so the commands go like this. failover lan unit primary: this is to say which unit will be active initially; which unit do you want to make active initially? This one, so I say failover lan unit primary. This is to make this firewall the active one in the initial stage. Next, failover lan interface: give a name for this interface; I would like to give the name failover, and the interface for it is G2, since I'm using G2 for the heartbeat. Then the next one, failover interface ip, the IP address for the failover interface: failover interface ip failover, and then the IP address I want to give, 10.10.10.1 255.255.255.0, and the standby address, 10.10.10.2, which will be used by the standby device to communicate; so 10.10.10.2 is the address I would like the standby to have. Okay, that's it; this much is needed for stateless. The key, failover key 123, is optional. Before I type failover, the partner is not ready. Let us make the interfaces enabled: interface g1 no shut, interface g0 no shut, interface g2 no shut, interface g3 no shut, g4. Whether you do no shut for G1, G0 and G4 or not, make sure you do it for G2, because this is the one that does the copying; it should be no shut so that the configuration gets copied. I have also done it without no shut on the others and that also works, so this is not mandatory for G1, G0 and G4. Still, it is easy to say no shut anyway, so I am doing it.

Next: just copy these commands and paste them on the other unit. show run failover, and copy it into a notepad. See, this is a security box, so the key will not be seen in the running configuration; on a router a password will be seen in the running configuration unless you say service password-encryption. Now I'm going to make the other device secondary, failover lan unit secondary, with the same interface; the key is 123, I believe. Okay, the other lines are the same. I'll copy this and paste it on the other ASA. See, the other ASA doesn't have even a hostname, nothing except these commands. Right, now one more thing I want to do: go to these three interfaces and give the standby addresses also. show interface ip brief: we have just given the IP addresses for the active device; whatever IP address the standby device should have on these interfaces is also needed. So go back again: interface g0, ip address 192.1.20.10 255.255.255.0 standby 192.1.20.11. This is for the standby device's G0 interface. Everything you configure on the active device only. Since you booked this one as primary, it is going to go active the first time; if the active fails, the standby becomes active, meaning the secondary device becomes active. If you are planning to do some change, you do it only on the active device, even if that is the secondary; you do changes only on the device that is active, and you can do them on the secondary if it is the active one. All right, next: interface g1, ip address 10.11.11.10 255.255.255.0 standby 10.11.11.11. G1 is done, G0 is done, G4 is the only one left; don't worry about G3, we have not come to G3, G3 is for stateful, we are not using it now. interface g4, ip address 192.1.30.10 255.255.255.0 standby 192.1.30.11. All right, only one command is left now: failover. Shall I? I am ready on both devices: failover, and hit enter.

Now, show failover: it has not even started. It doesn't start till I say no shut here; it takes some time. I think I didn't say no shut here: show run, show interface ip brief, you see interface g3 and g2. interface g2 no shut, interface g3 no shut. Okay, now you are going to see. The other one says "Beginning configuration replication from mate". See this one; in some time it will be all right. Now, just now they started talking: "End of configuration replication". Okay, this is stateless, right; this is stateless, that's why I didn't see much being shared between these two. show failover: this is the primary one and active, and that one is the secondary and standby. See, it has got the IP addresses now. Did we configure these IPs here? We configured them on the active device, ASA1, and this device's hostname has got changed now. You see the interfaces: show interface ip brief, do you see the IP addresses that you gave there as standby? They have got assigned to the physical interfaces of this device. Ultimately that is why it is very important for you to put the interfaces exactly as they are on the primary, the active device: if G0 is connected to outside 1 there, make sure you connect G0 to outside 1 here also.

So this is the one. You don't see any stateful information; look at this, Stateful Failover Logical Update Statistics: link unconfigured. The link is not configured; you need a separate link for sharing the statefulness. G3 is not configured; since the link is not configured, statefulness did not happen. Now show route: I don't see the routes learnt through the routing protocol, because there is no statefulness; but I see them on ASA1. You see, show route, I see them on ASA1, but I don't see them on ASA2. Not only that: I'm going to telnet from R1 to R2. line vty 0 4, password 123. I'm going to telnet from R1 to R2: telnet 2.2.2.2 with the source of loopback 0; 123 is the password. Now let us go to ASA1 and check the connection: show conn. It shows the connection: this is the source port number and this is the destination port number, and because of this entry the return traffic from outside is allowed to inside. On ASA2, show conn: you don't see that here, because it is stateless, not stateful. So at this moment, if ASA1 goes down, the telnet session goes down. Let us make it stateful. How do I get stateful? First of all you say no failover; while failover is running you cannot do any failover configuration. So you need to disable it; when you disable it on the active device, automatically the standby device gets disabled. Now let us write the command for the failover link. failover link: the command goes like this, failover link, then the name, then the interface. What name do I want to give for the stateful failover? Any name; I'm just giving SF for stateful failover. What is the link that I would like to use? G3; yes, G3 is the link that I am going to use for stateful failover. Next, failover interface ip SF: since I'm using a separate interface I need to do this; if you used the same interface you need not do this. If you use the same G2, then the same interface G2 will be used for both the heartbeat and statefulness. Now since I used a separate interface for the failover link, I'm doing this: failover interface ip SF 10.20.20.1 255.255.255.0 standby 10.20.20.2. That's all, just two lines: define the interface with a name, and then give the IPs for that interface. And make sure G3 is no shut: interface g3, no shut. Done.

Okay, now stateful on ASA1 is ready. Look, already the telnet session is there; the telnet session is still there on the other router. Now I am going to go to ASA1 and say failover. Wait, no failover. Why? I also need to copy these two lines of commands to the other device. So I copy these commands and paste them on the other device, and then type failover on both. Okay: "Detected an Active mate", "Beginning configuration replication from mate". Look at this, configuration replication happens here. "End of configuration replication"; things have happened here. Now let us go to ASA2 and check the connection: show conn, I see it; show route, I see it. This is active/standby with statefulness. If you need active/active, then you need multiple contexts: one unit will be active for one context and standby for the other, and the other unit will be active for the other context and standby for the first. Now show failover: now I see stateful has been enabled on G3, and this is the name we gave for G3, SF. This is the link, it is up, and replication has happened; see, the route table and even the connection information are copied. Okay, so this is active/standby stateful failover. We saw stateless as well as stateful.

Now what I'm going to do is clear configure all. What will happen if I type this here? It clears the configuration completely. But if I do it only on ASA1, that would be better. So, clear configure all. Now I'm going to make the mode multiple; with that you will have active/active failover. mode multiple: multiple context configuration. show context: there is a default context called the admin context. What if this context is not there? I need to create it. So let us assume there is no context: no context admin. It says the admin context cannot be deleted, but I'll tell it anyway. So I deleted the admin context. show context: oh my god, this scenario is what you'll see in the exam, so I'm creating that scenario without an admin context. show context, as if it is not there. How to configure it? admin-context admin: this is to create the admin context, and then to get into that admin context as usual, context admin, and then config-url admin.cfg. It will by default save it to disk0: only, so you need not mention disk0:/. So if the admin context is not there, you use these commands. If you have doubt, you go to the other ASA which has the admin context, type show run, and from there you copy it. See, when you type show run you see the admin context; copy this from the other device and paste it on the device that does not have it.

All right, next, let me give the hostname ASA2 on ASA2, since it's a fresh device. Okay, so on ASA2 I'm not going to do anything. On ASA1 I'm going to create the contexts. Before that, the interfaces: interface g0 no shut, g1 no shut, g2 no shut, g3 no shut, exit. Next, creating a context: context, and what name do we give? c1 and c2. context c1; let me have it in lowercase, c1. It is case sensitive: wherever you call this, it should be in the same case. What is next? I want to put two interfaces as members, G1 and G0. What's the command? I want to make them members, so: allocate-interface. I'm just trying to confuse you with the word member again; the command is allocate-interface, and it is done for each context. allocate-interface g1; allocate-interface g0, and I would give an alias name for this, out1. This name does not need to match the nameif; when you go and say nameif outside inside the context it need not match; it is just an alias for G0. Next, is anything else needed for context 1? config-url c1.cfg. The c1 here does not even really need to match the context name; I'm just matching so that it is easy for us to know. In case they specify a special location, only then you need to mention it, as we saw yesterday; if they mention disk0: or disk1: or something, you do it as we did yesterday; the default is disk0:. Next, context c2: allocate-interface g1, allocate-interface g4, and G4 is going to be what? out2, so I'm giving the alias out2 for G4. Next, config-url c2.cfg. Right, now what is next? Failover will come later. Let's finish the contexts.

changeto context c1. show interface ip brief: I got these new interfaces. interface g1, no shut; nameif inside; ip address 10.11.11.10 255.255.255.0. Anyway we are going to do failover, so instead of giving it later I'm giving the standby address now itself: standby 10.11.11.110. Is that okay? 110. I'm not doing 11; why? You know, for context 2, G1 is going to have 11. So here I'm using 10 for context 1, and for context 2 it is going to be 11. Next, the outside interface: interface out1, nameif outside. I'm giving outside, not outside 1 and outside 2, because these two contexts are different devices; for this context it is just outside, there is no outside 2 for this context. G0 is outside for context 1 and R2 is its outside; for context 2, G4 is outside and R3 is its outside. So the outside IP address will be 192.1.20.10 255.255.255.0 standby 192.1.20.11. Next, that's all. show run, show interface ip brief, yes. When I say write memory I'm writing only for context 1 here. Then you go to the system: changeto system. Next is what? show nameif: inside and outside, you see. Next, show route: this has no idea about 1.1.1.1 and 2.2.2.2, which are there behind R1 and R2, and you cannot run a routing protocol, see, because there is no command called router; no routing protocol. So write a static route: route inside 1.0.0.0 255.0.0.0 and the next hop. Because you're logically dividing the interface into two, the context cannot identify and discover neighbours; it is like frame relay with subinterfaces, where inverse ARP does not help and you need a static frame-relay map. From context 2, I'm pinging 192.1.30.3: will it be able to ping? Yes, because it is directly connected; and 3.3.3.3 is also possible because you got a static route from here. Similarly from context 1, ping 2.2.2.2: you are able to ping. Now what is next? ICMP: the question is more precise, so make sure you write the same thing: permit ICMP traffic from host 2.2.2.2 to host 1.1.1.1, in on interface outside, so only when you ping with that source is it allowed. The reason is I have deleted the static routes which were there on R2, because we were running EIGRP and we removed those static routes. Okay, I was having a default route here on R2; I'm putting it back. Likewise on R3 also I was having a default route, putting it back. On R1 also I was having a default route. What happened? My telnet session... good, we got it back. Now show ip route: there is no route for reaching... oh, we got the route; do we have it? Yes, yes, we do. Similarly on R1 I will also write routes: ip route 2.2.2.2 255.255.255.255 10.11.11.10, to send the traffic to context 1, and ip route 3.3.3.3 255.255.255.255 10.11.11.11, to send the packet to context 2. All right, ping 2.2.2.2 with the source of 1.1.1.1: you are able to ping. Before that, in context 1 I have written an ACL for ICMP from 2.2.2.2; the reply coming from 2.2.2.2 to 1.1.1.1 should be allowed in on the outside interface. Perfect.

Telnet: let's see, telnet 2.2.2.2 with the source interface loopback 0. If telnet fails, is it a route problem? Some route problem? Let us see the solution; I have discussed the solution earlier. Do you know the solution, why am I not able to? It is a MAC address problem, because G1 is shared. See, a MAC address problem. Two solutions: we give MAC addresses, either mac-address auto in the system on ASA1, or go to the context and give the MAC address manually under the interface. Let us use auto: changeto system, mac-address auto. Now if I ping, that also will be successful, and telnet also will be successful. Now will I be able to ping 3.3.3.3? No; on context 2 we have not allowed ICMP or we have not inspected ICMP, as discussed. On context 1 you should write an ACL to permit ICMP; on context 2 I'll show another solution for the same problem: as you all know, show run policy-map, and I'll copy this default one, the global policy map: policy-map global_policy, class inspection_default, and I say inspect icmp. That's it. Now from R1 if I ping 3.3.3.3, yes, I am able to ping 3.3.3.3 with the source of loopback 0. Multi mode is done.

Failover, the last section, very simple. On the system, the global space; what is the command to go to the system? changeto system. If you type this you're going to the base. The same commands: failover lan unit primary; failover lan interface, give a name, failover, and the interface I want to use, G2; next, the same, failover interface ip failover, and the IP address is going to be 10.10.10.1 255.255.255.0 standby 10.10.10.2. Optionally you can say failover key 123. Next is for statefulness: failover link, give a name, SF for stateful failover, with G3; failover interface ip SF, and the IP address will be 10.20.20.1 255.255.255.0 standby 10.20.20.2. Now what is left: because it is multiple context, something more needs to be done. What is the aim? Context 1 should be active on ASA1 and standby on ASA2; context 2 should be standby on ASA1, and ASA2 should be active for context 2 and standby for context 1. For that the configuration goes like this: failover group 1, and under it primary; where is the primary command? primary. By default preemption is not enabled; you enable preemption, and only then will the device you want to be active for context 1 become active again when it comes back after going down: preempt. Preemption is optional. Next, failover group 2, secondary, preempt. Every configuration goes only on the active device, ASA1, so you don't do all this on ASA2; there you just say failover exactly as before. Okay, next: context c1. Please do not go to changeto context; don't get confused. Get into context c1 in the system and say join-failover-group 1, because you want context 1 to be active on the primary. Then context c2, join-failover-group 2, because I want this one to be on the secondary, which is already defined under the failover group command. Next, only one command is left: failover. Before that, let us go and check whether ASA2 has no shutdown on every interface: interface g0 no shut, g1 no shut, interface g2 no shut, interface g3 no shut, interface g4; is there anything else? Right.

Now I'm going to copy these commands from here: show run failover, and copy all these commands to the notepad. These commands, the group commands, are not needed; only these commands. I'll pick this one too. I'll copy, and here the key is 123; I believe it is 123; secondary; the rest are the same. Copy and paste it on ASA2. Enter, enter. "No response from mate, switch to active". So this has become active, active for both groups, because ASA2 is not responding. show failover: the other one is not active; let us see why it is not coming up. This has become active; the other device has failed, its status is failed. So this is waiting for the other device to come up and has declared itself as active for both. Don't worry, preemption we have enabled; the moment this comes up the scenario will get changed. Sometimes it may take some time. interface g2 no shut, g3 no shut, show run failover. You need to check the key: what is the key we gave? Let me do it one more time: no failover. So nothing is done here; not necessary, because this one doesn't know anything about the contexts; those things should be pushed once it is in. Let us try: failover. debug fover switch, debug fover sync. Debug, oh come on, stop; oh my god, it is not getting stopped; I stopped the debug long back and it is not getting stopped. "No response from the mate". show interface ip brief: perfect, it has got them. It just reloaded, and everything got copied to ASA2. All right, since we are overriding the same configuration again. Now you see, for your groups, "Detected an Active mate for group 2" means for group 2 the neighbour is the active one. Good, this guy is the active one for group 1. So if you see show failover, it says this host is primary, active for group 1 and standby for group 2, whereas the other device is the secondary and is active for group 2 but standby for group 1. This is what we were expecting. Now similarly on ASA2, if you see show failover, it shows that this is the secondary device, active for group 2, and the other device is the primary device, active for group 1. Well, what if ASA1 goes down? This will become active for both the groups, but still it will be secondary. If the primary device goes down, the secondary device becomes active for both contexts; will it be a primary or a secondary device now? It will remain secondary. Secondary and active have no connection; primary and secondary are only for initially deciding who takes what, and later they have no bearing. Okay, so that's it.

Now let us try what we were doing before: what about the telnet, the route problem? Let's check the routing table of ASA2: show route; what's the command to see your routing table? Should we get into the context: changeto context c1, show route: there is no route for context 1. changeto context c2: I should see routes; no route. What happened? I have not learnt any routes. changeto context c1, show route. That's okay, because all the configuration that we did is gone now; the interfaces have not got the IP address configuration: show interface ip brief, no IPs. The device which is active for c1 is ASA1, so I'm here; c2 I should configure only on ASA2. So I go under interface out1: ip address 192.1.20.10 255.255.255.0 standby 192.1.20.11, no shut, nameif outside. Okay. interface g1, nameif inside, ip address 10.11.11.10 255.255.255.0 standby 10.11.11.110. And then we wrote an ACL, so let us write the ACL also now; since I reloaded we are doing this again: access-list out-in extended permit icmp host 2.2.2.2 host 1.1.1.1, since it is context 1 it is 2.2.2.2; access-group out-in in interface outside. And we also need to write the static routes. Sorry, yes, I should mention this: since it was not written to the real flash, we lost it, so that is what we need to do now. route inside 1.1.1.1 255.255.255.255 10.11.11.1, and for the traffic to 2.2.2.2, route outside 2.2.2.2 255.255.255.255 with R2's address on the 192.1.20.0 network as the next hop. show route: we got this. I should see it now on ASA2 also: changeto context c1, show route, I should see the routes; beautiful, got it. Now if I ping from here, ping 2.2.2.2 with the source of 1.1.1.1: able to ping. Now who is active, who is forwarding? ASA1 is forwarding. Let us finish ASA2: context 2 is active on ASA2, so what I was doing on the standby device, do it on the active device. changeto system; show failover: it says this host is active for group 2, so group 2 is context 2. changeto context c2; this is very important, changeto c2. show interface ip brief. interface g1, no shut, nameif inside, ip address 10.11.11.11 255.255.255.0 standby 10.11.11.111. Okay, what is next? The other interface, out2: nameif outside, and then ip address 192.1.30.10 255.255.255.0 standby 192.1.30.111; is that right? On ASA1 we gave standby 11, so let it be 11: standby 192.1.30.11. Next we need the static routes: route inside 1.1.1.1 255.255.255.255 10.11.11.1, to send the traffic to R1, and route outside 3.3.3.3 255.255.255.255 192.1.30.3, to send the traffic to R3. This gets copied, no problem. Now from here, instead of an ACL, inspect: inspect icmp. For context 1 we used an ACL; for context 2 we are using the policy map, MPF. So now ping 3.3.3.3 with the source of 1.1.1.1; it should go through context 2 on ASA2. On ASA2 in context 2 I am expecting some routes: show route, yes, whatever we wrote there has got replicated. So far so good; you understood multi-context stateful failover.
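The two designs the lecture builds, single-mode active/standby stateful failover and multi-context active/active with failover groups, collected into ASA 8.4 CLI as an added example (not the video author's own configuration). Assumed: the interfaces the captions call g0 to g4 are GigabitEthernet0 to GigabitEthernet4, the failover key is 123, the EIGRP part of the single-mode lab is left out, and R2_ADDR is a placeholder for R2's address on 192.1.20.0/24, which the captions do not give.

```text
! Added example, not from the video. Interface roles follow the lab: g1 to R1 (inside),
! g0 to R2, g4 to R3, g2 heartbeat, g3 stateful link. Assumed: GigabitEthernetN names,
! key 123, R2_ADDR placeholder for R2 on 192.1.20.0/24.
!
! ===== Design 1: single mode, active/standby, stateful. All of this goes on ASA1 only.
mode single
interface GigabitEthernet1
 nameif inside
 ip address 10.11.11.10 255.255.255.0 standby 10.11.11.11
 no shutdown
interface GigabitEthernet0
 nameif out1
 ip address 192.1.20.10 255.255.255.0 standby 192.1.20.11
 no shutdown
interface GigabitEthernet4
 nameif out2
 ip address 192.1.30.10 255.255.255.0 standby 192.1.30.11
 no shutdown
interface GigabitEthernet2
 no shutdown
interface GigabitEthernet3
 no shutdown
failover lan unit primary
failover lan interface failover GigabitEthernet2
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover link SF GigabitEthernet3
failover interface ip SF 10.20.20.1 255.255.255.0 standby 10.20.20.2
failover key 123
failover
! ASA2 gets only the six failover lines above with "failover lan unit secondary" in place
! of primary, "no shutdown" on GigabitEthernet2 and 3, then "failover"; the rest replicates.
!
! ===== Design 2: multiple mode, active/active. System execution space of ASA1.
! Physical interfaces 0 to 4 are enabled here with "no shutdown" before the contexts exist.
mode multiple
admin-context admin
context admin
 config-url disk0:/admin.cfg
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context c1
 allocate-interface GigabitEthernet1
 allocate-interface GigabitEthernet0 out1
 config-url disk0:/c1.cfg
 join-failover-group 1
context c2
 allocate-interface GigabitEthernet1
 allocate-interface GigabitEthernet4 out2
 config-url disk0:/c2.cfg
 join-failover-group 2
mac-address auto
! then the same six failover lines as in design 1 (lan unit, lan interface, two interface ip,
! link, key) and finally:
failover
! --- context c1, configured on ASA1 because group 1 is active there (changeto context c1)
interface GigabitEthernet1
 nameif inside
 ip address 10.11.11.10 255.255.255.0 standby 10.11.11.110
 no shutdown
interface out1
 nameif outside
 ip address 192.1.20.10 255.255.255.0 standby 192.1.20.11
 no shutdown
route inside 1.1.1.1 255.255.255.255 10.11.11.1
route outside 2.2.2.2 255.255.255.255 R2_ADDR
access-list out-in extended permit icmp host 2.2.2.2 host 1.1.1.1
access-group out-in in interface outside
! --- context c2, configured on ASA2 because group 2 is active there (changeto context c2)
interface GigabitEthernet1
 nameif inside
 ip address 10.11.11.11 255.255.255.0 standby 10.11.11.111
 no shutdown
interface out2
 nameif outside
 ip address 192.1.30.10 255.255.255.0 standby 192.1.30.11
 no shutdown
route inside 1.1.1.1 255.255.255.255 10.11.11.1
route outside 3.3.3.3 255.255.255.255 192.1.30.3
policy-map global_policy
 class inspection_default
  inspect icmp
```

Because both contexts share GigabitEthernet1 on the same subnet, mac-address auto is what lets the two context interfaces (and their standby addresses) be told apart on R1's segment, which is the telnet failure the lecture debugs.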
Info
Channel: Jayachandran
Views: 32,071
Keywords: ASA 8.4, Virtual Firewall, Active Active Failover, Active Standby Failover, Ccie, Multi-Context
Id: TI6KZCPKUzM
Length: 74min 45sec (4485 seconds)
Published: Tue Dec 10 2013