Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : CCSP-Cisco Certified Security Professional : Failover Configuration with Failover Cable

Failover Configuration with Failover Cable

Feb 15,2010 by alperen

small font medium font large font
image

Before configuring, make certain the two PIX Firewall units are identical, as discussed earlier, and the standby unit is powered off. The steps to configure failover with a failover cable are as follows:

  1. Set the clock on the active PIX Firewall unit using the clock set time command or using the Network Time Protocol (NTP) commands introduced in Chapter 18 for version 6.2 and newer.

  2. Connect the failover serial cable to the units. Make sure the end labeled “Primary” attaches to the primary unit and the end labeled “Secondary” connects to the secondary unit. Don’t power up the secondary unit.

  3. If stateful failover is planned, attach a crossover cable between the primary and secondary units for the network interfaces.

  4. Go to Configuration mode with the configure terminal command.

  5. Always specify the speed for the interface, such as 10baset for 10 Mbps or 100basetx for 100 Mbps. Don’t use the auto or the 1000auto option on any interface. Verify that the interface speed and duplex settings match any connected devices. Use the write terminal command to confirm the settings. For stateful failover, set the dedicated interface speed, using either the 100full or the 1000sxfull command. Set the link maximum transfer unit by using the mtu interface_name 1500 command. For PIX Firewall version 6.2, the MTU size must be at least 1,500 for the stateful failover link and at least 576 for the LAN-based failover link.

  6. Use the clear xlate command after changing the interface command.

  7. Use the ip address command to assign IP addresses to each interface. The following output shows examples of the commands so far.

  8. Use the failover command statement to enable the failover feature. The no failover command will disable the failover feature.

    The related failover active command on the standby unit triggers a failover switch, causing that unit to become the active unit. The no failover active command from the active unit triggers a failover switch to make the standby unit become the active unit. This command is used to force an active unit offline for maintenance and to return a updated unit to service.

    Pix# clock set 14:27:0 jun 1 2004
    Pix# config t
    Pix(config)# nameif ethernet2 intf2 sec50
    Pix(config)# ip address outside 10.1.1.1 255.255.255.0
    Pix(config)# ip address inside 192.168.1.1 255.255.255.0
    Pix(config)# ip address intf2 192.168.2.1 255.255.255.252
    Pix(config)# interface e0 100full
    Pix(config)# interface e1 100full
    Pix(config)# interface e2 100full
    Pix(config)# mtu intf2 1500
    Pix(config)# clear xlate
    Pix(config)# failover

  9. Use the show ip address command to see the addresses. The Current IP Addresses is the same as the System IP Addresses on the failover active unit.

    Pix(config)# show ip address
    System IP Addresses:
         ip address outside 10.1.1.1 255.255.255.0
         ip address inside 192.168.1.1 255.255.255.0
         ip address intf2 192.168.2.1 255.255.255.252
    Current IP Addresses:
         ip address outside 10.1.1.1 255.255.255.0
         ip address inside 192.168.1.1 255.255.255.0
         ip address intf2 192.168.2.1 255.255.255.252

  10. Use the show failover command to verify the failover feature by looking for the This host: primary - Active statement. You can see failover is on and the other unit isn’t powered up.

    Pix(config)# show failover
    Failover On
    Cable status: Other side powered off
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
        This host: primary - Active
                    Active time: 330 (sec)
                    Interface intf2 (192.168.2.1): Normal (Waiting)
                    Interface outside (10.1.1.1): Normal (Waiting)
                    Interface inside (192.168.1.1): Normal (Waiting)
        Other host: secondary - Standby
                    Active time: 0 (sec)
                    Interface intf2 (0.0.0.0): Unknown (Waiting)
                    Interface outside (0.0.0.0): Unknown (Waiting)
                    Interface inside (0.0.0.0): Unknown (Waiting)

    Interface flag

    Indicates

    Failed

    Interface has failed

    Link Down

    Interface line protocol is down

    Normal

    Interface is working correctly

    Shut Down

    Interface has been administratively shut down

    Unknown

    IP address isn’t configured for the interface, so it can’t determine the status

    Waiting

    Monitoring the other unit’s network interface hasn’t started yet

  11. Use the failover IP address int_name ip_addr command to define the standby unit’s interface addresses. The IP addresses for the standby unit are different from the active unit’s addresses, but in the same subnet for each interface. The standby unit needn’t be powered up for this command to work correctly.

    Without setting, the failover IP addresses failover won’t work, the show failover command will display 0.0.0.0 for the IP address, and monitoring of the interfaces will remain in the “waiting” state.

    Pix(config)# failover ip address inside 192.168.1.2
    Pix(config)# failover ip address outside 10.1.1.2
    Pix(config)# failover ip address intf2 192.168.2.2

    Pix(config)# show failover
    Failover On
    Cable status: Other side powered off
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: primary - Active
                    Active time: 740 (sec)
                    Interface intf2 (192.168.2.1): Normal (Waiting)
                    Interface outside (10.1.1.1): Normal (Waiting)
                    Interface inside (192.168.1.1): Normal (Waiting)
        Other host: secondary - Standby
                    Active time: 0 (sec)
                    Interface intf2 (192.168.2.2): Unknown (Waiting)
                    Interface outside (10.1.1.2): Unknown (Waiting)
                    Interface inside (192.168.1.2): Unknown (Waiting)

  12. Use the failover link [stateful_if_name] command to enable stateful failover. Use the no failover link command to disable the feature.

    Pix(config)# failover link intf2
    Pix(config)# show failover
    Failover On
    Cable status: Other side powered off
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: primary - Active
                    Active time: 740 (sec)
                    Interface intf2 (192.168.2.1): Normal (Waiting)
                    Interface outside (10.1.1.1): Normal (Waiting)
                    Interface inside (192.168.1.1): Normal (Waiting)
        Other host: secondary - Standby
                    Active time: 0 (sec)
                    Interface intf2 (192.168.2.2): Unknown (Waiting)
                    Interface outside (10.1.1.2): Unknown (Waiting)
                    Interface inside (192.168.1.2): Unknown (Waiting)

  13. 13. If necessary, use the failover poll seconds command to set a hello interval shorter than 15 seconds (range 3 to 15).

  14. Power up the secondary unit. The primary unit will detect it and start synchronizing the configurations. The messages “Sync Started” and “Sync Completed” will appear.

  15. If any other changes are made to the active unit configuration, use the write memory command to save the configuration and to synchronize the standby unit.


1349 times read

Related news
» PIX Failover Feature
by alperen posted on Feb 15,2010
» LAN-Based Failover Configuration
by alperen posted on Feb 15,2010
» Verifying Failover Configuration
by alperen posted on Feb 15,2010
» Understanding Failover
by alperen posted on Feb 15,2010
» Managing and Maintaining the PIX Firewall Review
by alperen posted on Feb 19,2010
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

alperen

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.