1, Several concepts to understand about the "active" and "standby" roles:
Failover Link
The failover link is used by the two devices to communicate their working status to each other. The information passed over the failover link includes:
o Current status of the device (active or standby)
o Power status (only with a dedicated failover cable)
o Hello packets (also sent on all other ports)
o The active device passes its configuration to the standby device (called configuration synchronization)
The failover link can use two kinds of media, which give two different forms of failover:
o A dedicated cable ("cable-based failover"): recommended when the two devices are no more than 6 feet (about 1.83 meters) apart, because through this cable each device can sense the other's power status and can tell whether the peer is powered down or the cable is not plugged in at all. The failover cable is a modified RS-232 serial cable (Kbps), with one end labeled "Primary" to connect to the primary device and the other end labeled "Secondary" to connect to the secondary device.
o Ethernet ("LAN-based failover"): you can use any unused Ethernet port on the device. Use this method when the two devices are more than 6 feet (about 1.83 meters) apart. Note that with this method the two ports must be connected through a switch (a separate, dedicated switch is recommended); the Ethernet ports of the two machines must not be connected directly with a crossover cable.
The disadvantages of an Ethernet-based failover link include:
• When a power failure occurs, failover takes longer
• The standby device must be configured separately (in cable-based failover, the standby device can communicate with the active device without any port or IP address being enabled, and accepts the entire configuration from the active device.)
• The switch between the two devices that carries the failover link becomes an additional hardware point of failure
• It consumes an Ethernet port on each device
The advantages of an Ethernet-based failover link:
• The devices can be more than 6 feet apart
• Configuration synchronization is faster
(In LAN-based failover, if the failover link is broken, the other ports are automatically used to check the state of the peer.)
Primary/secondary and active/standby
The former pair is a physical concept; the latter is a logical concept.
The device that is currently responsible for forwarding network traffic is the active device, and the other is the standby device.
In cable-based failover, the PIX connected to the primary end of the cable is the primary device, and the PIX connected to the secondary end is the secondary device. In LAN-based failover, the primary and secondary devices are set in the configuration file.
When both devices are started at the same time and are healthy, the primary device is the active device. When the primary device fails, a failover event occurs and the secondary device becomes the active device.
The active device always uses the active IP address and the MAC address of the primary device, unless one of the following conditions occurs:
o The secondary device becomes active, but it cannot obtain the MAC address of the primary device over the failover link.
o The MAC addresses of the two devices are hard-coded in the configuration (using the command: failover mac address).
2, Regular failover and stateful failover
Regular failover: when a failover event occurs, all currently active connections are dropped and users need to re-establish their connections.
Stateful failover: while both machines are working properly, the active device continuously sends connection state information to the standby device. When a failover event occurs, users can continue to communicate without reconnecting, because this connection state information is already available on the new active device. The state information passed between the devices includes:
• NAT table
• TCP connection state
• H.323, SIP, MGCP and other UDP connections
State Link
In stateful failover, an Ethernet link is required to pass the state information. The PIX can use the following Ethernet ports for the state link:
• Fast Ethernet (100BASE-T), full duplex
• Gigabit Ethernet (GE) (1000BASE-T), full duplex
On a PIX 535 with GE ports, you must configure the state link on a GE port.
The state link ports of the two devices can be connected through a switch, but to avoid an additional point of failure it is recommended to connect the ports directly with a crossover cable. In LAN-based failover, the state link and the failover link can be set to use the same connection (although using two separate links is recommended), but in that case a crossover cable cannot be used.
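The following Python model is an added example, not code from the original page or from Cisco. It ties together the primary/secondary versus active/standby passage and the regular versus stateful passage: what the new active unit holds after the primary fails, and whether neighbors still see the same active MAC. The class names, connection kinds and documentation-range MAC addresses are constructed, and the fallback to the secondary's own MAC is an assumption.

```python
from dataclasses import dataclass, field
# Connection kinds the page lists as carried over the state link; this model
# treats any other kind as not replicated (assumption).
REPLICATED = {"nat", "tcp", "h323", "sip", "mgcp"}

@dataclass
class Unit:
    role: str                  # physical: "primary" or "secondary"
    mac: str                   # the unit's own MAC (constructed value)
    state: str = "standby"     # logical: "active", "standby" or "failed"
    peer_mac: str = ""         # primary's MAC as learned over the failover link
    conns: dict = field(default_factory=dict)    # connection id -> kind

class Pair:
    def __init__(self, stateful, mac_learned=True, static_mac=""):
        self.pri = Unit("primary", "00:00:5e:00:53:01", state="active")
        self.sec = Unit("secondary", "00:00:5e:00:53:02")
        self.stateful, self.static_mac = stateful, static_mac
        if mac_learned:
            self.sec.peer_mac = self.pri.mac

    def active(self):
        return self.pri if self.pri.state == "active" else self.sec

    def open_conn(self, cid, kind):
        self.active().conns[cid] = kind
        if self.stateful and kind in REPLICATED:
            self.sec.conns[cid] = kind   # copy sent to the standby (state link)

    def fail_primary(self):
        self.pri.state, self.pri.conns = "failed", {}
        self.sec.state = "active"

    def active_mac(self):
        if self.static_mac:              # hard-coded in the configuration
            return self.static_mac
        a = self.active()
        # Assumption: a secondary that never learned the primary's MAC
        # falls back to its own address.
        return a.mac if a.role == "primary" else (a.peer_mac or a.mac)

def failover_outcome(stateful, mac_learned=True, static_mac=""):
    """Return (connections that survive, whether the active MAC is unchanged)."""
    pair = Pair(stateful, mac_learned, static_mac)
    pair.open_conn("c1", "tcp")
    pair.open_conn("c2", "sip")
    mac_before = pair.active_mac()
    pair.fail_primary()
    return sorted(pair.active().conns), mac_before == pair.active_mac()
```

With regular failover the new active unit starts with an empty connection table; when the primary's MAC was never learned, the active MAC changes at failover and neighboring devices must relearn it.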
3, About configuration synchronization
# When the standby device finishes its initialization and startup, it synchronizes its configuration from the active device;
# Configuration synchronization only changes the running-config; it does not save the configuration to flash memory;
# Commands entered on the active device are immediately synchronized to the standby device;
# When you enter the write memory command on the active device, the standby device also writes its configuration to flash memory;
# Commands entered on the standby device are not synchronized to the active device;
# If the startup-config of the two devices differs, then after the devices start, the secondary device synchronizes its running-config to the running-config of the primary device;
# When you enter the write standby command on the active device, the standby device synchronizes its configuration from the active device;
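The synchronization rules above decide where configuration drift can hide: in a standby running-config that was edited locally, or in a flash copy that was never saved. The following Python model is an added example, not code from the original page or from Cisco. It applies the rules to a pair of units and reports the drift at each step; the class names and the sample access-list lines are constructed.

```python
class Firewall:
    def __init__(self, name, startup):
        self.name = name
        self.startup = list(startup)   # startup-config (flash)
        self.running = list(startup)   # running-config (RAM), loaded at boot

class FailoverPair:
    """Toy model of the synchronization rules listed above."""
    def __init__(self, active, standby):
        self.active, self.standby = active, standby
        self.write_standby()           # standby finished booting: pull config

    def write_standby(self):
        # Sync replaces the standby running-config only; flash is untouched.
        self.standby.running = list(self.active.running)

    def enter(self, unit, cmd):
        unit.running.append(cmd)
        if unit is self.active:        # replicated to the standby at once
            self.standby.running.append(cmd)
        # a command typed on the standby never reaches the active unit

    def write_memory(self):
        # Issued on the active unit: both units save running-config to flash.
        for u in (self.active, self.standby):
            u.startup = list(u.running)

    def drift(self):
        a, s = self.active, self.standby
        return {
            "standby_only": [c for c in s.running if c not in a.running],
            "active_unsaved": [c for c in a.running if c not in a.startup],
            "standby_unsaved": [c for c in s.running if c not in s.startup],
        }

def scenario():
    # Constructed sample lines, not taken from a real device.
    base = ["access-list outside_in permit tcp any host 192.0.2.10 eq 443"]
    pair = FailoverPair(Firewall("primary", base), Firewall("secondary", []))
    steps = {"after_boot": pair.drift()}
    pair.enter(pair.active, "access-list outside_in deny ip any any")
    pair.enter(pair.standby, "access-list outside_in permit tcp any host 192.0.2.20 eq 80")
    steps["after_edits"] = pair.drift()
    pair.write_standby()
    pair.write_memory()
    steps["after_resync_and_save"] = pair.drift()
    return steps
```

A rule that exists only in the standby running-config would start to be enforced after a failover, so the `standby_only` list is the one to review before relying on the pair.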