1. Clarifying several concepts about active/standby (primary/secondary) failover
Failover Link
The Failover Link is used by the two devices to exchange their working status. The information transmitted on the Failover Link includes:
o the current status of the device (active or standby)
o the power status (only available with the dedicated failover cable)
o hello packets (also sent through all other ports)
o the configuration sent from the Active device to the Standby device (called Configuration Synchronization)
The Failover Link can use two media types (corresponding to two failover modes):
o Dedicated cable ("cable-based failover"): recommended when the distance between the two devices is no more than 6 feet (about 1.83 meters). The reason is that through this cable a device can detect the power status of its peer and tell whether the peer has lost power. The failover cable is a modified RS-232 serial cable (115 kbps) with one end labeled "Primary", connected to the primary device, and the other end labeled "Secondary", connected to the secondary device.
o Ethernet ("LAN-based failover"): any unused Ethernet port on the device can be used. Use this method when the distance between the two devices exceeds 6 feet (about 1.83 meters). Note: the two ports must be connected through a switch (a separate switch is recommended), not directly through a crossover cable.
Disadvantages of an Ethernet-based Failover Link:
• Failover takes longer when the power supply fails
• The standby device must be configured (in cable-based failover, the standby device can communicate with the active device without any enabled port or IP address and receives the entire configuration over the cable)
• The switch used for the Failover Link between the two devices becomes another hardware point of failure
• It occupies an Ethernet port
Advantages of an Ethernet-based Failover Link:
• The devices can be more than 6 feet apart
• Configuration synchronization is faster
(In LAN-based failover, if the Failover Link goes down, the other ports are used automatically to check the peer's status.)
Primary, Secondary, Active, Standby
The former pair is a physical concept, the latter a logical one.
The device currently forwarding network traffic is the Active device; the other one is the Standby device.
In cable-based failover, the PIX connected to the Primary end of the cable is the Primary device and the PIX connected to the Secondary end is the Secondary device; in LAN-based failover, the Primary and Secondary roles are defined in the configuration file.
When both devices start at the same time and are healthy, the Primary device becomes the Active device. When the Primary device fails, a failover event occurs and the Secondary device becomes the Active device.
The Active device always uses the Active IP addresses and the MAC addresses of the Primary device, unless one of the following occurs:
o The Secondary device becomes Active but cannot obtain the Primary device's MAC address through the failover link.
o The MAC addresses of both devices are hard-coded in the configuration (with the failover mac address command).
2. Regular Failover and Stateful Failover
Regular Failover: when a failover event occurs, all active connections are dropped and must be re-established.
Stateful Failover: while both units are operating normally, the Active device continuously sends connection state information to the Standby device. When a failover event occurs, that state is already present on the new Active device, so communication continues without reconnecting. The state information transmitted includes:
• the NAT table
• TCP connection state
• UDP connections for protocols such as H.323, SIP and MGCP
State Link
Stateful Failover requires an Ethernet link for transmitting the state information. The PIX can use the following Ethernet ports as the state link:
• Fast Ethernet (100BASE-T), full duplex
• Gigabit Ethernet (1000BASE-T), full duplex
On a PIX 535 with a GE port, the GE port must be used as the state link.
Although the state link ports of the two devices can be connected through a switch, connecting them directly with a crossover cable is recommended to avoid an extra point of failure. In LAN-based failover, the state link and the Failover Link can share one connection (two separate links are recommended wherever possible), but a direct crossover connection cannot be used in that case.
3. About configuration synchronization
# When the standby device finishes initializing and booting, it synchronizes its configuration from the active device;
# Configuration synchronization only changes the running-config, not the configuration stored in Flash memory;
# Commands entered on the Active device are immediately synchronized to the Standby device;
# When the write memory command is entered on the active device, the standby device also writes its configuration to Flash memory;
# Commands entered on the Standby device are not synchronized to the Active device;
# If the startup-configs of the two devices differ, after startup the Secondary device replaces its running-config with the running-config of the Primary device;
# When the write standby command is entered on the active device, the standby device synchronizes its configuration from the active device.
4. Configuration examples
Example 1: cable-based failover configuration
(The netmask on the outside interface and in the global command was garbled in the source; 255.255.255.224 is assumed below.)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 shutdown
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 state security20
enable password farscape encrypted
passwd crichton encrypted
telnet 192.168.2.45 255.255.255.255
hostname pixfirewall
ip address outside 209.165.201.1 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address state 192.168.253.2
failover link state (this line defines the State Link described above)
failover
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 209.165.201.5 eq 80
access-group acl_out in interface outside
route outside 0 0 209.165.201.4 1
Example 2: LAN-based failover configuration
(As in Example 1, the outside and global netmask 255.255.255.224 is assumed.)
Primary device:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 state security20
enable password farscape encrypted
passwd crichton encrypted
telnet 192.168.2.45 255.255.255.255
hostname pixfirewall
ip address outside 209.165.201.1 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address failover 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address failover 192.168.254.2
failover ip address state 192.168.253.2
failover link state
failover lan unit primary
failover lan interface failover
failover lan key 12345678
failover lan enable
failover
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 209.165.201.5 eq 80
access-group acl_out in interface outside
route outside 0 0 209.165.201.4 1
Secondary device (only the failover interface needs to be configured; the rest is synchronized from the primary):
interface ethernet2 100full
nameif ethernet2 failover security10
ip address failover 192.168.254.1 255.255.255.0
failover ip address failover 192.168.254.2
failover lan unit secondary
failover lan interface failover
failover lan key 12345678
failover lan enable
failover
The PIX selects its IP addresses based on its role: the Active device uses the addresses defined with ip address, and the Standby device uses the addresses defined with failover ip address.
Another approach is to set the failover addresses to 0.0.0.0, for example:
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address state 0.0.0.0
This hides the standby device.
In addition, the interface MAC addresses also switch during failover: the Primary device's MAC addresses always follow the Active IP addresses, so external devices see no change when a failover occurs.
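As an added example (not part of the original page or of Cisco's documentation), a small Python audit of the failover rules described above: it parses a constructed pair of PIX 6.x configs modelled on Example 2 and reports a standby address outside its interface's subnet, a failover link or lan interface that has no nameif, and a failover lan key that differs between the two units; a 0.0.0.0 standby address is accepted as the hidden-standby case. The config strings, the defects in them and the parse/audit_pair function names are all constructed for this example.

```python
import ipaddress
# Constructed sample after the page's LAN-based example; two defects injected
PRIMARY = """nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 state security20
ip address inside 192.168.2.1 255.255.255.0
ip address failover 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address inside 192.168.3.2
failover ip address failover 192.168.254.2
failover ip address state 192.168.253.2
failover link state
failover lan unit primary
failover lan interface failover
failover lan key 12345678"""
SECONDARY = """failover lan unit secondary
failover lan interface failover
failover lan key 87654321"""

def parse(cfg):
    # nameif names, active (ip address) and standby (failover ip address) per interface
    u = {"names": set(), "active": {}, "standby": {}, "lan": {}}
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["nameif"]:
            u["names"].add(t[2])
        elif t[:2] == ["ip", "address"]:
            u["active"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:3] == ["failover", "ip", "address"]:
            u["standby"][t[3]] = ipaddress.ip_address(t[4])
        elif t[:2] == ["failover", "lan"]:       # unit / interface / key / enable
            u["lan"][t[2]] = " ".join(t[3:])
        elif t[:2] == ["failover", "link"]:      # the state link interface
            u["lan"]["link"] = t[2]
    return u

def audit_pair(primary_cfg, secondary_cfg):
    """Return problems that would break failover or strand the standby unit."""
    p, s, problems = parse(primary_cfg), parse(secondary_cfg), []
    for ifname, act in p["active"].items():
        sb = p["standby"].get(ifname)
        if sb is None:
            problems.append(f"{ifname}: no failover ip address")
        elif str(sb) != "0.0.0.0" and sb not in act.network:  # 0.0.0.0 hides the standby
            problems.append(f"{ifname}: standby {sb} outside {act.network}")
    for key in ("link", "interface"):
        if p["lan"].get(key) not in p["names"]:
            problems.append(f"failover {key} {p['lan'].get(key)} has no nameif")
    if p["lan"].get("key") != s["lan"].get("key"):
        problems.append("failover lan key differs between units")
    return problems
```

Running audit_pair(PRIMARY, SECONDARY) on the sample reports the wrong-subnet inside standby address and the key mismatch; with both corrected it returns an empty list.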