Asymmetric Routing Support in Active Active Mode

In Active/Active mode, both FWSM units in a failover pair are active. This requires multiple context mode: the active firewall for each context is distributed between the two FWSM units in the failover pair.

Consider a scenario where a packet flows through a single security rule set. When two paths are required, a redundant path can be designed using Active/Active redundancy together with the ASR feature in the FWSM. The same rule set is applied in both contexts, an ASR group is enabled on the interfaces of the two contexts, and the firewall is configured in transparent mode.

For the network topology shown in Figure 17-6, the FWSMs are in Active/Active failover configuration.

Figure 17-6 FWSM and Asymmetric Routing Support Between Two Contexts in Active/Active Failover Mode

[Figure: Cat6k-1 SUP720 with FWSM: primary for context A (transparent mode), secondary for context B (transparent mode). Cat6k-2 SUP720 with FWSM: primary for context B (transparent mode), secondary for context A (transparent mode).]

The firewalls in both contexts are in transparent mode, and the security policies in both contexts are the same. From the Layer 3 next hop in each security domain, there are two equal paths for routing adjacencies across the firewall, one through each context. Traffic from the inside to the outside security domain can flow through either context A or context B because the ASR feature is enabled on the interfaces of each security domain in both contexts. With ASR, the return path no longer depends on which unit holds the connection state.

In this example, a packet from the inside to the outside security domain flows through context A on Cat6k-1. The return packet arrives at context B on Cat6k-2. The outside interfaces of the two contexts are in the same ASR group. When the return packet arrives in context B, the outside interface of context B finds the session information in the outside interface of context A (because they share the same ASR group), which is in the standby state on that unit. It then forwards the return traffic to the unit where context A is active.
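The following FWSM configuration sketch is an added illustration, not from the original text or from Cisco's documentation. It shows how the ASR groups in Figure 17-6 line up across the two contexts: the outside interfaces of contexts A and B share one ASR group and the inside interfaces share another, while the failover groups place context A active on Cat6k-1 and context B active on Cat6k-2. VLAN numbers, context names, file names and addresses are constructed placeholders, and the command keywords are assumed to match the FWSM CLI of the release in use.

```text
! System execution space (entered on the primary unit; replicated to the secondary).
! All VLAN numbers, names and addresses are constructed for this example.
failover lan unit primary
failover lan interface fover vlan 10
failover link state vlan 11
failover interface ip fover 10.0.10.1 255.255.255.0 standby 10.0.10.2
failover interface ip state 10.0.11.1 255.255.255.0 standby 10.0.11.2
!
! Failover group 1 (context A) is active on Cat6k-1, the primary unit.
failover group 1
 primary
 preempt
! Failover group 2 (context B) is active on Cat6k-2, the secondary unit.
failover group 2
 secondary
 preempt
!
! Each context gets its own inside and outside VLAN pair: two parallel paths.
context A
 allocate-interface vlan100
 allocate-interface vlan200
 config-url disk:/ctxA.cfg
 join-failover-group 1
context B
 allocate-interface vlan101
 allocate-interface vlan201
 config-url disk:/ctxB.cfg
 join-failover-group 2
!
! Context A configuration. Context B is identical apart from using
! Vlan101/Vlan201, and carries the same access-list/access-group rule set.
firewall transparent
interface Vlan100
 nameif inside
 security-level 100
 asr-group 2
interface Vlan200
 nameif outside
 security-level 0
 asr-group 1
! Management address of the transparent context (same subnet as both interfaces).
ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
! asr-group 1 is shared by the outside interfaces of A and B (same security
! domain); asr-group 2 by their inside interfaces. A return packet reaching the
! standby context's outside interface is matched against the active context's
! session and forwarded to the unit where that context is active.
failover
```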

Asymmetric routing concepts can also be extended to single context mode. In this case, the packet leaves an FWSM interface in one security domain, and the return path is on an interface in a different security domain. Note that both interfaces must be in the same ASR group; interfaces in the same ASR group pass the packet from one interface to the other. In multiple context mode, by contrast, the interfaces in the same security domain (one per context) share the same ASR group.

In general, avoid asymmetric routing in a firewall design. The ASR feature is intended purely to protect against issues such as link failovers. Note that even though state is shared between the Active and Standby firewalls periodically, race conditions are possible and could cause connections to be dropped.

Active/Active failover with ASR is a design advantage for parallel paths across firewalls with the same security rule sets. Care should be taken with Active/Active redundancy and Layer 3 network symmetry; this depends on each environment, and limitations may arise in individual scenarios.
