Configuring Multiple Context FWSM Failover

This section covers Active/Active failover for the FWSM in multiple context mode. The two FWSMs sit in two different chassis. The spanning tree root for the VLANs of an active firewall context should be placed in the same switch that hosts that active context, and the HSRP VIP for those VLANs should be active in that same switch. When the Spanning Tree Protocol (STP) root and the HSRP active router follow the placement of the primary context, less traffic has to cross between the two chassis: traffic enters the switch that holds the active FWSM context and leaves through the same switch. The route statements are similar to those described for single context mode in the previous section; the only difference is that the routes are configured per firewall context.

Figure 12-5 shows an example of Active/Active context using failover groups. Here, both the FWSMs are actively passing traffic for the respective contexts.

Figure 12-5 (figure labels only):
Cat6k1 (SUP 720 and FWSM): Primary for Context A, Secondary for Context B
Cat6k2 (SUP 720 and FWSM): Secondary for Context A, Primary for Context B
Context A: Outside VLAN 9 at Primary FWSM 11.1.1.10 and Secondary FWSM 11.1.1.11; Inside VLAN 10 at Primary FWSM 172.1.1.12 and Secondary FWSM 172.1.1.13
Context B: Outside VLAN 50 at Primary FWSM 11.2.2.10 and Secondary FWSM 11.2.2.11; Inside VLAN 51 at Primary FWSM 172.2.2.12 and Secondary FWSM 172.2.2.13

NOTE The configuration for failover for routed mode or transparent mode is the same except for the way the VLANs are defined in the transparent mode. The failover configuration must allow BPDUs through the FWSM, which can be done using an EtherType access list.

Example 12-4 shows the multiple context failover configuration for the primary FWSM. Refer to the topology shown in Figure 12-5.

Example 12-4 Primary FWSM System Configuration

FWSM# show run
: Saved
:
resource acl-partition 12
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface Vlan9
!
interface Vlan10
!
! VLAN 30 represents a failover link
interface Vlan30
 description LAN Failover Interface
!
! VLAN 31 represents State link
interface Vlan31
 description STATE Failover Interface
!
interface Vlan50
!
interface Vlan51
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
 limit-resource IPSec 5
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
 limit-resource All 0
!
ftp mode passive
pager lines 24
! Configure failover
failover
! configure unit as a primary FWSM
failover lan unit primary
! VLAN 30 is configured as a failover link and VLAN 31 as a state link
failover lan interface fover Vlan30
failover replication http
failover link flink Vlan31
! configure IP addresses for the interfaces for failover and state link.
! These VLANs should be trunked in the switch between the two chassis
failover interface ip fover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip flink 192.168.2.1 255.255.255.0 standby 192.168.2.2
! Active/Active mode introduces the concept of failover group. Each failover group
! has properties attached per context or attached to multiple contexts. In this
! case, there are two contexts.
! The failover group 1 is active in the primary unit and the failover group 2
! is active in the secondary unit
failover group 1
 preempt
 replication http
failover group 2
 secondary
 preempt
 replication http
no asdm history enable
arp timeout 12400
console timeout 0
admin-context admin
context admin
 allocate-interface Vlan10
 allocate-interface Vlan9
 config-url disk:/admin.cfg
!
! contexta is attached to failover group 1
context contexta
 allocate-interface Vlan10
 allocate-interface Vlan9
 config-url disk:/contexta.cfg
 join-failover-group 1
!
! contextb is attached to failover group 2
context contextb
 allocate-interface Vlan50
 allocate-interface Vlan51
 config-url disk:/contextb.cfg
 join-failover-group 2
!
prompt hostname context
Cryptochecksum:3499722301e9febd9f25ced03d4bec32
: end

It is necessary to configure the secondary FWSM to identify the failover link and state link, as demonstrated in Example 12-5. The secondary FWSM obtains the context configurations from the primary FWSM when failover is enabled. The preempt command in the failover group configurations causes each failover group to become active on its designated unit after the configurations have been synchronized and the preempt delay has passed. Make sure these VLANs are defined in the switch and allowed on the trunk.
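The failover-group commands in Example 12-4 and the switch-placement rule at the start of this section (STP root and HSRP active following the active context) are easy to get subtly wrong, so the following added example, which is not code from the book or from Cisco, parses the relevant lines of the system configuration, derives which unit is normally active for each context, names the chassis that should carry the STP root and HSRP VIP for each context VLAN, and flags the common mistakes (a missing secondary keyword, a missing preempt, a context that allocates the failover or state VLAN). The configuration text is a trimmed copy of Example 12-4, and the chassis names assume the placement drawn in Figure 12-5 (primary FWSM in Cat6k1, secondary in Cat6k2).

```python
"""Derive the Active/Active context-to-unit mapping from an FWSM system
configuration and run a few sanity checks on it.  Added example for this
page, not code from the book or from Cisco; chassis names are assumed to
match Figure 12-5 (primary FWSM in Cat6k1, secondary FWSM in Cat6k2)."""
import re

# Constructed sample: the failover and context lines of Example 12-4,
# with comments and unrelated commands trimmed.
SYSTEM_CONFIG = """\
failover
failover lan unit primary
failover lan interface fover Vlan30
failover link flink Vlan31
failover group 1
  preempt
failover group 2
  secondary
  preempt
admin-context admin
context admin
  allocate-interface Vlan10
  allocate-interface Vlan9
context contexta
  allocate-interface Vlan10
  allocate-interface Vlan9
  join-failover-group 1
context contextb
  allocate-interface Vlan50
  allocate-interface Vlan51
  join-failover-group 2
"""

# Assumed placement of the two units, as drawn in Figure 12-5.
CHASSIS = {"primary": "Cat6k1", "secondary": "Cat6k2"}


def parse_system_config(text):
    """Collect failover state, link VLANs, failover groups and contexts."""
    cfg = {"failover": False, "unit": None, "links": {}, "groups": {}, "contexts": {}}
    section = None  # ("group", number) or ("context", name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command: leaves any sub-mode
            section = None
            if line == "failover":
                cfg["failover"] = True
            elif m := re.match(r"failover lan unit (\w+)$", line):
                cfg["unit"] = m.group(1)
            elif m := re.match(r"failover (?:lan interface|link) (\S+) (Vlan\d+)$", line):
                cfg["links"][m.group(1)] = m.group(2)
            elif m := re.match(r"failover group (\d+)$", line):
                section = ("group", int(m.group(1)))
                cfg["groups"][section[1]] = {"primary": True, "preempt": False}
            elif m := re.match(r"context (\S+)$", line):
                section = ("context", m.group(1))
                cfg["contexts"][section[1]] = {"vlans": [], "group": None}
            continue
        if section is None:
            continue
        kind, key = section
        if kind == "group":
            if line == "secondary":  # group is normally active on the secondary unit
                cfg["groups"][key]["primary"] = False
            elif line == "preempt":
                cfg["groups"][key]["preempt"] = True
        elif m := re.match(r"allocate-interface (Vlan\d+)$", line):
            cfg["contexts"][key]["vlans"].append(m.group(1))
        elif m := re.match(r"join-failover-group (\d+)$", line):
            cfg["contexts"][key]["group"] = int(m.group(1))
    return cfg


def active_unit_by_context(cfg):
    """Unit on which each context is normally active.  A context without
    join-failover-group (the admin context always) belongs to group 1."""
    result = {}
    for name, ctx in cfg["contexts"].items():
        group = cfg["groups"].get(ctx["group"] or 1, {"primary": True})
        result[name] = "primary" if group["primary"] else "secondary"
    return result


def switch_placement(cfg):
    """Chassis that should be STP root and HSRP active for each context VLAN,
    so traffic enters and leaves through the switch holding the active context."""
    placement = {}
    for name, unit in active_unit_by_context(cfg).items():
        for vlan in cfg["contexts"][name]["vlans"]:
            chassis = CHASSIS[unit]
            if placement.get(vlan, chassis) != chassis:
                chassis = "conflict"  # VLAN shared by contexts active on different units
            placement[vlan] = chassis
    return placement


def lint(cfg):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    if not cfg["failover"]:
        findings.append("failover is not enabled")
    link_vlans = set(cfg["links"].values())
    if len(link_vlans) < len(cfg["links"]):
        findings.append("failover link and state link share a VLAN")
    for name, ctx in cfg["contexts"].items():
        clash = link_vlans.intersection(ctx["vlans"])
        if clash:
            findings.append(f"context {name} allocates failover VLAN {sorted(clash)}")
    for number, group in cfg["groups"].items():
        if not group["preempt"]:
            findings.append(f"failover group {number} has no preempt")
    units = {"primary" if g["primary"] else "secondary" for g in cfg["groups"].values()}
    if len(units) < 2:
        findings.append("all failover groups prefer the same unit: Active/Standby, not Active/Active")
    return findings


if __name__ == "__main__":
    cfg = parse_system_config(SYSTEM_CONFIG)
    for name, unit in active_unit_by_context(cfg).items():
        print(f"{name:10} active on {unit} ({CHASSIS[unit]})")
    for vlan, chassis in sorted(switch_placement(cfg).items()):
        print(f"{vlan}: STP root and HSRP active should be {chassis}")
    print("findings:", lint(cfg) or "none")
```

Run against the sample, the script reports contexta (and the admin context, which shares its VLANs) active on the primary unit in Cat6k1 and contextb active on the secondary unit in Cat6k2, with no findings. Deleting the secondary keyword under failover group 2 makes both groups prefer the primary unit, and the lint reports that the pair would then run Active/Standby rather than Active/Active; allocating Vlan30 to a context is reported as a clash with the failover link.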

Example 12-5 Configuring the System Context of the Secondary FWSM

failover
failover lan unit secondary
failover lan interface fover Vlan30
failover replication http
failover link flink Vlan31
failover interface ip fover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip flink 192.168.2.1 255.255.255.0 standby 192.168.2.2

Example 12-6 gives a snapshot of the commands needed to configure context A in the primary FWSM, from the show running-config output.

Example 12-6 Active Context A Configuration (Primary FWSM)

interface Vlan9
 nameif outside
 security-level 0
 ip address 11.1.1.12 255.255.255.0 standby 11.1.1.13
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 172.1.1.12 255.255.255.0 standby 172.1.1.13
!
access-list 100 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
global (outside) 1 11.1.1.0 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
access-group 100 out interface outside
access-group 100 in interface inside
access-group 100 out interface inside
route outside 0.0.0.0 0.0.0.0 11.1.1.3 1

Example 12-7 gives a snapshot of the commands needed to configure context B in the secondary FWSM, from the show running-config command output.

Example 12-7 Active Context B Configuration (Secondary FWSM)

interface Vlan50
 nameif inside
 security-level 100
 ip address 172.2.2.10 255.255.255.0 standby 172.2.2.11
!
interface Vlan51
 nameif outside
 security-level 0
 ip address 11.2.2.10 255.255.255.0 standby 11.2.2.11
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 12400
global (outside) 1 11.2.2.0 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 11.2.2.3 1

Use the show failover command to verify failover in each context. The "Configuring Multiple Context FWSM Failover" section shows an Active/Active context configuration, which the 3.x code supports. The examples show how failover groups are configured and how they are attached to each context. A failover group gives each context its own failover characteristics; this is what makes Active/Active configuration possible in multiple context mode and lets both FWSM units pass traffic.
