Wednesday, June 27, 2012

Configuring Active/Standby Failover in cisco ASA

Failover provides redundancy between a pair of appliances: if one appliance fails, the other takes over its role so that traffic keeps flowing. That is why most companies deploy failover on the firewall, where a single hardware failure would otherwise cut off both connectivity and security enforcement at the same time.

Failover is a Cisco-proprietary feature of the security appliance. It works between two paired appliances, one backing up the other. This section introduces the failover concepts and then walks through an Active/Standby configuration.


Failover implementations

Cisco supports two failover implementations:

Active/Standby
Active/Active

Active/Active failover is only available when the appliances run in multiple context mode; Active/Standby, covered here, works in single or multiple context mode.

Active/Standby

The Active/Standby implementation needs two appliances, designated primary and secondary. By default the primary unit takes the active role and the secondary the standby role, and only the active unit processes traffic. If the primary fails, or an interface it monitors goes down, the secondary takes over the active role. Note that there is no preemption: once the secondary has become active it stays active after the primary recovers, until it fails in turn or you force a switch (failover active on the unit that should become active, or no failover active on the one that should step down). Both units must be the same model with the same interfaces and memory, run the same software version, and be in the same firewall mode (routed or transparent) and the same context mode.

The following is the configuration of Active/Standby failover on a Cisco ASA. Two interfaces are reserved for the pair: e0/2 carries the failover (LAN) link, over which the units exchange hello messages and the primary replicates its configuration, and e0/3 carries the stateful failover link, over which connection state is copied so that established sessions survive a switchover. Use dedicated interfaces, or at the very least a dedicated VLAN, for both links and never share them with user traffic. Set a failover key before you enable failover: without one, everything on the failover links, replicated configuration with its passwords and preshared keys included, crosses the wire in clear text. The key "cisco" below is a placeholder only; pick a real secret and configure the same one on both units.

ASA1

ciscoasa(config)# hostname asa1
asa1(config)# int e0/0
asa1(config-if)# nameif inside
asa1(config-if)# ip add 192.168.2.1 255.255.255.0 standby 192.168.2.2
asa1(config-if)# no shut

asa1(config-if)# int e0/1
asa1(config-if)# nameif outside
asa1(config-if)# ip add 192.168.1.1 255.255.255.0 standby 192.168.1.2
asa1(config-if)# no shut

asa1(config-if)# int e0/2
asa1(config-if)# no shut
asa1(config-if)# int e0/3
asa1(config-if)# no shut
asa1(config-if)# exit

asa1(config)# failover lan unit primary
asa1(config)# failover lan interface FOControl e0/2
asa1(config)# failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
asa1(config)# failover link FOState e0/3
asa1(config)# failover interface ip FOState 192.168.21.1 255.255.255.0 standby 192.168.21.2
asa1(config)# failover key cisco
asa1(config)# failover polltime msec 200 holdtime msec 800
asa1(config)# failover


ASA2

ciscoasa(config)# hostname asa2
asa2(config)# int e0/0
asa2(config-if)# no shut
asa2(config-if)# int e0/1
asa2(config-if)# no shut
asa2(config-if)# int e0/2
asa2(config-if)# no shut
asa2(config-if)# int e0/3
asa2(config-if)# no shut
asa2(config-if)# exit

asa2(config)# failover lan unit secondary
asa2(config)# failover key cisco
asa2(config)# failover lan interface FOControl e0/2
asa2(config)# failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
asa2(config)# failover

Enabling and verifying failover

The failover lan, failover link, failover interface ip and failover key commands only describe the pair; the feature itself is switched on with the bare failover command, issued in configuration mode on the primary first and then on the secondary. Once both units are enabled, the secondary pulls the rest of its configuration (interface names, addresses and standby addresses, the state link, the key) from the primary over the failover link, which is why the secondary only needs the failover link itself configured locally.

To verify that failover is working, use show failover on both appliances. The primary should report This host: Primary - Active and Other host: Secondary - Standby Ready; the secondary shows the mirror image. Anything other than Standby Ready for the other host means the pair has not synchronised yet (check the key, the link addresses and that both units can reach each other on e0/2). show failover state gives the same information in compact form.



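A configuration check to run before you type failover on either unit, added here as an example; it is not part of the original post and not a Cisco tool. It parses each unit's failover configuration as typed (the ASA masks the key in show running-config, so the input has to be the text you entered) and reports the mismatches that most often stop a pair from synchronising: roles not primary/secondary, the feature never enabled, a missing or differing failover key, differing failover link definitions, a data interface without a standby address, a failover interface that also carries a nameif, and a holdtime below three times the polltime. The two configs embedded in it are constructed to mirror ASA1 and ASA2 above and were not captured from real devices; run as written, it reports that the only thing missing on both units is the bare failover command.

```python
import re

# Constructed inputs mirroring the post's ASA1/ASA2 as typed (not captured from
# real devices). As posted, neither unit issues the bare 'failover' command.
PRIMARY_AS_POSTED = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
interface Ethernet0/1
 nameif outside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover lan unit primary
failover lan interface FOControl Ethernet0/2
failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover link FOState Ethernet0/3
failover interface ip FOState 192.168.21.1 255.255.255.0 standby 192.168.21.2
failover key cisco
failover polltime msec 200 holdtime msec 800
"""
SECONDARY_AS_POSTED = """\
failover lan unit secondary
failover key cisco
failover lan interface FOControl Ethernet0/2
failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
"""
PRIMARY_FIXED = PRIMARY_AS_POSTED + "failover\n"
SECONDARY_FIXED = SECONDARY_AS_POSTED + "failover\n"


def parse_config(text):
    """Extract the failover-relevant settings from one unit's config text."""
    cfg = {"unit": None, "lan_if": None, "if_ip": {}, "key": None, "enabled": False,
           "poll_ms": None, "hold_ms": None, "interfaces": {}}
    current = None                                  # interface stanza being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            cfg["interfaces"][current] = {"nameif": None, "ip": None, "standby": None}
        elif raw.startswith(" ") and current:       # indented interface sub-command
            iface = cfg["interfaces"][current]
            if m := re.match(r"nameif (\S+)", line):
                iface["nameif"] = m.group(1)
            elif m := re.match(r"ip address (\S+) (\S+)(?: standby (\S+))?", line):
                iface["ip"], iface["standby"] = m.group(1), m.group(3)
        else:
            current = None
            if m := re.match(r"failover lan unit (primary|secondary)$", line):
                cfg["unit"] = m.group(1)
            elif m := re.match(r"failover lan interface (\S+) (\S+)", line):
                cfg["lan_if"] = (m.group(1), m.group(2))
            elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
                cfg["if_ip"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
            elif m := re.match(r"failover key (\S+)", line):
                cfg["key"] = m.group(1)
            elif m := re.match(r"failover polltime(?: unit)?( msec)? (\d+)(?: holdtime( msec)? (\d+))?$", line):
                cfg["poll_ms"] = int(m.group(2)) * (1 if m.group(1) else 1000)  # seconds unless msec
                if m.group(4):
                    cfg["hold_ms"] = int(m.group(4)) * (1 if m.group(3) else 1000)
            elif line == "failover":                # the bare command that enables the feature
                cfg["enabled"] = True
    return cfg


def lint_pair(primary_text, secondary_text):
    """Return findings for the pair; an empty list means nothing obvious is wrong."""
    units = {"primary": parse_config(primary_text), "secondary": parse_config(secondary_text)}
    p, s = units["primary"], units["secondary"]
    findings = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        findings.append("roles: need 'failover lan unit primary' on one unit and 'secondary' on the other")
    for name, cfg in units.items():
        if not cfg["enabled"]:
            findings.append(f"{name}: failover is described but not enabled (bare 'failover' command missing)")
        if cfg["key"] is None:
            findings.append(f"{name}: no 'failover key'; replicated config, passwords included, crosses the link in clear text")
        if cfg["lan_if"] is None:
            findings.append(f"{name}: no 'failover lan interface'")
        else:
            link, phys = cfg["lan_if"]
            if link not in cfg["if_ip"]:
                findings.append(f"{name}: failover link {link} has no 'failover interface ip'")
            if cfg["interfaces"].get(phys, {}).get("nameif"):
                findings.append(f"{name}: {phys} has a nameif; the failover link must be a dedicated interface")
    if p["key"] and s["key"] and p["key"] != s["key"]:
        findings.append("failover key differs between the units; they will not pair")
    if p["lan_if"] and s["lan_if"]:
        if p["lan_if"] != s["lan_if"]:
            findings.append("failover lan interface differs between the units")
        elif p["if_ip"].get(p["lan_if"][0]) != s["if_ip"].get(p["lan_if"][0]):
            findings.append("failover link addresses differ between the units")
    for phys, iface in p["interfaces"].items():   # data interfaces are defined on the primary
        if iface["nameif"] and iface["ip"] and not iface["standby"]:
            findings.append(f"primary: {iface['nameif']} ({phys}) has no standby address; its health cannot be tested")
    if p["poll_ms"] and p["hold_ms"] and p["hold_ms"] < 3 * p["poll_ms"]:
        findings.append(f"primary: holdtime {p['hold_ms']} ms is below 3 x polltime {p['poll_ms']} ms (ASA rejects this)")
    return findings


if __name__ == "__main__":
    print(lint_pair(PRIMARY_AS_POSTED, SECONDARY_AS_POSTED))   # two 'not enabled' findings
    print(lint_pair(PRIMARY_FIXED, SECONDARY_FIXED))           # []
```

The checks only cover what can be seen in the two text files; they cannot tell you whether e0/2 on one unit is actually cabled to e0/2 on the other, which show failover will. The standby-address check is there because an interface without one can still fail over on link state, but the active unit cannot run network tests against it, and the clear-text warning reflects Cisco's own documentation for running without a failover key.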