Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
Configuring Firewall Stateful Interchassis Redundancy
Downloads: This chapterpdf (PDF - 1.56MB) The complete bookPDF (PDF - 6.81MB) | The complete bookePub (ePub - 1.35MB) | Feedback

Configuring Firewall Stateful Interchassis Redundancy

Contents

Configuring Firewall Stateful Interchassis Redundancy

The Firewall Stateful Interchassis Redundancy feature enables you to configure pairs of routers to act as backup for each other. This feature can be configured to determine the active router based on a number of failover conditions. When a failover occurs, the standby router seamlessly takes over and starts performing traffic forwarding services and maintaining a dynamic routing table.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Firewall Stateful Interchassis Redundancy

  • The interfaces attached to the firewall must have the same redundant interface identifier (RII).
  • The active device and the standby device must have the same Cisco IOS XE Zone-Based Firewall configuration.
  • The active device and the standby device must run on an identical version of the Cisco IOS XE software. The active device and the standby device must be connected through a switch.
  • Embedded Service Processor (ESP) must match on both active and standby devices.

Restrictions for Firewall Stateful Interchassis Redundancy

  • Multiprotocol Label Switching (MPLS) is not supported.
  • LAN and WAN scenarios are not supported.
  • LAN and MESH scenarios are not supported.
  • Cisco ASR 1006 and Cisco ASR 1013 platforms with dual Embedded Services Processors (ESPs) or dual Route Processors (RPs) in the chassis are not supported, because coexistence of interbox high availability (HA) and intrabox HA is not supported. Cisco ASR 1006 and Cisco ASR 1013 platforms with single ESP and single RP in the chassis supports interchassis redundancy.
  • If the dual IOS daemon (IOSd) is configured, the device will not support the firewall Stateful Interchassis Redundancy configuration.

Information About Firewall Stateful Interchassis Redundancy

How Firewall Stateful Inter-Chassis Redundancy Works

You can configure pairs of routers to act as hot standbys for each other. This redundancy is configured on an interface basis. Pairs of redundant interfaces are known as redundancy groups. The figure below depicts the active-standby device scenario. It shows how the redundancy group is configured for a pair of routers that has one outgoing interface. The Redundancy Group Configuration--Two Outgoing Interfaces figure depicts the active-active device scenario shows how two redundancy groups are configured for a pair of routers that have two outgoing interfaces.

Note that in both cases, the redundant routers are joined by a configurable control link and a data synchronization link. The control link is used to communicate the status of the routers. The data synchronization link is used to transfer stateful information from Network Address Translation (NAT) and the firewall and to synchronize the stateful database for these applications.

Also, in both cases, the pairs of redundant interfaces are configured with the same unique ID number known as the RII.



Figure 1. Redundancy Group Configuration--Two Outgoing Interfaces

The status of redundancy group members is determined through the use of hello messages sent over the control link. If either of the routers does not respond to a hello message within a configurable amount of time, it is considered that a failure has occurred, and a switchover is initiated. To detect a failure in milliseconds, the control links run the failover protocol integrated with the Bidirectional Forwarding Detection (BFD) protocol. You can configure the following parameters for the hello messages:

  • Active timer
  • Standby timer
  • Hellotime--The interval at which hello messages are sent
  • Holdtime--The amount of time before the active or the standby router is declared to be down

The hellotime defaults to 3 seconds to align with Hot Standby Router Protocol (HSRP), and the holdtime defaults to 10 seconds. You can also configure these timers in milliseconds by using the timers hellotime msec command.

To determine which pairs of interfaces are affected by the switchover, you must configure a unique ID number for each pair of redundant interfaces. This ID number is known as the RII associated with the interface.

A switchover to the standby router can also occur under other circumstances. Another factor that can cause a switchover is a priority setting that is configurable for each router. The router with the highest priority value will be the active router. If a fault occurs on either the active or the standby router, the priority of the router is decremented by a configurable amount known as the weight. If the priority of the active router falls below the priority of the standby router, a switchover occurs and the standby router becomes the active router. This default behavior can be overridden by disabling the preemption attribute for the redundancy group. You can also configure each interface to decrease the priority when the L1 state of the interface goes down. This amount overrides the default amount configured for the redundancy group.

Each failure event that causes a modification of a redundancy group’s priority generates a syslog entry that contains a time stamp, the redundancy group that was affected, previous priority, new priority, and a description of the failure event cause.

Another situation that will cause a switchover to occur is when the priority of a router or interface falls below a configurable threshold level.

In general, a switchover to the standby router occurs under the following circumstances:

  • Power loss or reload occurs on the active router (this includes crashes).
  • The run-time priority of the active router goes down below that of the standby router.
  • The run-time priority of the active router goes down below the configured threshold value.
  • The redundancy group on the active router is reloaded manually using the redundancy application reload group rg-number command.
  • Two consecutive hello messages missed on any monitored interface forces the interface into testing mode. When this occurs, both units first verify the link status on the interface and then execute the following tests:
    • Network activity test
    • ARP test
    • Broadcast ping test

In the Firewall Stateful Inter-Chassis Redundancy feature, the redundancy group traffic is routed through the virtual IP address that is associated with the ingress interface of the redundancy group. The traffic sent to the virtual IP address is received by the router that has the redundancy group in the active state. During a redundancy group failover, the traffic to the virtual IP address is automatically routed to the newly active redundancy group.

The firewall drops the traffic that arrives on the standby redundancy group in case the redundancy group traffic is routed through the physical IP address of a standby router and the traffic reaches the standby redundancy group. However, when the traffic arrives on the active redundancy group, the established TCP or UDP sessions are synchronized to the standby redundancy group.

Exclusive Virtual IP Addresses and Exclusive Virtual MAC Addresses

Virtual IP (VIP) addresses and virtual MAC (VMAC) addresses are used by security applications to control interfaces that receive traffic. An interface is paired with another interface, and these interfaces are associated with the same redundancy group (RG). The interface that is associated with an active RG exclusively owns the VIP and VMAC. The Address Resolution Protocol (ARP) process on the active device sends ARP replies for any ARP request for the VIP, and the Ethernet controller for the interface is programmed to receive packets destined for the VMAC. When an RG failover occurs, the ownership of the VIP and VMAC changes. The interface that is associated with the newly active RG sends a gratuitous ARP and programs the interface’s Ethernet controller to accept packets destined for the VMAC.

IPv6 Support

You can assign each redundancy group (RG) on a traffic interface for both IPv4 and IPv6 virtual IP (VIP) addresses under the same redundancy interface identifier (RII). Each RG uses a unique virtual MAC (VMAC) address per RII. For an RG, the IPv6 link-local VIP and global VIP coexist on an interface.

You can configure an IPv4 VIP, a link-local IPv6 VIP, and/or a global IPv6 VIP for each RG on a traffic interface. IPv6 link-local VIP is mainly used when configuring static or default routes, whereas IPv6 global VIP is widely used in both LAN and WAN topologies.

You must configure a physical IP address before configuring an IPv4 VIP.

Supported Topologies

The LAN-LAN topology is supported in the Firewall Stateful Inter-Chassis Redundancy architecture:


Note


Asymmetric routing is not supported.


LAN-LAN

The figure below shows the LAN-LAN topology. When a dedicated appliance-based firewall solution is used, traffic is often directed to the correct firewall by configuring static routing in the upstream or downstream routers to an appropriate virtual IP address. In addition, the Aggregation Services Routers (ASRs) will participate in dynamic routing with upstream or downstream routers. The dynamic routing configuration supported on LAN facing interfaces must not introduce a dependency on routing protocol convergence; otherwise, fast failover requirements will not be met.



For more information about the LAN-LAN configuration, see the section, Example Configuring LAN-LAN.

How to Configure Firewall Stateful Interchassis Redundancy

Configuring a Redundancy Application Group

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    redundancy

    4.    application redundancy

    5.    group id

    6.    name group-name

    7.    shutdown

    8.    priority value [failover threshold value]

    9.    preempt

    10.    track object-number {decrement value | shutdown}

    11.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 redundancy


    Example:
    Device(config)# redundancy
     

    Enters redundancy configuration mode.

     
    Step 4 application redundancy


    Example:
    Device(config-red)# application redundancy
     

    Enters redundancy application configuration mode.

     
    Step 5 group id


    Example:
    Device(config-red-app)# group 1
     

    Enters redundancy application group configuration mode.

     
    Step 6 name group-name


    Example:
    Device(config-red-app-grp)# name group1
     

    (Optional) Specifies an optional alias for the protocol instance.

     
    Step 7 shutdown


    Example:
    Device(config-red-app-grp)# shutdown
     

    (Optional) Shuts down a redundancy group manually.

     
    Step 8 priority value [failover threshold value]


    Example:
    Device(config-red-app-grp)# priority 100 failover threshold 50 
     

    (Optional) Specifies the initial priority and failover threshold for a redundancy group.

     
    Step 9 preempt


    Example:
    Device(config-red-app-grp)# preempt
     

    Enables preemption on the group and enables the standby device to preempt the active device regardless of the priority.

     
    Step 10 track object-number {decrement value | shutdown}


    Example:
    Device(config-red-app-grp)# track 200 decrement 200
     

    Specifies the priority value of a redundancy group that will be decremented if an event occurs.

     
    Step 11 end


    Example:
    Device(config-red-app-grp)# end
     

    Exits redundancy application group configuration mode and enters privileged EXEC mode.

     

    Configuring a Redundancy Group Protocol

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    redundancy

      4.    application redundancy

      5.    protocol id

      6.    name group-name

      7.    timers hellotime {seconds | msec milliseconds} holdtime {seconds | msec milliseconds}

      8.    authentication {text string | md5 key-string [0 | 7] key-string timeout seconds | key-chain key-chain-name}

      9.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 redundancy


      Example:
      Device(config)# redundancy
       

      Enters redundancy configuration mode.

       
      Step 4 application redundancy


      Example:
      Device(config-red)# application redundancy
       

      Enters redundancy application configuration mode.

       
      Step 5 protocol id


      Example:
      Device(config-red-app)# protocol 1
       

      Specifies the protocol instance that will be attached to a control interface and enters redundancy application protocol configuration mode.

       
      Step 6 name group-name


      Example:
      Device(config-red-app-prtcl)# name prot1
       

      (Optional) Configures the redundancy group (RG) with a name.

       
      Step 7 timers hellotime {seconds | msec milliseconds} holdtime {seconds | msec milliseconds}


      Example:
      Device(config-red-app-prtcl)# timers hellotime 3 holdtime 9
       

      Specifies the interval between when hello messages are sent and the time period before which a device is declared to be down.

       
      Step 8 authentication {text string | md5 key-string [0 | 7] key-string timeout seconds | key-chain key-chain-name}


      Example:
      Device(config-red-app-prtcl)# authentication md5 key-string 0 n1 timeout 100
       

      Specifies the authentication information.

       
      Step 9 end


      Example:
      Device(config-red-app-prtcl)# end
       

      Exits redundancy application protocol configuration mode and enters privileged EXEC mode.

       

      Configuring a Virtual IP Address and a Redundant Interface Identifier

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    interface type number

        4.    redundancy rii id

        5.    redundancy group id ip address exclusive [decrement value]

        6.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 interface type number


        Example:
        Router(config)# interface GigabitEthernet 0/1/1 
         

        Specifies the interface name and number and enters interface configuration mode.

         
        Step 4 redundancy rii id


        Example:
        Router(config-if)# redundancy rii 600
         

        Configures the redundancy interface identifier for the redundancy group.

        • The range is from 1 to 65535.
         
        Step 5 redundancy group id ip address exclusive [decrement value]


        Example:
        Router(config-if)# redundancy group 1 ip 10.10.1.1 exclusive decrement 20
         

        Associates the interface with a redundancy group identified by the group idargument.

         
        Step 6 end


        Example:
        Router(config-if)# end
         

        Exits interface configuration mode and enters privileged EXEC mode.

         

        Configuring a Control Interface and a Data Interface

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    redundancy

          4.    application redundancy

          5.    group id

          6.    data interface-type interface-number

          7.    control interface-type interface-number protocol id

          8.    timers delay seconds [reload seconds]

          9.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 redundancy


          Example:
          Device(config)# redundancy
           

          Enters redundancy configuration mode.

           
          Step 4 application redundancy


          Example:
          Device(config-red)# application redundancy
           

          Enters redundancy application configuration mode.

           
          Step 5 group id


          Example:
          Device(config-red-app)# group 1
           

          Enters redundancy application group configuration mode.

           
          Step 6 data interface-type interface-number


          Example:
          Device(config-red-app-grp)# data GigabitEthernet 0/0/0 
           

          Specifies the data interface that is used by the redundancy group.

           
          Step 7 control interface-type interface-number protocol id


          Example:
          Device(config-red-app-grp)# control gigabitethernet 0/0/2 protocol 1
           
          Specifies the control interface that is used by the redundancy group.
          • This interface is also associated with an instance of the control interface protocol.
           
          Step 8 timers delay seconds [reload seconds]


          Example:
          Device(config-red-app-grp)# timers delay 100 reload 400 
           

          Specifies the time that a redundancy group will take to delay role negotiations that start after a fault occurs or the system is reloaded.

           
          Step 9 end


          Example:
          Device(config-red-app-grp)# end
           

          Exits redundancy application group configuration mode and enters privileged EXEC mode.

           

          Managing and Monitoring Firewall Stateful Inter-Chassis Redundancy

          Use the following commands to manage and monitor the Firewall Stateful Inter-Chassis Redundancy feature.

          SUMMARY STEPS

            1.    enable

            2.    debug redundancy application group config {all| error | event | func}

            3.    debug redundancy application group faults {all | error | event | fault | func}

            4.    debug redundancy application group media {all | error | event | nbr | packet{rx | tx} | timer}

            5.    debug redundancy application group protocol {all | detail | error | event | media | peer}

            6.    debug redundancy application group rii {error | event}

            7.    debug redundancy application group transport {db | error | event | packet | timer | trace}

            8.    debug redundancy application group vp {error | event}

            9.    show redundancy application group [group-id | all]

            10.    show redundancy application transport {client | group [group-id]}

            11.    show redundancy application control-interface group [group-id]

            12.    show redundancy application faults group [group-id]

            13.    show redundancy application protocol {protocol-id | group [group-id]

            14.    show redundancy application if-mgr group [group-id]

            15.    show redundancy application data-interface group [group-id]

            16.    end


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Router> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.
             
            Step 2 debug redundancy application group config {all| error | event | func}


            Example:
            Router# debug redundancy application group config all
             

            Displays the redundancy group application configuration.

             
            Step 3 debug redundancy application group faults {all | error | event | fault | func}


            Example:
            Router# debug redundancy application group faults error 
             

            Displays the redundancy group application fault.

             
            Step 4 debug redundancy application group media {all | error | event | nbr | packet{rx | tx} | timer}


            Example:
            Router# debug redundancy application group media timer 
             

            Displays the redundancy group application group media information.

             
            Step 5 debug redundancy application group protocol {all | detail | error | event | media | peer}


            Example:
            Router# debug redundancy application group protocol peer 
             

            Displays the redundancy group application group protocol information.

             
            Step 6 debug redundancy application group rii {error | event}


            Example:
            Router# debug redundancy application group rii event 
             

            Displays the redundancy group application group RII information.

             
            Step 7 debug redundancy application group transport {db | error | event | packet | timer | trace}


            Example:
            Router# debug redundancy application group transport trace 
             

            Displays the redundancy group application group transport information.

             
            Step 8 debug redundancy application group vp {error | event}


            Example:
            Router# debug redundancy application group vp event 
             

            Displays the redundancy group application group VP information.

             
            Step 9 show redundancy application group [group-id | all]


            Example:
            Router# show redundancy application group all
             

            Displays the redundancy group information.

             
            Step 10 show redundancy application transport {client | group [group-id]}


            Example:
            Router# show redundancy application transport group 1
             

            Displays transport specific information for a redundancy group.

             
            Step 11 show redundancy application control-interface group [group-id]


            Example:
            Router# show redundancy application control-interface group 2 
             

            Displays control interface information for a redundancy group.

             
            Step 12 show redundancy application faults group [group-id]


            Example:
            Router# show redundancy application faults group 2
             

            Displays fault-specific information for a redundancy group.

             
            Step 13 show redundancy application protocol {protocol-id | group [group-id]


            Example:
            Router# show redundancy application protocol 3 
             

            Displays protocol specific information for a redundancy group.

             
            Step 14 show redundancy application if-mgr group [group-id]


            Example:
            Router# show redundancy application if-mgr group 2 
             

            Displays interface manager information for a redundancy group.

             
            Step 15 show redundancy application data-interface group [group-id]


            Example:
            Router# show redundancy application data-interface group 1 
             

            Displays data interface specific information.

             
            Step 16 end


            Example:
            Router# end
             

            Exits the current configuration mode and returns to privileged EXEC mode.

             

            Configuration Examples for Firewall Stateful Interchassis Redundancy

            Example: Configuring a Redundancy Application Group

            The following example shows how to configure a redundancy group named group1 with priority and preempt attributes:

            Device# configure terminal
            Device(config)# redundancy
            Device(config-red)# application redundancy
            Device(config-red-app)# group 1
            Device(config-red-app-grp)# name group1
            Device(config-red-app-grp)# priority 100 failover-threshold 50
            Device(config-red-app-grp)# preempt
            Device(config-red-app-grp)# track 200 decrement 200
            Device(config-red-app-grp)# end

            Example: Configuring a Redundancy Group Protocol

            The following example shows how to configure a redundancy group with timers set for hello time and hold time messages:

            Device# configure terminal
            Device(config)# redundancy
            Device(config-red)# application redundancy
            Device(config-red-app)# protocol 1
            Device(config-red-app-prtcl)# timers hellotime 3 holdtime 9
            Device(config-red-app-prtcl)# authentication md5 key-string 0 n1 timeout 100
            Device(config-red-app-prtcl)# bfd
            Device(config-red-app-prtcl)# end

            Example Configuring Virtual IP Address and Redundant Interface Identifier

            The following example shows how to configure the redundancy group virtual IP address for Gigabit Ethernet interface 0/0/0:

            Router# configure terminal
            Router(config)# interface GigabitEthernet0/1/1
            Router(conf-if)# redundancy rii 600
            Router(config-if)# redundancy group 2 ip 10.2.3.4 exclusive decrement 200
            Router(config)# redundancy
            Router(config-red-app-grp)# data GigabitEthernet0/0/0
            Router(config-red-app-grp)# control GigabitEthernet0/0/2 protocol 1
            

            Example: Configuring a Control Interface and a Data Interface

            Device# configure terminal
            Device(config-red)# application redundancy
            Device(config-red-app-grp)# group 1
            Device(config-red-app-grp)# data GigabitEthernet 0/0/0
            Device(config-red-app-grp)# control GigabitEthernet 0/0/2 protocol 1
            Device(config-red-app-grp)# timers delay 100 reload 400
            Device(config-red-app-grp)# end

            Example Configuring LAN-LAN

            The following is a sample LAN-LAN configuration that shows how a pair of ASR routers that have two outgoing interfaces are configured. In this example, GigabitEthernet0/1 is the ingress interface and GigabitEthernet0/2 is the egress interface. Both the interfaces are assigned to zones and a classmap is defined to describe traffic between zones. The interfaces are also configured for redundancy. The “inspect” action invokes the application-level gateway (ALG) to open a pinhole to allow traffic on other ports. An ALG pinhole is a port that is opened through an ALG to allow a particular application to gain controlled access to a protected network.

            ! Identifies and defines network zones
              zone security zone1
              zone security zone2
            !
            ! Assigns interfaces to zones
              interface GigabitEthernet0/1 
              zone-member security zone1
            interface GigabitEthernet0/2 
            zone-member security zone2
            !
            ! Defines class-maps to describes traffic between zones
              class-map type inspect match-any inter-zone-class-map
              match access-group 1 
              access-list 1 permit 10.1.1.1
            !
            ! Associates class-maps with policy-maps to define actions to be applied
              policy-map type inspect inter-zone-policy-map
              class type inspect inter-zone-class-map
              inspect
            !
            ! Sets zone pairs for any policy other than deny all and assign policy-maps to zone-pairs by defining service-policy
              zone-pair inter-zone source zone1 destination zone2
              service-policy type inspect inter-zone-policy-map
            !

            Additional References for Firewall Stateful Interchassis Redundancy

            Technical Assistance

            Description

            Link

            The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

            http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

            Feature Information for Firewall Stateful Interchassis Redundancy

            The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

            Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

            Table 1 Feature Information for Firewall Stateful Interchassis Redundancy

            Feature Name

            Releases

            Feature Information

            Firewall Stateful Interchassis Redundancy

            Cisco IOS XE Release 3.1(S)

            The Firewall Stateful Interchassis Redundancy feature enables you to configure paris of router to act a backups for each other.

            The following commands were introduced or modified: application redundancy, authentication, control, data, debug redundancy application group config, debug redundancy application group faults, debug redundancy application group media, debug redundancy application group protocol, debug redundancy application group rii, debug redundancy application group transport, debug redundancy application group vp, group, name, preempt, priority, protocol, redundancy rii, redundancy group, track, timers delay, timers hellotime, show redundancy application group, show redundancy application transport, show redundancy application control-interface, show redundancy application faults, show redundancy application protocol, show redundancy application if-mgr, show redundancy application data-interface.