Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.7
Configuring High Availability on the Virtual Firewall


Configuring High Availability on the Virtual Firewall


This module describes how to configure redundant multiservice blade (MSB) modules to provide high availability (HA) capability for the VFW feature.

Feature History for Configuring High Availability on the VFW Application

Release 3.5.0: This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0: No modification.

Release 3.7.0: No modification.


Contents

Information About VFW High Availability

How to Configure HA on Cisco IOS XR

How to Configure HA Using the VFW Application

Configuration Examples for HA

Additional References

Information About VFW High Availability

The VFW feature includes HA capability in the event of an MSB failure (see Figure 14). An active context on one MSB is protected by a standby context on a different MSB. A stateful failover includes configuration and connection synchronization, and the standby context is always ready to assume the active role.

An MSB failover can be triggered by:

A service location configuration change in the Cisco IOS XR software

An anomaly detected by one of the MSBs (such as a Linux process crash)

Heartbeat loss (such as a hardware failure)

An auto-revert process that makes the preferred active node operational

To implement a VFW with HA capability, you must:

1. Configure a firewall context, two Admin contexts (one for each MSB), and a management interface for each MSB using Cisco IOS XR software.

2. Configure HA on both MSBs using the Admin context in the VFW application.

3. Configure the firewall context in the VFW application.

Figure 14 High Availability

How to Configure HA on Cisco IOS XR

You must use Cisco IOS XR software to configure a firewall context, an Admin context for each MSB, and an HA management interface for each MSB. Refer to the following sections:

Configuring a Firewall Context for HA

Configuring the Admin Context for Each MSB

Configuring the Management Interface for the Admin Context on Each MSB

Configuring a Firewall Context for HA

This task describes how to configure a firewall context for HA.


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. firewall context-name

3. service-location preferred-active node-id [preferred-standby node-id [auto-revert]]

4. failure-action [drop | bypass | shutdown]

5. default-interface-name vfw-interface-name

6. end
or
commit

7. show services [redundancy]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

firewall context-name

Example:

RP/0/0/CPU0:router(config)# firewall ctx1

Specifies the name of a firewall context. The context-name must match the one on the VFW application.

Step 3 

service-location preferred-active node-id [preferred-standby node-id [auto-revert]]

Example:

RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/2/0 preferred-standby 0/3/0 auto-revert

Specifies both active and standby locations for the interface.

Use the preferred-active keyword to specify that the card in this location serves all traffic going through the interface. The node-id argument is expressed in rack/slot/module notation.

(Optional) Use the preferred-standby keyword to specify that if a card fails, the interface is served by the card in this location. The node-id argument is expressed in rack/slot/module notation.

(Optional) Use the auto-revert keyword to automatically revert to the preferred active location.

Step 4 

failure-action [drop | bypass | shutdown]

Example:

RP/0/0/CPU0:router(config-firewall)# failure-action bypass

(Optional) Specifies the failure action if there is a problem with the firewall attachment. Use the failure-action command to override the default failure policy.

If there is a problem with the firewall attachment, the default (drop) behavior automatically drops all packets that should be diverted. All IPv4 unicast and broadcast packets are dropped, but multicast packets and non-IPv4 packets are processed normally.

(Optional) Use the bypass keyword to specify that if a firewall attachment has a problem, all packets are to pass through without firewall protection.

(Optional) Use the shutdown keyword to specify that if a firewall attachment has a problem, the interface is shut down. All the hello or keepalive packets are dropped, and the interface is not used (if possible).

Step 5 

default-interface-name vfw-interface-name

Example:

RP/0/0/CPU0:router(config-firewall)# default-interface-name ctx_other

Use the default-interface-name keyword to specify the default interface name for the firewall. The vfw-interface-name must match the interface name in the VFW application.

Step 6 

end

or

commit

Example:

RP/0/0/CPU0:router(config-firewall)# end

or

RP/0/0/CPU0:router(config-firewall)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7 

show services [redundancy]

Example:

RP/0/0/CPU0:router# show services redundancy

Inspects the status of the firewall. If the output does not display the status as Active, the firewall is not operational. Refer to the "Troubleshooting Tips" section for additional information.

Configuring the Admin Context for Each MSB

This task describes how to configure the Admin context for each MSB.


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. firewall context-name

3. service-location preferred-active node-id

4. default-interface-name vfw-interface-name

5. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

firewall context-name

Example:

RP/0/0/CPU0:router(config)# firewall Admin1

Specifies the name of an Admin context. The context-name must include Admin (with the uppercase A) and match the one on the VFW application (for example, Admin1, Admin2, and so on).

Step 3 

service-location preferred-active node-id

Example:

RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/3/0

Specifies the active location for the Admin context. No preferred-standby location is configured here, because each MSB has its own Admin context; redundancy between the two Admin contexts is configured in the VFW application.

Use the preferred-active keyword to specify that the card in this location serves all traffic going through the interface. The node-id argument is expressed in rack/slot/module notation.

Step 4 

default-interface-name vfw-interface-name

Example:

RP/0/0/CPU0:router(config-firewall)# default-interface-name outside

Use the default-interface-name command to specify the default interface name for the firewall. The vfw-interface-name must match the interface name in the VFW application.

Step 5 

end

or

commit

Example:

RP/0/0/CPU0:router(config-firewall)# end

or

RP/0/0/CPU0:router(config-firewall)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring the Management Interface for the Admin Context on Each MSB

This task describes how to configure the management interface for the Admin context on each MSB.


Note This task is performed from the Cisco IOS XR software.


SUMMARY STEPS

1. configure

2. interface FirewallManagement number

3. ipv4 address ip-address

4. firewall context-name follow-active

5. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

interface FirewallManagement number

Example:

RP/0/0/CPU0:router(config)# interface FirewallManagement252

Specifies the interface.

Step 3 

ipv4 address ip-address

Example:

RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.3 255.255.255.0

Specifies the IPv4 address of the interface. It must be a different IP address, but from the same subnet as the IP address configured for the fault-tolerant (FT) interface on the VFW application.

Step 4 

firewall context-name follow-active

Example:

RP/0/0/CPU0:router(config-if)# firewall Admin2 follow-active

Specifies the name of an Admin context and that the interface should be attached to the active instance of the firewall.

This interface is used for the configuration and status synchronization between the active and standby contexts.

Note The context-name must match the one on the VFW application.

Step 5 

end

or

commit

Example:

RP/0/0/CPU0:router(config-if)# end

or

RP/0/0/CPU0:router(config-if)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

How to Configure HA Using the VFW Application

You must use the VFW application to configure HA on both MSBs in the Admin context and to also configure the firewall context. Refer to the following sections:

Configuring the Fault-Tolerant Interface

Configuring the Fault-Tolerant Peer

Configuring the Fault-Tolerant Group

To configure the firewall context, see the "Configuring Firewall Contexts" section on page VFC-20.


Note HA does not function properly unless a default interface is configured for both Admin contexts in Cisco IOS XR software (see the "Configuring the Admin Context for Each MSB" section) and in the VFW application. The "Configuring Firewall Contexts" section on page VFC-20 includes information about configuring default interfaces on the VFW application.


Configuring the Fault-Tolerant Interface

This task describes how to configure the fault-tolerant interface. You must configure one fault-tolerant interface for each MSB.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. ft interface name

3. ip address ip-address

4. peer ip address ip-address

5. no shutdown

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enters configuration mode on the VFW application.

Step 2 

ft interface name

Example:

firewall/Admin(config)# ft interface ha

Specifies the HA interface.

Step 3 

ip address ip-address

Example:

firewall/Admin(config-ft-intf)# ip address 10.1.2.2 255.255.255.0

Specifies the IP address of the interface. It must be a different IP address, but from the same subnet as the IP address configured for the firewall management interface of this Admin context on the Cisco IOS XR software.

Step 4 

peer ip address ip-address

Example:

firewall/Admin(config-ft-intf)# peer ip address 10.1.1.1 255.255.255.0

Provides the peer IP address of the FT interface on the other MSB in the redundant pair.

Step 5 

no shutdown

Example:

firewall/Admin(config-ft-intf)# no shutdown

Activates the FT interface.

Configuring the Fault-Tolerant Peer

This task describes how to configure the fault-tolerant peer. You must configure one fault-tolerant peer for each MSB.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. ft peer peer-id

3. ft-interface name

4. heartbeat interval number

5. heartbeat count number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enters configuration mode on the VFW application.

Step 2 

ft peer peer-id

Example:

firewall/Admin(config)# ft peer 1

Configures the fault-tolerant peer.

Step 3 

ft-interface name

Example:

firewall/Admin(config-ft-peer)# ft-interface ha

Specifies the HA interface.

Step 4 

heartbeat interval number

Example:

firewall/Admin(config-ft-peer)# heartbeat interval 100

Specifies the heartbeat interval. Frequency is in milliseconds (10-1000).

Step 5 

heartbeat count number

Example:

firewall/Admin(config-ft-peer)# heartbeat count 10

Specifies the heartbeat count (5-50). Default is 10.

Configuring the Fault-Tolerant Group

This task describes how to configure the fault-tolerant group. You must configure multiple fault-tolerant groups—one for each redundant context.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section on page VFC-14.

SUMMARY STEPS

1. configure

2. ft group group-id

3. peer peer-id

4. associate-context context_name

5. inservice

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enters configuration mode on the VFW application.

Step 2 

ft group group-id

Example:

firewall/Admin(config)# ft group 1

Configures a fault-tolerant group.

Step 3 

peer peer-id

Example:

firewall/Admin(config-ft-group)# peer 1

Associates the group with the fault-tolerant peer whose failure-detection (heartbeat) parameters it uses.

Step 4 

associate-context context_name

Example:

firewall/Admin(config-ft-group)# associate-context ctx1

Associates a context with this group.

Step 5 

inservice

Example:

firewall/Admin(config-ft-group)# inservice

Enables the fault tolerant group.

Troubleshooting Tips

After the VFW HA configuration is applied, there are several show commands you can use to validate the functionality. Use the show services redundancy command to verify that the firewall service is either in active or standby state. If the firewall status is displayed as Active in either the Preferred Active or Preferred Standby columns, then the firewall is operational.

RP/0/0/CPU0:router# show services redundancy

Service type     Name                    Pref. Active        Pref. Standby      
--------------------------------------------------------------------------------
Firewall         ctx1                    0/2/CPU0 Active     0/3/CPU0 Standby   
Firewall         Admin1                  0/3/CPU0 Active    
Firewall         Admin2                  0/2/CPU0 Active 


Note Cisco IOS XR software always reports the Admin contexts in the Active state (even if Admin context HA is configured). The HA relationships between Admins can be displayed only through the VFW application.


In the VFW application, there are several items to check in both MSBs.

Ensure that the fault-tolerant interface is up:

firewall/Admin# show interface ha 
ha is up
  IP address is 10.1.1.1 netmask is 255.255.255.0
  FT status is non-redundant
  Description:not set
  Last cleared: never
  Peer IP address is 10.1.2.2 Peer IP netmask is 255.255.255.0
     988 unicast packets input, 54199 bytes
     0 multicast, 0 broadcast
     0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
     349 unicast packets output, 15356 bytes
     0 multicast, 0 broadcast
     0 output errors, 0 ignored

Ensure that there are two UDP and one (bidirectional) TCP HA connections open:

firewall/Admin# show connection

total current connections : 4

conn-id    dir prot interface   source             destination           state
----------+---+----+-----------+-------------------+---------+----------------+
--         -  -   --    --   --                    --                    --
1          out UDP  ha          10.1.2.2:50000     10.1.1.1:50002        --  
--         -  -   --    --   --                    --                    --
2          out UDP  ha          10.1.2.2:50300     10.1.1.1:50302        --  
3          in  TCP  ha          10.1.2.2:2000      10.1.1.1:32782        ESTAB
4          out TCP  ha          10.1.1.1:32782     10.1.2.2:2000         ESTAB

Ensure that the peer is up:

firewall/Admin# show ft peer summary 
Peer Id                      : 1
State                        : FSM_PEER_STATE_COMPATIBLE
Maintenance mode             : MAINT_MODE_OFF
FT Interface                 : ha
My IP Addr                   : 10.1.2.2
Peer IP Addr                 : 10.1.1.1
Query Interface              : Not Configured
Peer Query IP Addr           : 0.0.0.0
Heartbeat Interval           : 10
Heartbeat Count              : 10
SRG Compatibility            : COMPATIBLE
License Compatibility        : COMPATIBLE
FT Groups                    : 9

Check the status of any FT groups:

firewall/Admin# show ft group status
FT Group                     : 1
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_ACTIVE
Peer State                   : FSM_FT_STATE_STANDBY_HOT
Peer Id                      : 1
No. of Contexts              : 1


Note Ensure that this output and the output from the show services redundancy command are in agreement regarding their active and standby locations.
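The agreement the note asks for can be checked mechanically. The Python below is an added example written for this edit, not Cisco code: it parses constructed copies of the show outputs quoted above and reports where the IOS XR and VFW views of ctx1 disagree. The node-id of the MSB whose Admin context you attached to is an assumed input, since the VFW output itself does not print it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on the show commands quoted above (not captured live).
XR_REDUNDANCY = """\
Service type     Name                    Pref. Active        Pref. Standby
Firewall         ctx1                    0/2/CPU0 Active     0/3/CPU0 Standby
Firewall         Admin1                  0/3/CPU0 Active
Firewall         Admin2                  0/2/CPU0 Active
"""
VFW_GROUP_STATUS = """\
FT Group                     : 1
Configured Status            : in-service
My State                     : FSM_FT_STATE_ACTIVE
Peer State                   : FSM_FT_STATE_STANDBY_HOT
No. of Contexts              : 1
"""
VFW_CONN = """\
conn-id    dir prot interface   source             destination           state
1          out UDP  ha          10.1.2.2:50000     10.1.1.1:50002        --
2          out UDP  ha          10.1.2.2:50300     10.1.1.1:50302        --
3          in  TCP  ha          10.1.2.2:2000      10.1.1.1:32782        ESTAB
4          out TCP  ha          10.1.1.1:32782     10.1.2.2:2000         ESTAB
"""
XR_ROW = re.compile(r"^Firewall\s+(?P<name>\S+)\s+(?P<anode>\S+)\s+(?P<astate>\S+)"
                    r"(?:\s+(?P<snode>\S+)\s+(?P<sstate>\S+))?\s*$")


def parse_services_redundancy(text: str) -> Dict[str, dict]:
    """Map each firewall context to (node, state) for its preferred-active and -standby slots."""
    rows = {}
    for line in text.splitlines():
        m = XR_ROW.match(line)
        if m:
            d = m.groupdict()
            rows[d["name"]] = {"active": (d["anode"], d["astate"]),
                               "standby": (d["snode"], d["sstate"]) if d["snode"] else None}
    return rows


def parse_kv(text: str) -> Dict[str, str]:
    """Parse the 'Key : Value' lines printed by show ft peer summary / show ft group status."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}


def count_ha_connections(text: str, ft_if: str = "ha") -> Tuple[int, int]:
    """Count UDP flows and ESTAB TCP flows (each direction counted once) on the FT interface."""
    udp = tcp = 0
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 7 and f[0].isdigit() and f[3] == ft_if:
            if f[2] == "UDP":
                udp += 1
            elif f[2] == "TCP" and f[-1] == "ESTAB":
                tcp += 1
    return udp, tcp


def check_ha(ctx: str, local_node: str, xr_text: str, grp_text: str, conn_text: str) -> List[str]:
    """Cross-check IOS XR's view of ctx with the VFW Admin context attached on local_node
    (the MSB node-id is an assumed input; the VFW output does not print it)."""
    findings = []
    xr = parse_services_redundancy(xr_text).get(ctx)
    if xr is None:
        return [f"{ctx}: not listed by show services redundancy"]
    if xr["active"][1] != "Active":
        findings.append(f"{ctx}: preferred-active {xr['active'][0]} is {xr['active'][1]}, not Active")
    grp = parse_kv(grp_text)
    # The VFW side we are attached to must report the role IOS XR assigns to that node.
    expect = {xr["active"][0]: ("FSM_FT_STATE_ACTIVE", "FSM_FT_STATE_STANDBY_HOT")}
    if xr["standby"]:
        expect[xr["standby"][0]] = ("FSM_FT_STATE_STANDBY_HOT", "FSM_FT_STATE_ACTIVE")
    want = expect.get(local_node)
    seen = (grp.get("My State"), grp.get("Peer State"))
    if want is None:
        findings.append(f"{ctx}: {local_node} is neither its active nor its standby location")
    elif seen != want:
        findings.append(f"{ctx}: VFW reports {seen[0]}/{seen[1]} but IOS XR implies {want[0]}/{want[1]}")
    # Two UDP flows plus one bidirectional (two-row) ESTAB TCP connection over the FT interface.
    udp, tcp = count_ha_connections(conn_text)
    if (udp, tcp) != (2, 2):
        findings.append(f"FT interface: expected 2 UDP + 2 TCP ESTAB rows, saw {udp} UDP / {tcp} TCP")
    return findings
```

Running check_ha("ctx1", "0/2/CPU0", ...) on the sample data returns no findings; the same VFW output seen from 0/3/CPU0 is flagged, because that node should report STANDBY_HOT.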


Configuration Examples for HA

The following example demonstrates how HA is configured for a single context (ctx1) with an active instance in slot1 (node 0/2/CPU0) and a standby in slot2 (node 0/3/CPU0). You must configure the failover both in the Cisco IOS XR software and in the VFW application.

For the configuration on Cisco IOS XR software, you must set up a management interface for each MSB to ensure the synchronization channel between the MSBs. You should also configure the Admin context for HA to ensure that any admin configurations are configured for redundancy.


Note The configuration of Admin contexts on redundant MSBs must be identical, with the exception of the peer IP addresses that are crossed.


RP/0/0/CPU0:router(config)# firewall Admin1 
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/3/CPU0 
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside 
RP/0/0/CPU0:router(config-firewall)# exit 

RP/0/0/CPU0:router(config)# firewall Admin2 
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/2/CPU0 
RP/0/0/CPU0:router(config-firewall)# default-interface-name outside 
RP/0/0/CPU0:router(config-firewall)# exit 

RP/0/0/CPU0:router(config)# interface FirewallManagement252 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.3 255.255.255.0 
RP/0/0/CPU0:router(config-if)# firewall Admin2 follow-active 
RP/0/0/CPU0:router(config-if)# exit 

RP/0/0/CPU0:router(config)# interface FirewallManagement253 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.1.2 255.255.255.0 
RP/0/0/CPU0:router(config-if)# firewall Admin1 follow-active 
RP/0/0/CPU0:router(config-if)# exit 

RP/0/0/CPU0:router(config)# firewall ctx1 
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/2/CPU0 preferred-standby 0/3/CPU0 auto-revert
RP/0/0/CPU0:router(config-firewall)# default-interface-name ctx_other 
RP/0/0/CPU0:router(config-firewall)# exit 
RP/0/0/CPU0:router(config)# interface FirewallManagement1 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.10.2 255.255.255.0 
RP/0/0/CPU0:router(config-if)# firewall ctx1 follow-active 
RP/0/0/CPU0:router(config-if)# exit 

You must also configure the MSB slots in the VFW application. To access the VFW application, see the "Attaching to the VFW Application" section on page VFC-14.

After accessing the VFW application, configure the Admin security context in slot1:

firewall/Admin# configure 
firewall/Admin(config)# access-list all_in line 10 extended permit ip any any 

firewall/Admin(config)# interface outside 
firewall/Admin(config-if)# access-group input all_in 
firewall/Admin(config-if)# no shutdown 
firewall/Admin(config-if)# exit 

firewall/Admin(config)# ft interface ha 
firewall/Admin(config-if-intf)# ip address 10.1.2.2 255.255.255.0 
firewall/Admin(config-if-intf)# peer ip address 10.1.1.1 255.255.255.0 
firewall/Admin(config-if-intf)# no shutdown 
firewall/Admin(config-if-intf)# exit 

firewall/Admin(config)# ft peer 1 
firewall/Admin(config-ft-peer)# heartbeat interval 10 
firewall/Admin(config-ft-peer)# heartbeat count 10 
firewall/Admin(config-ft-peer)# ft-interface ha 
firewall/Admin(config-ft-peer)# exit 

firewall/Admin(config)# ft group 251
firewall/Admin(config-ft-group)# peer 1
firewall/Admin(config-ft-group)# associate-context Admin
firewall/Admin(config-ft-group)# inservice 
firewall/Admin(config-ft-group)# exit 

Then, configure the Admin context in slot2:

firewall/Admin(config)# access-list all_in line 10 extended permit ip any any 

firewall/Admin(config)# interface outside 
firewall/Admin(config-if)# access-group input all_in 
firewall/Admin(config-if)# access-group output all_out 
firewall/Admin(config-if)# no shutdown 
firewall/Admin(config-if)# exit 

firewall/Admin(config)# ft interface ha 
firewall/Admin(config-if-intf)# ip address 10.1.1.1 255.255.255.0 
firewall/Admin(config-if-intf)# peer ip address 10.1.2.2 255.255.255.0 
firewall/Admin(config-if-intf)# no shutdown 
firewall/Admin(config-if-intf)# exit 

firewall/Admin(config)# ft peer 1 
firewall/Admin(config-ft-peer)# heartbeat interval 10 
firewall/Admin(config-ft-peer)# heartbeat count 10 
firewall/Admin(config-ft-peer)# ft-interface ha 
firewall/Admin(config-ft-peer)# exit 

firewall/Admin(config)# ft group 251 
firewall/Admin(config-ft-group)# peer 1 
firewall/Admin(config-ft-group)# associate-context Admin 
firewall/Admin(config-ft-group)# inservice 
firewall/Admin(config-ft-group)# exit 

Then, add any additional Admin configurations:

firewall/Admin(config)# context ctx1 
firewall/Admin(config-context)# exit 

firewall/Admin(config)# ft group 1 
firewall/Admin(config-ft-group)# peer 1 
firewall/Admin(config-ft-group)# associate-context ctx1 
firewall/Admin(config-ft-group)# inservice 
firewall/Admin(config-ft-group)# exit 

firewall/Admin(config)# resource-class rclass1 
.
.
.

Note When the Admin context is configured for HA, all configurations performed on the Admin context are synchronized to the standby Admin context. If you do not configure the Admin context for HA (using the associate-context command in ft group configuration mode), you must repeat all admin configurations on the standby context. User contexts configured for HA have their configurations synchronized to the standby context, regardless of whether the Admin context is configured for HA.
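The constraints that the IOS XR and VFW tasks above impose (Admin context names with an uppercase A, a default interface on every Admin context, a management address in the same subnet as but different from that MSB's FT address, crossed peer addresses, identical ft groups on both MSBs, and an ft group for every protected context) can be checked before commit. The Python below is an added example, not Cisco code; its dict layout is invented for the example, populated from the configuration shown above, and assumes exactly two MSBs in the pair.

```python
import ipaddress
from typing import Dict, List

# Constructed from the Configuration Examples above; the dict layout is this
# example's own, not a Cisco data format.
XR_CONFIG = {
    "contexts": {
        "Admin1": {"preferred_active": "0/3/CPU0", "default_interface": "outside"},
        "Admin2": {"preferred_active": "0/2/CPU0", "default_interface": "outside"},
        "ctx1": {"preferred_active": "0/2/CPU0", "preferred_standby": "0/3/CPU0",
                 "default_interface": "ctx_other"},
    },
    "mgmt_interfaces": {
        "FirewallManagement252": {"ipv4": "10.1.2.3/24", "context": "Admin2"},
        "FirewallManagement253": {"ipv4": "10.1.1.2/24", "context": "Admin1"},
    },
}
# The VFW Admin context of each MSB, keyed by node-id: its ft interface address,
# the peer ip address, and the ft group -> associated context mapping.
VFW_ADMINS = {
    "0/2/CPU0": {"ft_ip": "10.1.2.2/24", "peer_ip": "10.1.1.1/24",
                 "groups": {251: "Admin", 1: "ctx1"}},
    "0/3/CPU0": {"ft_ip": "10.1.1.1/24", "peer_ip": "10.1.2.2/24",
                 "groups": {251: "Admin", 1: "ctx1"}},
}


def validate_ha(xr: dict, vfw: Dict[str, dict]) -> List[str]:
    """Return the HA constraints of this module that the two-sided configuration violates."""
    findings = []
    ctxs = xr["contexts"]
    admins = {n for n in ctxs if n.startswith("Admin")}
    for name in ctxs:
        if name.lower().startswith("admin") and name not in admins:
            findings.append(f"{name}: Admin context name must be spelled with an uppercase A")
    # Each Admin context needs a default interface and a VFW Admin context on its MSB.
    for name in admins:
        if not ctxs[name].get("default_interface"):
            findings.append(f"{name}: no default-interface-name; HA will not function")
        if ctxs[name]["preferred_active"] not in vfw:
            findings.append(f"{name}: no VFW Admin context for node {ctxs[name]['preferred_active']}")
    # Management interface: same subnet as, but different from, that MSB's FT interface.
    for ifname, mi in xr["mgmt_interfaces"].items():
        node = ctxs[mi["context"]]["preferred_active"]
        if node not in vfw:
            continue
        mgmt, ft = ipaddress.ip_interface(mi["ipv4"]), ipaddress.ip_interface(vfw[node]["ft_ip"])
        if mgmt.network != ft.network:
            findings.append(f"{ifname}: {mgmt} is not in FT subnet {ft.network} of {node}")
        elif mgmt.ip == ft.ip:
            findings.append(f"{ifname}: {mgmt.ip} duplicates the FT interface address on {node}")
    # Peer addresses must be crossed and the ft groups identical on both MSBs (assumes a pair).
    nodes = list(vfw)
    for i, node in enumerate(nodes):
        other = vfw[nodes[1 - i]]
        if ipaddress.ip_interface(vfw[node]["peer_ip"]).ip != ipaddress.ip_interface(other["ft_ip"]).ip:
            findings.append(f"{node}: peer ip address is not the other MSB's FT interface address")
        if vfw[node]["groups"] != other["groups"]:
            findings.append(f"{node}: ft group configuration differs from the other MSB")
    # Every protected user context needs distinct locations and an ft group on each MSB.
    for name, c in ctxs.items():
        if name in admins or "preferred_standby" not in c:
            continue
        if c["preferred_standby"] == c["preferred_active"]:
            findings.append(f"{name}: preferred-active and preferred-standby are the same node")
        for node, adm in vfw.items():
            if name not in adm["groups"].values():
                findings.append(f"{name}: no ft group associates it on {node}")
    return findings
```

For the configuration above validate_ha returns an empty list; an uncrossed peer address or a management address that reuses the FT address is reported by MSB and interface name.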


Additional References

The following sections provide references related to high availability.

Related Documents

Related Topic: Cisco IOS XR virtual firewall command syntax
Document Title: "Virtual Firewall Commands on Cisco IOS XR Software" module in Cisco IOS XR Virtual Firewall Command Reference

Related Topic: Virtual firewall high availability command syntax
Document Title: "High Availability Commands on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport