Zone-Based Policy Firewall High Availability
Today I’m going to present how to implement high availability for ZBPF. Below you can see the scenario I work on:
As you can see, I have two routers (R1 and R2) which currently operate separately. From R4 we can reach R5 via either R1 or R2:
R4#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 4.4.4.0/24 is directly connected, FastEthernet0/0
L 4.4.4.4/32 is directly connected, FastEthernet0/0
R 5.0.0.0/8 [120/1] via 4.4.4.2, 00:00:25, FastEthernet0/0
[120/1] via 4.4.4.1, 00:00:10, FastEthernet0/0
R4#
I have already implemented a basic ZBPF:
zone security OUTSIDE
zone security INSIDE
!
zone-pair security OUT->IN source OUTSIDE destination INSIDE
service-policy type inspect TCP-PM
!
zone-pair security IN->OUT source INSIDE destination OUTSIDE
service-policy type inspect TCP-PM
!
!
interface FastEthernet0/0
zone-member security OUTSIDE
!
interface FastEthernet0/1
zone-member security INSIDE
!
and inspection of TCP sessions:
class-map type inspect match-all TCP-CM
match protocol tcp
!
policy-map type inspect TCP-PM
class type inspect TCP-CM
inspect
class class-default
drop log
!
Let’s test it before I move on:
1) R4 starts a telnet session towards R5
R4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Password:
R5>
and on R1 I see this session:
R1#sh policy-map type inspect zone-pair sessions
policy exists on zp OUT->IN
Zone-pair: OUT->IN
Service-policy inspect : TCP-PM
Class-map: TCP-CM (match-all)
Match: protocol tcp
Inspect
Number of Established Sessions = 1
Established Sessions
Session 69131440 (4.4.4.4:25950)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:37, Last heard 00:00:35
Bytes sent (initiator:responder) [31:71]
Class-map: class-default (match-any)
Match: any
Drop
68 packets, 1984 bytes
policy exists on zp IN->OUT
Zone-pair: IN->OUT
Service-policy inspect : TCP-PM
Class-map: TCP-CM (match-all)
Match: protocol tcp
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
R1#
Now it’s time to add the redundancy feature:
!
parameter-map type inspect global
redundancy
log dropped-packets enable
!
redundancy
application redundancy
group 1
name RG1
preempt
priority 200 <----- on r1 leave the default value 100
control GigabitEthernet0/0.10 protocol 1
data GigabitEthernet0/0.10
!
Now I add the outside interface to the redundancy with a virtual IP:
interface GigabitEthernet0/0
redundancy rii 1 decrement 50
I need an additional interface for internal communication between the peers:
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
When I configure the gig0/0.10 interfaces on both switches, I can see how the HA status is negotiated:
R1#sh redundancy application group 1
Group ID:1
Group Name:RG1
Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: UNKNOWN
Peer Presence: Yes
Peer Comm: No
Peer Progression Started: No
RF Domain: btob-one
RF state: ACTIVE
Peer RF state: DISABLED
R1#
*Jan 10 02:20:01.551: %RG_VP-6-BULK_SYNC_DONE: RG group 1 BULK SYNC to standby complete.
*Jan 10 02:20:01.555: %RG_VP-6-STANDBY_READY: RG group 1 Standby router is in SSO state
R1#sh redundancy application group 1
Group ID:1
Group Name:RG1
Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY HOT
R1#
R2#
*Jan 10 01:50:18.363: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Active to Init
R2#
*Jan 10 01:50:28.363: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Init to Standby
R2#
R2#sh redundancy application group 1
Group ID:1
Group Name:RG1
Administrative State: No Shutdown
Aggregate operational state : Up
My Role: STANDBY
Peer Role: ACTIVE
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-one
RF state: STANDBY HOT
Peer RF state: ACTIVE
R2#
And the last one - the inside interface with a virtual IP:
interface GigabitEthernet0/1
redundancy rii 2 decrement 50
Let’s test it once again:
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Password:
r5>
on R1 I see:
R1#sh policy-map type inspect zone-pair sessions
policy exists on zp OUT->IN
Zone-pair: OUT->IN
Service-policy inspect : TCP-PM
Class-map: TCP-CM (match-all)
Match: protocol tcp
Inspect
Number of Established Sessions = 2
Established Sessions
Session 31300C20 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:39:21, Last heard 00:29:07
Bytes sent (initiator:responder) [37:80]
HA State: ACTIVE, RG ID: 1
Session 31301320 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:54, Last heard 00:00:50
Bytes sent (initiator:responder) [45:86]
HA State: ACTIVE, RG ID: 1
Class-map: class-default (match-any)
Match: any
Drop
2 packets, 16 bytes
and on R2:
R2#sh policy-map type inspect zone-pair sessions
policy exists on zp OUT->IN
Zone-pair: OUT->IN
Service-policy inspect : TCP-PM
Class-map: TCP-CM (match-all)
Match: protocol tcp
Inspect
Number of Established Sessions = 2
Established Sessions
Session 2CC8B220 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT
Created 00:31:38, Last heard never
Bytes sent (initiator:responder) [0:0]
HA State: STANDBY, RG ID: 1
Session 2CC8B920 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:01:54, Last heard never
Bytes sent (initiator:responder) [0:0]
HA State: STANDBY, RG ID: 1
Class-map: class-default (match-any)
Match: any
Drop
3 packets, 24 bytes
As you can see above, next to each session entry you see its HA state: ‘ACTIVE’ or ‘STANDBY’. In some cases you may find that the routing protocol prefers the path via the standby box. You can set the redundancy priority to make sure which of your routers is preferred.
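Before relying on failover it is worth confirming that the session table really is mirrored. The following Python check is an added example of mine (not part of the original post and not a Cisco tool): it parses the two session listings above, using the session and "HA State" line formats shown there, and reports any active session that has no STANDBY copy in the same RG. The sample text is constructed from that format; the function names are my own.

```python
import re

# Session header line and its "HA State" line, as printed by the IOS command.
SESSION_RE = re.compile(
    r"Session \S+ \((?P<src>[\d.]+:\d+)\)=>\((?P<dst>[\d.]+:\d+)\) "
    r"(?P<proto>\w+) (?P<state>\S+)")
HA_RE = re.compile(r"HA State: (?P<ha>\w+), RG ID: (?P<rg>\d+)")

def parse_sessions(output):
    """Map (src, dst, proto) -> {'state', 'ha', 'rg'} for each session entry."""
    sessions, current = {}, None
    for line in output.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = (m["src"], m["dst"], m["proto"])
            sessions[current] = {"state": m["state"], "ha": None, "rg": None}
            continue
        h = HA_RE.search(line)
        if h and current is not None:
            sessions[current].update(ha=h["ha"], rg=int(h["rg"]))
    return sessions

def check_sync(active_out, standby_out):
    """Return findings; an empty list means every session on the active peer
    has a STANDBY copy in the same RG, so a failover would keep it alive."""
    active, standby = parse_sessions(active_out), parse_sessions(standby_out)
    findings = []
    for key, a in active.items():
        if a["ha"] != "ACTIVE":
            findings.append(f"{key}: HA state on active peer is {a['ha']}")
        s = standby.get(key)
        if s is None:
            findings.append(f"{key}: no copy on standby peer")
        elif s["ha"] != "STANDBY" or s["rg"] != a["rg"]:
            findings.append(f"{key}: standby copy is {s['ha']} in RG {s['rg']}")
    return findings

# Constructed sample in the format shown above; the standby mirrors only one session.
ACTIVE_OUT = """\
  Session 31300C20 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT
    HA State: ACTIVE, RG ID: 1
  Session 31301320 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
    HA State: ACTIVE, RG ID: 1
"""
STANDBY_OUT = """\
  Session 2CC8B220 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT
    HA State: STANDBY, RG ID: 1
"""
```

Run `check_sync` on the real outputs of both peers; the session on 4.4.4.4:48870 is reported because the constructed standby listing lacks it.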