Zone-Based Policy Firewall High Availability

Today I’m going to present how to implement a high availability for ZBPF. Below you can see the scenario I work on:

zbpf-ha-2.jpg

As you see I have two routers (R1 and R2) which now operates separately. From R4 we can reach R5 via R1 and R2:

R4#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        4.4.4.0/24 is directly connected, FastEthernet0/0
L        4.4.4.4/32 is directly connected, FastEthernet0/0
R     5.0.0.0/8 [120/1] via 4.4.4.2, 00:00:25, FastEthernet0/0
                [120/1] via 4.4.4.1, 00:00:10, FastEthernet0/0
R4#

I already implemented basic ZBPF:

zone security OUTSIDE
zone security INSIDE
!
zone-pair security OUT->IN source OUTSIDE destination INSIDE
 service-policy type inspect TCP-PM
!
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect TCP-PM
!
!
interface FastEthernet0/0
 zone-member security OUTSIDE
!
interface FastEthernet0/1
 zone-member security INSIDE
!

and inspection of tcp sessions:

class-map type inspect match-all TCP-CM
 match protocol tcp
!
policy-map type inspect TCP-PM
 class type inspect TCP-CM
  inspect
 class class-default
  drop log
!

Let’s test it before I move on:

1) R4 start a telnet session towards R5

R4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Password:
R5>

and on R1 I see this session:

R1#sh policy-map type inspect zone-pair sessions

policy exists on zp OUT->IN
  Zone-pair: OUT->IN

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)
      Match: protocol tcp

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 69131440 (4.4.4.4:25950)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
          Created 00:00:37, Last heard 00:00:35
          Bytes sent (initiator:responder) [31:71]


    Class-map: class-default (match-any)
      Match: any
      Drop
        68 packets, 1984 bytes

policy exists on zp IN->OUT
  Zone-pair: IN->OUT

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)
      Match: protocol tcp

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
R1#

Now it’s time to add the redundancy feature:

!
parameter-map type inspect global
 redundancy
 log dropped-packets enable
!
redundancy
 application redundancy
  group 1
   name RG1
   preempt
   priority 200              <----- on r1 leave the default value 100
   control GigabitEthernet0/0.10 protocol 1
   data GigabitEthernet0/0.10
! 

Now I add the outside interface to the redundancy with a virtual IP:

interface GigabitEthernet0/0
 redundancy rii 1 decrement 50

I need additional interface for internal communication between peers:

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0

When I configure gig0/0.10 interfaces on both switches I can see how the HA status is negotiated:

R1#sh redundancy application group 1
Group ID:1
Group Name:RG1

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: UNKNOWN
Peer Presence: Yes
Peer Comm: No
Peer Progression Started: No

RF Domain: btob-one
         RF state: ACTIVE
         Peer RF state: DISABLED

R1#



*Jan 10 02:20:01.551: %RG_VP-6-BULK_SYNC_DONE: RG group 1 BULK SYNC to standby complete.
*Jan 10 02:20:01.555: %RG_VP-6-STANDBY_READY: RG group 1 Standby router is in SSO state



R1#sh redundancy application group 1
Group ID:1
Group Name:RG1

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
         RF state: ACTIVE
         Peer RF state: STANDBY HOT

R1#


R2#
*Jan 10 01:50:18.363: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Active to Init
R2#
*Jan 10 01:50:28.363: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Init to Standby
R2#
R2#sh redundancy application group 1
Group ID:1
Group Name:RG1

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: STANDBY
Peer Role: ACTIVE
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
         RF state: STANDBY HOT
         Peer RF state: ACTIVE

R2#

And last one - the inside interface with a virtual IP:

interface GigabitEthernet0/1
 redundancy rii 2 decrement 50

Let’s test it once again:

r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Password: 
r5>

on R1 I see:

R1#sh policy-map type inspect zone-pair sessions 

policy exists on zp OUT->IN
  Zone-pair: OUT->IN 

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)  
      Match: protocol tcp

   Inspect

      Number of Established Sessions = 2
      Established Sessions
        Session 31300C20 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:39:21, Last heard 00:29:07
          Bytes sent (initiator:responder) [37:80]
          HA State: ACTIVE, RG ID: 1
        Session 31301320 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB 
          Created 00:00:54, Last heard 00:00:50
          Bytes sent (initiator:responder) [45:86]
          HA State: ACTIVE, RG ID: 1


    Class-map: class-default (match-any)  
      Match: any 
      Drop
        2 packets, 16 bytes

and on R2:

R2#sh policy-map type inspect zone-pair sessions 

policy exists on zp OUT->IN
  Zone-pair: OUT->IN 

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)  
      Match: protocol tcp

   Inspect

      Number of Established Sessions = 2
      Established Sessions
        Session 2CC8B220 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:31:38, Last heard never
          Bytes sent (initiator:responder) [0:0]
          HA State: STANDBY, RG ID: 1
        Session 2CC8B920 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB 
          Created 00:01:54, Last heard never
          Bytes sent (initiator:responder) [0:0]
          HA State: STANDBY, RG ID: 1


    Class-map: class-default (match-any)  
      Match: any 
      Drop
        3 packets, 24 bytes

As you see above next to session entry you see what is the HA state: ‘ACTIVE’ or ‘STANDBY’. In some cases you can find that routing protocol prefers path via the standby box. You can set the priority for redundancy to be sure which one of your routers is preferable.

 
9
Kudos
 
9
Kudos

Now read this

L2 security – DHCP Snooping.

One of the security features that protect DHCP is DHCP Snooping. The main reasons to implement it: Protect the network against rogue DHCP servers Limit number of requests sent by DHCP clients Let’s test DHCP process on below case without... Continue →