Cisco PIX 525 Especificaciones Pagina 141
- Pagina / 604
- Tabla de contenidos
- SOLUCIÓN DE PROBLEMAS
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
11-9
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 11 Configuring Failover
Understanding Failover
Active/Active Failover
This section describes Active/Active failover. This section includes the following topics:
• Active/Active Failover Overview, page 11-9
• Primary/Secondary Status and Active/Standby Status, page 11-9
• Device Initialization and Configuration Synchronization, page 11-10
• Command Replication, page 11-10
• Failover Triggers, page 11-11
• Failover Actions, page 11-11
Active/Active Failover Overview
Active/Active failover is only available to security appliances in multiple context mode. In an
Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups.
A failover group is simply a logical group of one or more security contexts. You can create a maximum
of two failover groups on the security appliance. The admin context is always a member of failover
group 1, and any unassigned security contexts are also members of failover group 1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring,
failover, and active/standby status are all attributes of a failover group, rather than the unit. When an
active failover group fails, it changes to the standby state while the standby failover group becomes
active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the
interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby
state take over the standby MAC and IP addresses.
Note A failover group failing on a unit does not mean that the unit has failed. The unit may still have another
failover group passing traffic on it.
When creating the failover groups, you should create them on the unit that will have failover group 1 in
the active state.
Note Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you
have more than one Active/Active failover pair on the same network, it is possible to have the same
default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of
the other pairs because of the way the default virtual MAC addresses are determined. To avoid having
duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active
and standby MAC address.
Primary/Secondary Status and Active/Standby Status
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit,
and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate
which unit becomes active when both units start simultaneously. Instead, the primary/secondary
designation determines which unit provides the running configuration to the pair and on which unit each
failover group appears in the active state when both start simultaneously.
- Configuration Guide 1
- CONTENTS 3
- 2 Getting Started 2-1 4
- 9 Configuring IPv6 9-1 6
- 11 Configuring Failover 11-1 7
- 2 Configuring the Firewall 9
- 14 Applying NAT 14-1 10
- Contents 11
- OL-6721-01 11
- 20 Applying QoS Policies 20-1 13
- 3 Configuring VPN 16
- 4 System Administration 19
- B Sample Configurations B-1 21
- About This Guide 23
- Related Documentation 24
- Document Organization 24
- Part 3: Configuring VPN 25
- Document Conventions 26
- Obtaining Documentation 27
- Documentation Feedback 27
- Submitting a Service Request 28
- Firewall Functional Overview 33
- Security Policy Overview 34
- Stateful Inspection Overview 36
- VPN Functional Overview 37
- Security Context Overview 37
- Security Context Overview 38
- Getting Started 39
- Saving Configuration Changes 41
- Viewing the Configuration 41
- Interface.” 43
- Unsupported Features 46
- Context Configuration Files 46
- Shared Interface Guidelines 51
- Cascading Security Contexts 53
- Restoring Single Context Mode 55
- Configuring Ethernet Settings 57
- Configuring Subinterfaces 58
- Configuring Subinterfaces 60
- Removing a Security Context 65
- Changing the Admin Context 65
- Reloading a Security Context 67
- Monitoring Security Contexts 68
- Viewing Resource Usage 69
- Security Level Overview 71
- Configuring the Interface 72
- Security Level 74
- Configuring Basic Settings 77
- Setting the Hostname 78
- Setting the Domain Name 78
- Setting the Date and Time 78
- Configuring a Static Route 84
- Configuring OSPF 85
- OSPF Overview 86
- Enabling OSPF 87
- Adding a Route Map 88
- Configuring OSPF NSSA 93
- Generating a Default Route 95
- Monitoring OSPF 97
- Restarting the OSPF Process 97
- Configuring RIP 98
- Configuring Multicast Routing 99
- Enabling Multicast Routing 100
- Configuring IGMP Features 100
- Configuring Group Membership 101
- Changing the IGMP Version 103
- Configuring PIM Features 104
- Configuring DHCP 106
- Configuring DHCP Options 108
- Configuring the DHCP Client 110
- Configuring IPv6 111
- Configuring IPv6 Access Lists 114
- The show ipv6 route Command 116
- IPv6 Configuration Example 117
- AAA Overview 119
- About Authentication 120
- About Authorization 120
- About Accounting 120
- Summary of Support 121
- RADIUS Server Support 122
- TACACS+ Server Support 123
- SDI Server Support 124
- NT Server Support 125
- Kerberos Server Support 125
- LDAP Server Support 126
- Local Database Support 126
- Fallback Support 127
- Configuring Failover 133
- Failover System Requirements 134
- The Failover and State Links 135
- State Link 136
- Active/Standby Failover 137
- Understanding Failover 138
- Command Replication 139
- Failover Triggers 140
- Failover Actions 140
- Active/Active Failover 141
- Regular and Stateful Failover 145
- Failover Health Monitoring 146
- Prerequisites 148
- Configuring the Primary Unit 150
- Configuring Failover Criteria 154
- Configure the Primary Unit 157
- Configure the Secondary Unit 159
- Figure 11-1 ASR Example 163
- Configuring Failover 164
- Show Failover—Active/Active 169
- Viewing Monitored Interfaces 173
- Forcing Failover 174
- Disabling Failover 175
- Monitoring Failover 175
- Debug Messages 176
- Configuring the Firewall 185
- Firewall Mode Overview 187
- IP Routing Support 188
- Network Address Translation 188
- Routed Mode Overview 189
- Figure 12-2 Inside to Outside 190
- Transparent Mode Overview 194
- Transparent Firewall Features 195
- Transparent Mode Overview 196
- Access List Overview 203
- Access List Types and Uses 204
- Access List Overview 206
- VPN Access (Extended) 207
- Access List Guidelines 208
- Access Control Implicit Deny 209
- Adding a Standard Access List 215
- Adding Object Groups 216
- Adding a Network Object Group 217
- Adding a Service Object Group 217
- Nesting Object Groups 219
- Displaying Object Groups 221
- Removing Object Groups 221
- Time Range Options 222
- Logging Access List Activity 222
- Access List Logging Overview 223
- access_list_name 224
- Managing Deny Flows 225
- Applying NAT 227
- Introduction to NAT 228
- NAT Control 229
- Chapter 14 Applying NAT 230
- NAT Overview 230
- NAT Types 231
- Static NAT 233
- Static PAT 233
- Figure 14-7 Static PAT 234
- Policy NAT 235
- Mapped Address Guidelines 239
- DNS and NAT 240
- Configuring NAT Control 241
- Using Dynamic NAT and PAT 242
- Global 2: 209.165.201.11 245
- NAT 2: 192.168.1.0/24 245
- Figure 14-19 Dynamic NAT 248
- Figure 14-20 Dynamic PAT 248
- Using Static NAT 251
- Using Static PAT 252
- Bypassing NAT 255
- 209.165.201.1 209.165.201.1 256
- Inside Outside 256
- 209.165.201.2 209.165.201.2 256
- Security 256
- Appliance 256
- Configuring NAT Exemption 257
- NAT Examples 258
- Overlapping Networks 259
- Redirecting Ports 260
- NAT Examples 262
- AAA Performance 269
- Authentication Overview 270
- Applying Filtering Services 281
- Filtering ActiveX Objects 282
- Filtering Java Applets 283
- Filtering Overview 284
- General Procedure 285
- Filtering HTTP URLs 287
- Filtering HTTPS URLs 288
- Filtering FTP Requests 289
- Viewing Caching Statistics 291
- Overview 293
- Class Map Example 296
- Policy Map Procedure 297
- Policy Map Examples 298
- Restrictions 299
- Action Order 301
- Advanced Options 302
- Types of Direction Policies 303
- Implicit Direction Policies 303
- Examples 303
- Service Policy and NAT 306
- Configuring TCP Normalization 310
- Preventing IP Spoofing 311
- Configuring the Fragment Size 313
- Blocking Unwanted Connections 313
- Applying QoS Policies 315
- QoS Concepts 316
- Identifying Traffic for QoS 317
- Classifying Traffic for QoS 318
- Defining a QoS Policy Map 320
- Applying Rate Limiting 320
- Verifying QoS Statistics 322
- Activating the Service Policy 323
- Applying Low Latency Queueing 323
- Configuring Priority Queuing 324
- Sizing the Priority Queue 324
- Reducing Queue Latency 324
- Viewing QoS Statistics 325
- How Inspection Engines Work 328
- Supported Protocols 329
- Managing CTIQBE Inspection 336
- Managing FTP Inspection 340
- Configuring FTP Inspection 341
- Managing GTP Inspection 345
- Managing H.323 Inspection 350
- Limitations and Restrictions 351
- Monitoring H.225 Sessions 354
- Monitoring H.245 Sessions 355
- Monitoring H.323 RAS Sessions 355
- Managing HTTP Inspection 356
- Managing MGCP Inspection 359
- MGCP Inspection Overview 360
- Managing MGCP Inspection 361
- Managing RTSP Inspection 365
- RTSP Inspection Overview 366
- Using RealPlayer 366
- Restrictions and Limitations 367
- Managing SIP Inspection 369
- SCCP Inspection Overview 373
- Supporting Cisco IP Phones 374
- Managing SNMP Inspection 379
- SNMP Inspection Overview 380
- Parameters 383
- Adding a Static ARP Entry 384
- Enabling ARP Inspection 384
- MAC Address Table Overview 385
- Adding a Static MAC Address 385
- Viewing the MAC Address Table 386
- Configuring VPN 387
- Configuring IPSec and ISAKMP 389
- IPSec Overview 390
- Configuring ISAKMP 390
- ISAKMP Overview 391
- Configuring ISAKMP Policies 392
- Enabling IPSec over NAT-T 395
- Enabling IPSec over TCP 395
- Configuring IPSec 399
- Understanding Transform Sets 400
- Defining Crypto Maps 400
- Using Interface Access Lists 401
- Configuring IPSec 402
- Changing IPSec SA Lifetimes 403
- Using Dynamic Crypto Maps 406
- Configuring Client Update 412
- Configuring Client Update 414
- • Group Policies, page 25-10 415
- Tunnel Groups 416
- IPSec Connection Parameters 417
- Configuring Tunnel Groups 418
- Group Policies 424
- Default Group Policy 425
- Configuring Group Policies 426
- ACL name 428
- Configuring Users 440
- Configuring Specific Users 441
- Configuring User Attributes 442
- Configuring Users 446
- Configuring AAA Addressing 448
- Configuring DHCP Addressing 449
- Summary of the Configuration 451
- Configuring Interfaces 452
- Outside Interface 453
- Configuring an Address Pool 454
- Adding a User 454
- Creating a Transform Set 454
- Defining a Tunnel Group 455
- Step 4 Save your changes 456
- Step 3 Save your changes 456
- Configuring LAN-to-LAN VPNs 459
- Configuring an ACL 462
- Step 2 Save your changes 465
- Configuring Certificates 467
- Certificate Scalability 468
- About Key Pairs 468
- About Trustpoints 469
- About CRLs 469
- Certificate Configuration 470
- Configuring Key Pairs 471
- Configuring Trustpoints 472
- Obtaining Certificates 474
- [ certificate data omitted ] 476
- [ PKCS12 data omitted ] 480
- System Administration 483
- Managing System Access 485
- Allowing SSH Access 486
- Using an SSH Client 487
- Changing the Login Password 487
- Recovering from a Lockout 499
- Configuring a Login Banner 500
- Configurations 501
- Entering a New Activation Key 502
- Installation Overview 502
- Viewing Files in Flash Memory 502
- Backing Up the Configuration 506
- Using System Log Messages 509
- Using SNMP 509
- Enabling SNMP 511
- Testing Your Configuration 512
- Performing Password Recovery 517
- Other Troubleshooting Tools 519
- Common Problems 520
- Supported Platforms 523
- Platform Feature Licenses 523
- Platform Feature Licenses 524
- VPN Specifications 526
- Cryptographic Standards 527
- VPN Specifications 528
- Sample Configurations 529
- Figure B-2 Example 2 534
- Figure B-3 Example 3 536
- APPENDIX 545
- Command Modes and Prompts 546
- Syntax Formatting 547
- Abbreviating Commands 547
- Command-Line Editing 547
- Command Completion 547
- Command Help 548
- Filtering show Command Output 548
- Command Output Paging 549
- Adding Comments 549
- Text Configuration Files 550
- Line Order 551
- Passwords 551
- Text Configuration Files 552
- Private Networks 554
- Subnet Masks 554
- Determining the Subnet Mask 555
- Class C-Size Network Address 556
- Class B-Size Network Address 556
- IPv6 Addresses 557
- IPv6 Address Types 558
- Global Address 559
- Site-Local Address 559
- Link-Local Address 559
- Unspecified Address 560
- Loopback Address 560
- Interface Identifiers 560
- Multicast Address 560
- Anycast Address 561
- IPv6 Address Prefixes 562
- Protocols and Applications 563
- TCP and UDP Ports 564
- TCP and UDP Ports 565
- Local Ports and Protocols 566
- ICMP Types 567
- ICMP Types 568
- Numerics 569
- Glossary 570
© 2020, manymanuals.es. Todos los derechos reservados | 0.023 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales