Some environments require high reliability, and a single device is a single point of failure, so two or more units need to be used together. Routers, for example, can be configured to work as a group through protocols such as HSRP, VRRP and GLBP. Firewalls are no exception. The principle of failover (FO) is not covered here; if you are interested, you can look it up on the internet. The difficulty of ASA FO lies in the architecture; the configuration itself is quite easy. Under normal circumstances A/S (Active/Standby) mode is used, which is a master-slave mode. A/A (Active/Active) mode is also possible by using virtual firewalls. FO has basic requirements: the hardware, software and licensing of the units need to be exactly the same. Cisco has a dedicated document on this; if they are not the same, an error is reported.
The A/S mode configuration is shown below.
The device is an ASA5510.
Main ASA:
int Ethernet0/0
no sh
int Ethernet0/1
no sh
int e0/2
no sh
int e0/3
no sh
A# sh run | in failover
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover polltime unit msec 500 holdtime 3
failover polltime interface 1 holdtime 5
failover key cisco
failover mac address Ethernet0/0 0018.1900.3000 0018.1900.3001
failover mac address Ethernet0/1 0018.1900.4000 0018.1900.4001
failover mac address Management0/0 0018.1900.6000 0018.1900.6001
failover link state Ethernet0/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip state 192.168.100.1 255.255.255.0 standby 192.168.100.2
Backup ASA configuration:
int Ethernet0/0
no sh
int Ethernet0/1
no sh
exit
A# sh run | in failover
failover
failover lan unit secondary
failover lan interface failover Ethernet0/2
failover polltime unit msec 500 holdtime 3
failover polltime interface 1 holdtime 5
failover key cisco
failover mac address Ethernet0/0 0018.1900.3000 0018.1900.3001
failover mac address Ethernet0/1 0018.1900.4000 0018.1900.4001
failover mac address Management0/0 0018.1900.6000 0018.1900.6001
failover link state Ethernet0/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip state 192.168.100.1 255.255.255.0 standby 192.168.100.2
FA(config)# sh fa
Failover On
Failover unit Primary
Version: Ours 9.1(5), Mate 9.1(5)
Last Failover at: 00:54:51 UTC Jan 1 2003
This host: Primary - Active
Active time: 1387 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 4 (sec)
slot 0: ASA5510 hw/sw rev (.0/9.1() status (Up Sys)
slot 1: empty
As can be seen from the output above, the FO configuration is successful and a master-slave pair has formed: the primary unit is Active and the secondary unit is Standby Ready.
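Because both units must carry the same failover settings apart from the "failover lan unit" line, the two listings above can be compared before the pair is cabled. The following Python check is an added example, not part of the original article or any Cisco tooling; the function names parse and audit_pair are hypothetical, and the sample input is a subset of the failover lines shown above.

```python
import ipaddress
# Failover lines from the listings above (unit primary); sample input for this example.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover key cisco
failover link state Ethernet0/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip state 192.168.100.1 255.255.255.0 standby 192.168.100.2
"""
SECONDARY = PRIMARY.replace("lan unit primary", "lan unit secondary")

def parse(text):
    """Return (unit role, set of the other failover lines, whitespace-normalised)."""
    role, rest = None, set()
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["failover", "lan", "unit"] and len(words) == 4:
            role = words[3]
        elif words[:1] == ["failover"]:
            rest.add(" ".join(words))
    return role, rest

def audit_pair(cfg_a, cfg_b):
    """List findings that would keep the two units from forming an A/S pair."""
    findings = []
    (role_a, lines_a), (role_b, lines_b) = parse(cfg_a), parse(cfg_b)
    if {role_a, role_b} != {"primary", "secondary"}:
        findings.append(f"unit roles are {role_a}/{role_b}, expected primary/secondary")
    for line in sorted(lines_a ^ lines_b):
        # Never echo the shared failover key into a report.
        shown = "failover key <redacted>" if line.split()[1:2] == ["key"] else line
        findings.append(f"only on one unit: {shown}")
    for line in sorted(lines_a | lines_b):
        w = line.split()
        if w[1:3] != ["interface", "ip"]:
            continue
        try:
            # failover interface ip <name> <active> <mask> standby <standby>
            net = ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False)
            if ipaddress.ip_address(w[7]) not in net:
                findings.append(f"{w[3]}: standby {w[7]} outside {net}")
        except (ValueError, IndexError):
            findings.append(f"malformed interface ip line: {line}")
    return findings

if __name__ == "__main__":
    print(audit_pair(PRIMARY, SECONDARY) or "pair is consistent")
```

An empty result means the two units differ only in their role; a netmask typed with a stray space is reported as a malformed line.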