Cisco IOS Firewall Stateful Failover (CCIE Notes)


Stateful failover for the Cisco IOS firewall enables a router to continue processing and forwarding firewall session packets after a planned or unplanned outage occurs.

Stateful failover for the Cisco IOS firewall is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Routing Protocol (HSRP).

Prerequisites:

  • The Cisco IOS firewall configuration that is on the active device must be duplicated on the standby device. The configuration information between the active and standby device is NOT automatically transferred, and the user is responsible for ensuring that the configuration matches on both devices.
  • The devices must be running the same Cisco IOS software.
  • Both routers should be the same type of device, with the same CPU and memory.

Restrictions:

  • Not supported with a Zone-Based Policy Firewall configuration (CBAC only).
  • Asymmetric routing is not supported; design the topology so that both directions of a session traverse the same router.
  • Rate limiting of firewall sessions is not supported on the standby router for sessions that have been failed over.
  • Only TCP and UDP sessions are failed over; ICMP sessions are not failed over to the standby router.

Stateful Failover Architecture:

  • State Synchronization:
    • Tracks the state of the active and standby devices.
    • Periodic updates are sent from the active to the standby for all HA sessions.
    • Updates for a session are sent every 10 seconds (configurable, 10-60 seconds).
  • Bulk Synchronization:
    • Happens when the standby device boots, or when the clear ip inspect ha sessions all command is run on the standby device.
    • If the standby device is configured after the active device already has sessions, only HA sessions created on the active device from that point on are copied to the standby through dynamic synchronization. To copy all currently active sessions from the active to the standby, run clear ip inspect ha sessions all on the standby device.

Cisco Doc Link:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/15-mt/sec-cbac-fw-stateful-fail.html


Configuration:

Configuration for R1 (Active Unit):

! Inspection rule referenced below; the name is a placeholder.
! in_acl is the inbound ACL applied on fa0/0 and is assumed to be defined elsewhere.
!
ip inspect name inspec_rule_name tcp
ip inspect name inspec_rule_name udp
!
! Enable HSRP (the virtual IP must be in the fa0/0 subnet)
!
interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group in_acl in
 standby 1 ip 10.1.1.10
 standby 1 name HA-IN
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 15
 no shut
 exit
!
track 1 interface fa0/1 line-protocol
!
! Enable SSO (the scheme must reference the HSRP group name)
!
redundancy inter-device
 scheme standby HA-IN
 exit
!
! SCTP association that carries the state updates to the peer.
! path-retransmit and assoc-retransmit default to 4.
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1200
    local-ip 10.1.1.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
    exit
   remote-port 1200
    remote-ip 10.1.1.2
    exit
   exit
  exit
 exit
!
! Enable stateful failover: bind the inspection rule to the HSRP group
!
interface fa0/0
 ip inspect inspec_rule_name in redundancy stateful HA-IN
!

Configuration for R2 (Standby Unit):

! Inspection rule referenced below; must match the active unit exactly.
! in_acl is the inbound ACL applied on fa0/0 and is assumed to be defined elsewhere.
!
ip inspect name inspec_rule_name tcp
ip inspect name inspec_rule_name udp
!
! Enable HSRP (same group and virtual IP as the active unit, lower priority)
!
interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip access-group in_acl in
 standby 1 ip 10.1.1.10
 standby 1 name HA-IN
 standby 1 priority 100
 standby 1 track 1 decrement 15
 no shut
 exit
!
track 1 interface fa0/1 line-protocol
!
! Enable SSO
!
redundancy inter-device
 scheme standby HA-IN
 exit
!
! SCTP association: local and remote endpoints mirror the active unit.
! path-retransmit and assoc-retransmit default to 4.
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1200
    local-ip 10.1.1.2
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
    exit
   remote-port 1200
    remote-ip 10.1.1.1
    exit
   exit
  exit
 exit
!
! Enable stateful failover
!
interface fa0/0
 ip inspect inspec_rule_name in redundancy stateful HA-IN
!
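The prerequisite above that the firewall configuration be duplicated by hand, together with the HSRP, SSO and SCTP wiring in the two fragments, fails silently when the two units drift apart. The following Python script is an added example, not part of the original post and not a Cisco tool: given two saved running-configs it checks that the inspection rules and ACLs are identical, that `redundancy stateful` and `scheme standby` name an HSRP group that actually exists on the unit, and that the SCTP association is mirrored (each side's local endpoint is the other's remote endpoint). The embedded configs are constructed from the R1/R2 fragments above, with two mistakes planted on the standby: a missing UDP inspection line and a scheme that names a group that is not configured.

```python
import re
from typing import List, Optional, Set

# Constructed sample configs (not from real devices), modelled on R1/R2 above.
# Leading spaces carry IOS sub-mode nesting. Two mistakes are planted on the
# standby: the UDP inspection line is missing, and the SSO scheme names a
# group (HA-OUT) that is not configured on the interface.
R1_CONFIG = """\
ip inspect name FW tcp
ip inspect name FW udp
ip access-list extended in_acl
 permit tcp any any eq 443
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW in redundancy stateful HA-IN
 standby 1 ip 10.1.1.10
 standby 1 name HA-IN
redundancy inter-device
 scheme standby HA-IN
ipc zone default
 association 1
  protocol sctp
   local-port 1200
    local-ip 10.1.1.1
   remote-port 1200
    remote-ip 10.1.1.2
"""
R2_CONFIG = """\
ip inspect name FW tcp
ip access-list extended in_acl
 permit tcp any any eq 443
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip inspect FW in redundancy stateful HA-IN
 standby 1 ip 10.1.1.10
 standby 1 name HA-IN
redundancy inter-device
 scheme standby HA-OUT
ipc zone default
 association 1
  protocol sctp
   local-port 1200
    local-ip 10.1.1.2
   remote-port 1200
    remote-ip 10.1.1.1
"""

def parse_blocks(cfg: str) -> List[tuple]:
    """Split a config into (top-level command, [sub-mode lines]) pairs."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def policy_lines(cfg: str) -> Set[str]:
    """Inspection rules and ACLs, which must be identical on both units;
    sub-mode entries are keyed by their parent so ACL bodies compare too."""
    out: Set[str] = set()
    for head, children in parse_blocks(cfg):
        if head.startswith(("ip inspect name ", "ip access-list ", "access-list ")):
            out.add(head)
            out.update(f"{head} | {c}" for c in children)
    return out

def first(pattern: str, cfg: str) -> Optional[str]:
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_pair(active: str, standby: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    a_pol, s_pol = policy_lines(active), policy_lines(standby)
    findings += [f"policy only on active: {l}" for l in sorted(a_pol - s_pol)]
    findings += [f"policy only on standby: {l}" for l in sorted(s_pol - a_pol)]
    for label, cfg in (("active", active), ("standby", standby)):
        groups = set(re.findall(r"^\s*standby \d+ name (\S+)", cfg, re.M))
        refs = set(re.findall(r"^\s*ip inspect \S+ (?:in|out) redundancy stateful (\S+)", cfg, re.M))
        for ref in sorted(refs - groups):
            findings.append(f"{label}: redundancy stateful {ref} names no HSRP group {sorted(groups)}")
        scheme = first(r"^\s*scheme standby (\S+)", cfg)
        if scheme not in groups:
            findings.append(f"{label}: scheme standby {scheme} does not match an HSRP group {sorted(groups)}")
    # The SCTP association must be mirrored: my local endpoint is the peer's remote one.
    ep = {k: (first(rf"^\s*{k} (\S+)", active), first(rf"^\s*{k} (\S+)", standby))
          for k in ("local-ip", "remote-ip", "local-port", "remote-port")}
    if ep["local-ip"][0] != ep["remote-ip"][1] or ep["remote-ip"][0] != ep["local-ip"][1]:
        findings.append("SCTP association: local/remote IPs are not mirrored")
    if ep["local-port"][0] != ep["remote-port"][1] or ep["remote-port"][0] != ep["local-port"][1]:
        findings.append("SCTP association: local/remote ports are not mirrored")
    return findings

if __name__ == "__main__":
    for line in check_pair(R1_CONFIG, R2_CONFIG) or ["OK: configurations are consistent"]:
        print(line)
```

On real devices, feed `check_pair()` the text of `show running-config` from each unit; the parser keys sub-mode lines on indentation, so no cleanup of the captured output is needed. The SCTP check is deliberately strict about ports: the HA association on each side must use the peer's `remote-port` as its `local-port`, which the two fragments above satisfy by using 1200 on both ends.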

Additional commands to tune the stateful firewall settings:

! Configure the HA update interval in seconds (default 10, range 10-60)
!
ip inspect redundancy update seconds [10-60]
!
! Maintaining the firewall stateful failover.
! Run on the standby unit, "sessions all" forces a bulk sync of every
! current session from the active unit; "statistics" clears the HA counters.
!
clear ip inspect ha {sessions all | statistics}

Verification:

show ip inspect ha {sessions [detail] | statistics} 
show redundancy inter-device
show redundancy states
show standby brief
debug standby terse
debug redundancy inter-device

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security
