Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
In mission-critical data centers, you may
want both Layer 3 HA firewalls to participate in path monitoring
so that they can detect path failures upstream from both firewalls.
Additionally, you prefer to control if and when the floating IP
address returns to the recovered firewall after it comes back up,
rather than the floating IP address returning to the device ID to
which it is bound. (That default behavior is described in Floating
IP Address and Virtual MAC Address.)
In this use case,
you control when the floating IP address and therefore the active-primary
role move back to a recovered HA peer. The active/active HA firewalls
share a single floating IP address that you bind to whichever firewall
is in the active-primary state. With only one floating IP address,
network traffic flows predominantly to a single firewall, so this
active/active deployment functions like an active/passive deployment.
In
this use case, Cisco Nexus 7010 switches with virtual PortChannels
(vPCs) operating in Layer 3 connect to the firewalls. You must configure
the Layer 3 switches (router peers) north and south of the firewalls
with a route preference to the floating IP address. That is, you
must design your network so the route tables of the router peers
have the best path to the floating IP address. This example uses
static routes with the proper metrics so that the route to the floating
IP address uses a lower metric (the route to the floating IP address
is preferred) and receives the traffic. An alternative to using
static routes would be to design the network to redistribute the
floating IP address into the OSPF routing protocol (if you are using
OSPF).
The following topology illustrates the floating IP
address bound to the active-primary firewall, which is initially
Peer A, the firewall on the left.
Upon a
failover, when the active-primary firewall (Peer A) goes down and
the active-secondary firewall (Peer B) takes over as the active-primary
peer, the floating IP address moves to Peer B (shown in the following
figure). Peer B remains the active-primary firewall and traffic
continues to go to Peer B, even when Peer A recovers and
becomes the active-secondary firewall. You decide if and when to
make Peer A the active-primary firewall again.
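The failback decision described above is manual when preemption is disabled, so an operator needs a way to notice that the preferred peer has recovered but is still only active-secondary. The following Python check is an added example (not code from the PAN-OS documentation or product): it parses a constructed HA-state response modelled on the output of the `show high-availability state` operational command; the element names and the sample XML are assumptions, not copied from a live firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a "show high-availability state" response
# from the PAN-OS XML API. Element names are assumptions for this example.
SAMPLE_STATE_XML = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Active</mode>
    <local-info>
      <state>active-secondary</state>
      <preemptive>no</preemptive>
    </local-info>
    <peer-info>
      <state>active-primary</state>
    </peer-info>
  </group>
</result></response>"""


def parse_ha_state(xml_text):
    """Return (local_state, peer_state, preemptive) from a state response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    group = root.find("./result/group")
    if group is None:
        raise ValueError("HA not enabled or no group element in response")
    local = group.findtext("local-info/state", default="unknown")
    peer = group.findtext("peer-info/state", default="unknown")
    preempt = group.findtext("local-info/preemptive", default="no") == "yes"
    return local, peer, preempt


def failback_pending(xml_text, local_is_preferred_primary=True):
    """True when the preferred peer has recovered but is only active-secondary.

    With preemption disabled, the floating IP address stays on the peer that
    took over, so this flag tells the operator that a manual failback is
    waiting for a convenient maintenance window.
    """
    local, peer, preempt = parse_ha_state(xml_text)
    if preempt:
        return False  # the firewall will reclaim the role on its own
    recovered = local == "active-secondary" and peer == "active-primary"
    return local_is_preferred_primary and recovered
```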
Binding
the floating IP address to the active-primary firewall provides
you with more control over how the firewalls determine floating
IP address ownership as they move between various HA
Firewall States. The following advantages result:
You
can have an active/active HA configuration for path monitoring out
of both firewalls, but have the firewalls function like an active/passive
HA configuration because traffic directed to the floating IP address
always goes to the active-primary firewall.
When
you disable preemption on both firewalls, you have the following
additional benefits:
The floating IP address does
not move back and forth between HA firewalls if the active-secondary
firewall flaps up and down.
You can review the functionality of the recovered firewall
and the adjacent components before manually directing traffic to
it again, which you can do at a convenient down time.
You have control over which firewall owns the floating IP
address so that you keep all flows of new and existing sessions
on the active-primary firewall, thereby minimizing traffic on the
HA3 link.
We strongly
recommend that you configure HA link monitoring on the interface(s)
that support the floating IP address(es) so that each HA peer can
quickly detect a link failure and fail over to its peer. Both HA
peers must have link monitoring configured for it to function.
We strongly recommend you configure HA path monitoring to notify
each HA peer when a path has failed so a firewall can fail over
to its peer. Because the floating IP address is always bound to
the active-primary firewall, the firewall cannot automatically fail
over to the peer when a path goes down and path monitoring is not
enabled.
You cannot configure NAT for a
floating IP address that is bound to an active-primary firewall.
The
firewall that is in active-primary state is the session owner.
Alternatively, for Session Owner Selection you can select First Packet,
and then for Session Setup, select Primary Device or First Packet.
For Session Setup, select Primary Device—The active-primary firewall sets up all sessions.
This is the recommended setting if you want your active/active configuration
to behave like an active/passive configuration because it keeps
all activity on the active-primary firewall.
You must also engineer your network to eliminate
the possibility of asymmetric traffic going to the HA pair. If you
don’t do so and traffic goes to the active-secondary firewall, setting
Session Owner Selection and Session Setup to Primary Device
causes the traffic to traverse HA3 to get to
the active-primary firewall for session ownership and session setup.
Click OK.
Configure an HA virtual address.
Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
Enter or select an Interface.
Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
For Type, select Floating, which configures the virtual IP address to be a floating IP address.
Click OK.
Bind the floating IP address to the active-primary firewall.
Select Floating IP bound to the Active-Primary device.
Select Failover address if link state is down to cause the firewall to use the failover address
when the link state on the interface is down.