Table of Contents
Advertisement
Quick Links
7000 and 8000 Series Device High Availability
The following topics describe how to configure high availability for Firepower 7000 Series and 8000 Series
devices in the Firepower System:
•
•
•
•
•
•
•
•
•
•
•
•
About 7000 and 8000 Series Device High Availability
With 7000 and 8000 Series device high availability, you can establish redundancy of networking functionality
and configuration data between two peer devices or two peer device stacks.
You achieve configuration redundancy by configuring two peer devices or two peer device stacks into a
high-availability pair to act as a single logical system for policy deploys, system updates, and registration.
The system automatically synchronizes other configuration data.
Note
Static routes, non-SFRP IP addresses, and routing priorities are not synchronized between the peer devices
or peer device stacks. Each peer device or peer device stack maintains its own routing intelligence.
Related Topics
Establishing Device High Availability, on page 6
Editing Device High Availability, on page 7
Device High Availability State Sharing, on page 11
Separating Device High-Availability Pairs, on page 17
SFRP
Advanced Virtual Switch Settings
7000 and 8000 Series Device High Availability
1
Advertisement
Table of Contents
Related Manuals for Cisco FirePOWER 7000
Summary of Contents for Cisco FirePOWER 7000
-
Page 1: Table Of Contents
7000 and 8000 Series Device High Availability The following topics describe how to configure high availability for Firepower 7000 Series and 8000 Series devices in the Firepower System: • About 7000 and 8000 Series Device High Availability, on page 1 •... - Page 2 Caution Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices.
- Page 3 7000 and 8000 Series Device High Availability Configuration Deployment and Upgrade Behavior for High-Availability Pairs Automatic failover occurs after the health of the active device or stack becomes compromised, during a system update, or after a user with Administrator privileges shuts down the device. Automatic failover also occurs after an active device or device stack experiences NMSB failure, NFE failure, hardware failure, firmware failure, critical process failure, a disk full condition, or link failure between two stacked devices.
- Page 4 Note You can achieve Layer 3 redundancy without using device high availability by using the Cisco Redundancy Protocol (SFRP). SFRP allows devices to act as redundant gateways for specified IP addresses. With network redundancy, you configure two devices or stacks to provide identical network connections, ensuring connectivity for other hosts on the network.
- Page 5 Two devices connected to the same broadcast network receive traffic based on the topology calculated by STP. Note Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy in a 7000 or 8000 Series device high-availability pair. Related Topics...
-
Page 6: Establishing Device High Availability
7000 and 8000 Series Device High Availability Establishing Device High Availability Related Topics SFRP Advanced Virtual Switch Settings Establishing Device High Availability Smart License Classic License Supported Devices Supported Domains Access Control 7000 & 8000 Series Admin/Network Admin Note This procedure describes establishing a 7000 & 8000 Series device high-availability pair. For information on establishing Firepower Threat Defense high availability, see Add a Firepower Threat Defense High Availability Pair. -
Page 7: Editing Device High Availability
7000 and 8000 Series Device High Availability Editing Device High Availability Editing Device High Availability Smart License Classic License Supported Devices Supported Domains Access Control 7000 & 8000 Series Leaf only Admin/Network Admin After you establish a 7000 or 8000 Series device high-availability pair, most changes you make to the device configuration also change the configuration of the whole high-availability pair. -
Page 8: Configuring Individual Device Stacks In A High-Availability Pair
7000 and 8000 Series Device High Availability Configuring Individual Device Stacks in a High-Availability Pair Step 5 Use the sections on the Devices page to make changes to the individual paired device as you would a single device. Configuring Individual Device Stacks in a High-Availability Pair Smart License Classic License Supported Devices... -
Page 9: Switching The Active Peer In A Device High-Availability Pair
7000 and 8000 Series Device High Availability Switching the Active Peer in a Device High-Availability Pair You can configure interfaces on individual devices in a 7000 or 8000 Series device high-availability pair. However, you must also configure an equivalent interface on the peer device in the pair. For paired stacks, you configure identical interfaces on the primary devices of the stacks. -
Page 10: Placing A High-Availability Peer Into Maintenance Mode
7000 and 8000 Series Device High Availability Placing a High-Availability Peer into Maintenance Mode Placing a High-Availability Peer into Maintenance Mode Smart License Classic License Supported Devices Supported Domains Access Control 7000 & 8000 Series Admin/Network Admin After you establish a 7000 or 8000 Series device high-availability pair, you can manually trigger failover by placing one of the peers into maintenance mode to perform maintenance on the devices. -
Page 11: Device High Availability State Sharing
7000 and 8000 Series Device High Availability Device High Availability State Sharing Procedure Step 1 Choose Devices > Device Management. Step 2 Next to the stack member you want to place into maintenance mode, click the toggle maintenance mode icon Step 3 Click Yes to confirm maintenance mode. - Page 12 7000 and 8000 Series Device High Availability Device High Availability State Sharing having to reestablish the connection, even if strict TCP enforcement is enabled. You can enable strict TCP enforcement on inline sets, virtual routers, and virtual switches. Unidirectional Access Control Rules If you have configured unidirectional access control rules, network traffic may match a different access control rule than intended when the system reevaluates a connection midstream after failover.
- Page 13 Decrease the state sharing values to improve paired peer readiness, or increase the values to allow better performance. Note Cisco recommends that you use the default values, unless your deployment presents a good reason to change them. Step 6 Click OK to save your changes.
-
Page 14: Device High Availability State Sharing Statistics For Troubleshooting
7000 and 8000 Series Device High Availability Device High Availability State Sharing Statistics for Troubleshooting Device High Availability State Sharing Statistics for Troubleshooting The sections below describe the statistics you can view for each device and how you can use them to troubleshoot your state sharing configuration for 7000 and 8000 Series device high-availability pairs. - Page 15 7000 and 8000 Series Device High Availability Device High Availability State Sharing Statistics for Troubleshooting Protocol Bytes Received Protocol bytes received are the number of bytes of protocol overhead received, which includes everything but the payload of session state synchronization messages. The value should be close to the number of bytes sent by the peer.
- Page 16 7000 and 8000 Series Device High Availability Viewing Device High Availability State Sharing Statistics Recent Logs The system log displays the most recent high availability synchronization messages. The log should not display any ERROR or WARN messages. It should remain comparable between the peers, such as the same number of sockets being connected.
-
Page 17: Separating Device High-Availability Pairs
7000 and 8000 Series Device High Availability Separating Device High-Availability Pairs Separating Device High-Availability Pairs Smart License Classic License Supported Devices Supported Domains Access Control 7000 & 8000 Series Admin/Network Admin When you separate, or "break," a 7000 or 8000 Series device high-availability pair: •... - Page 18 7000 and 8000 Series Device High Availability Separating Device High-Availability Pairs 7000 and 8000 Series Device High Availability...