Cisco FirePOWER 7000 Скачать руководство пользователя страница 11 | Manualshive

Страница: 11 / 18

background image

Procedure

Step 1

Choose

Devices

>

Device Management

.

Step 2

Next to the stack member you want to place into maintenance mode, click the toggle maintenance mode icon

(

).

Step 3

Click

Yes

to confirm maintenance mode.

Step 4

Click the replace device icon (

).

Step 5

Choose the

Replacement Device

from the drop-down list.

Step 6

Click

Replace

to replace the device.

Step 7

Click the toggle maintenance mode icon (

) again to bring the stack immediately out of maintenance mode.

You do not need to re-deploy the device configuration.

Note

Device High Availability State Sharing

Device high availability state sharing allows devices or stacks in high-availability pairs to synchronize as
much state as necessary, so that if either device or stack fails, the other peer can take over with no interruption
to traffic flow. Without state sharing, the following features may not fail over properly:

• Strict TCP enforcement

• Unidirectional access control rules

• Blocking persistence

Note, however, that enabling state sharing slows system performance.

You must configure and enable HA link interfaces on both devices or the primary stacked devices in the
high-availability pair before you can configure high availability state sharing. Firepower 82xx Family and
83xx Family devices require a 10G HA link, while other model devices require a 1G HA link.

You must disable state sharing before you can modify the HA link interfaces.

If paired devices fail over, the system terminates all existing SSL-encrypted sessions on the active device.
Even if you establish high availability state sharing, these sessions must be renegotiated on the standby device.
If the server establishing the SSL session supports session reuse and the standby device does not have the
SSL session ID, it cannot renegotiate the session.

Note

Strict TCP Enforcement

When you enable strict TCP enforcement for a domain, the system drops any packets that are out of order on
TCP sessions. For example, the system drops non-SYN packets received on an unestablished connection.
With state sharing, devices in the high-availability pair allow TCP sessions to continue after failover without

7000 and 8000 Series Device High Availability

11

7000 and 8000 Series Device High Availability

Device High Availability State Sharing

«
...
9
10
11
12
13
...
»

Содержание FirePOWER 7000

Страница 1: ...ility State Sharing on page 11 Device High Availability State Sharing Statistics for Troubleshooting on page 14 Separating Device High Availability Pairs on page 17 About 7000 and 8000 Series Device High Availability With 7000 and 8000 Series device high availability you can establish redundancy of networking functionality and configuration data between two peer devices or two peer device stacks Y...

Страница 2: ...r 8290 with another 8290 None one or all devices in either stack might have a malware storage pack Do not attempt to install a hard drive that was not supplied by Cisco in your device Installing an unsupported hard drive may damage the device Malware storage pack kits are available for purchase only from Cisco and are for use only with 8000 Series devices Contact Support if you require assistance ...

Страница 3: ...hanges to the members of a high availability pair at the same time Deploy either succeeds or fails for both peers The Firepower Management Center deploys to the active device if that succeeds then changes are deployed to the standby When you deploy resource demands may result in a small number of packets dropping without inspection Additionally deploying some configurations restarts the Snort proc...

Страница 4: ...ts Inline Deployment Redundancy Because an inline set has no control over the routing of the packets being passed through it it must always be active in a deployment Therefore redundancy relies on external systems to route traffic correctly You can configure redundant inline sets with or without 7000 or 8000 Series device high availability To deploy redundant inline sets you configure the network ...

Страница 5: ...pletes the high availability pair and sets it to a normal status After you establish a high availability pair the system treats the peer devices or stacks as a single device on the Device Management page Device high availability pairs display the High Availability icon in the appliance list Any configuration changes you make are synchronized between the paired devices The Device Management page di...

Страница 6: ...s in a high availability pair must belong to the same domain Before you begin Confirm that all requirements are met see Device High Availability Requirements on page 2 Procedure Step 1 Choose Devices Device Management Step 2 From the Add drop down menu choose Add High Availability Step 3 Enter a Name Step 4 Under Device Type choose Firepower Step 5 Assign roles for the devices or stacks a Choose t...

Страница 7: ...ns on the High Availability page to make changes to the high availability pair configuration as you would a single device configuration Configuring Individual Devices in a High Availability Pair Access Supported Domains Supported Devices Classic License Smart License Admin Network Admin Leaf only 7000 8000 Series Control N A After you establish a 7000 or 8000 Series device high availability pair y...

Страница 8: ... 8 Procedure Step 1 Choose Devices Device Management Step 2 Next to the device high availability pair where you want to edit the configuration click the edit icon In a multidomain deployment if you are not in a leaf domain the system prompts you to switch Step 3 Click the Stacks tab Step 4 From the Selected Device drop down list choose the stack you want to modify Step 5 Next to the General sectio...

Страница 9: ...modify Step 5 Configure interfaces as you would on an individual device Related Topics Virtual Router Configuration Switching the Active Peer in a Device High Availability Pair Access Supported Domains Supported Devices Classic License Smart License Admin Network Admin Any 7000 8000 Series Control N A After you establish a 7000 or 8000 Series device high availability pair you can manually switch t...

Страница 10: ...es Device Management Step 2 Next to the peer you want to place in maintenance mode click the toggle maintenance mode icon Step 3 Click Yes to confirm maintenance mode What to do next When maintenance is complete click the toggle maintenance mode icon again to bring the peer out of maintenance mode Replacing a Device in a Stack in a High Availability Pair Access Supported Domains Supported Devices ...

Страница 11: ...t configure and enable HA link interfaces on both devices or the primary stacked devices in the high availability pair before you can configure high availability state sharing Firepower 82xx Family and 83xx Family devices require a 10G HA link while other model devices require a 1G HA link You must disable state sharing before you can modify the HA link interfaces If paired devices fail over the s...

Страница 12: ...h state sharing the system immediately blocks the connection on the peer device or stack as well When establishing state sharing for a high availability pair you can configure the following options Enabled Click the check box to enable state sharing Clear the check box to disable state sharing Minimum Flow Lifetime Specify the minimum time in milliseconds for a session before the system sends any ...

Страница 13: ...avior for more information Caution Procedure Step 1 Configure HA link interfaces for each device in the device high availability pair see Configuring HA Link Interfaces Step 2 Choose Devices Device Management Step 3 Next to the device high availability pair you want to edit click the edit icon In a multidomain deployment if you are not in a leaf domain the system prompts you to switch Step 4 In th...

Страница 14: ...r of packets sent by the peer device During active use the values may not match but should be close Because the number of messages received should be close and incrementing at the same rate as the number of messages sent by the peer the number of packets received should have the same behavior For troubleshooting you should view both the packets received and the messages sent compare the rate of in...

Страница 15: ...ent to the peer This data are useful in comparison to the number of messages received During active use the values may not match but should be close The number of bytes received on the peer should be close to but not more than this value Contact Support if the total bytes received is not incrementing at about the same rate as the bytes sent Tx Errors Tx errors are the number of memory allocation f...

Страница 16: ...figuration in the State Sharing section of the High Availability page The HA link interface that is being used and its current link state Detailed synchronization statistics for troubleshooting issues The state sharing statistics are primarily counters for different aspects of the high availability synchronization traffic sent and received along with some other error counters In addition you can v...

Страница 17: ...rations active in which case the standby peer resumes normal operation The standby peer always loses the configuration of passive interfaces Any peer in maintenance mode resumes normal operation Procedure Step 1 Choose Devices Device Management Step 2 Next to the high availability pair you want to break click the Break HA icon Step 3 Optionally check the check box to remove the interface configura...

Страница 18: ...7000 and 8000 Series Device High Availability 18 7000 and 8000 Series Device High Availability Separating Device High Availability Pairs ...

Отзывы:

Нет отзывов

Похожие инструкции для FirePOWER 7000

Бренд: Watchguard Страницы: 20

Бренд: Nexcom Страницы: 71

Бренд: AlphaShield Страницы: 6

Бренд: BuildingLink Страницы: 20

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды