The following topics describe how to configure high availability for Firepower 7000 Series and 8000 Series
devices in the Firepower System:
• About 7000 and 8000 Series Device High Availability, on page 1
• Establishing Device High Availability, on page 6
• Editing Device High Availability, on page 7
• Configuring Individual Devices in a High-Availability Pair, on page 7
• Configuring Individual Device Stacks in a High-Availability Pair, on page 8
• Configuring Interfaces on a Device in a High-Availability Pair, on page 8
• Switching the Active Peer in a Device High-Availability Pair, on page 9
• Placing a High-Availability Peer into Maintenance Mode, on page 10
• Replacing a Device in a Stack in a High-Availability Pair, on page 10
• Device High Availability State Sharing, on page 11
• Device High Availability State Sharing Statistics for Troubleshooting, on page 14
• Separating Device High-Availability Pairs, on page 17
About 7000 and 8000 Series Device High Availability
With 7000 and 8000 Series device high availability, you can establish redundancy of networking functionality
and configuration data between two peer devices or two peer device stacks.
You achieve configuration redundancy by configuring two peer devices or two peer device stacks into a
high-availability pair to act as a single logical system for policy deploys, system updates, and registration.
The system automatically synchronizes other configuration data.
Note
Static routes, non-SFRP IP addresses, and routing priorities are not synchronized between the peer devices
or peer device stacks. Each peer device or peer device stack maintains its own routing intelligence.
Related Topics
SFRP
Advanced Virtual Switch Settings
7000 and 8000 Series Device High Availability
1
Device High Availability Requirements
Before you can configure a 7000 and 8000 Series device high-availability pair, the following must be true:
• You can only pair single devices with single devices or device stacks with device stacks.
• Both devices or device stacks must have normal health status, be running the same software, and have
the same licenses. See Using the Health Monitor for more information. In particular, the devices cannot
have hardware failures that would cause them to enter maintenance mode and trigger a failover.
Note
After you pair the devices, you cannot change the license options for individual
paired devices, but you can change the license for the entire high-availability
pair.
• Interfaces must be configured on each device or each primary device in a stack.
• Both devices or the primary members of the device stacks must be the same model and have identical
copper or fiber interfaces.
• Device stacks must have identical hardware configurations, except for an installed malware storage pack.
For example, you can pair a Firepower 8290 with another 8290. None, one, or all devices in either stack
might have a malware storage pack.
Caution
Do not attempt to install a hard drive that was not supplied by Cisco in your
device. Installing an unsupported hard drive may damage the device. Malware
storage pack kits are available for purchase only from Cisco, and are for use only
with 8000 Series devices. Contact Support if you require assistance with the
malware storage pack. See the Firepower System Malware Storage Pack Guide
for more information.
• If the devices are targeted by NAT policies, both peers must have the same NAT policy.
• In a multidomain deployment, you can only establish 7000 or 8000 Series device high-availability pairs or
device stacks within a leaf domain.
Note
After failover and recovery, SFRP preempts to the master node.
Related Topics
SFRP
Advanced Virtual Switch Settings
Device High Availability Failover and Maintenance Mode
With 7000 and 8000 Series device high availability, the system fails over either manually or automatically.
You manually trigger failover by placing one of the paired devices or stacks in maintenance mode.
Automatic failover occurs after the health of the active device or stack becomes compromised, during a system
update, or after a user with Administrator privileges shuts down the device. Automatic failover also occurs
after an active device or device stack experiences NMSB failure, NFE failure, hardware failure, firmware
failure, critical process failure, a disk full condition, or link failure between two stacked devices. If the health
of the standby device or stack becomes similarly compromised, the system does not fail over and enters a
degraded state. The system also does not fail over when one of the devices or device stacks is in maintenance
mode. Note that disconnecting the stacking cable from an active stack sends that stack into maintenance mode.
Shutting down the secondary device in an active stack also sends that stack into maintenance mode.
Note
If the active member of the high-availability pair goes into maintenance mode and the active role fails over
to the other pair member, when the original active pair member is restored to normal operation it does not
automatically reclaim the active role.
Related Topics
SFRP
Advanced Virtual Switch Settings
Configuration Deployment and Upgrade Behavior for High-Availability Pairs
This topic describes upgrade and deployment behavior for 7000 and 8000 Series devices (and stacks) in high
availability pairs.
Behavior During Deploy
You deploy configuration changes to the members of a high availability pair at the same time. Deploy either
succeeds or fails for both peers. The Firepower Management Center deploys to the active device; if that
succeeds then changes are deployed to the standby.
Caution
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, deploying some configurations restarts the Snort process, which interrupts traffic inspection.
Whether traffic drops during this interruption or passes without further inspection depends on how the target
device handles traffic. See Snort® Restart Traffic Behavior and Configurations that Restart the Snort Process
When Deployed or Activated.
Behavior During Upgrade
You should not experience interruptions in traffic flow or inspection while upgrading devices (or device
stacks) in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices
operate in maintenance mode while they upgrade.
Which peer upgrades first depends on your deployment:
• Routed or switched—Standby upgrades first. The devices switch roles, then the new standby upgrades.
When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby
roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.
• Access control only—Active upgrades first. When the upgrade completes, the active and standby maintain
their old roles.
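The failover rules in this chapter (automatic failover when the active peer's health is compromised, manual failover by placing the active peer in maintenance mode, a degraded state when the standby is also compromised, and no preemption after the original active peer recovers) and the upgrade ordering above together decide which peer is active after any sequence of events. The following Python model is an added example, not code from Cisco or the Firepower System; the Peer and HaPair classes and the device names are constructed for illustration, and the model encodes only the rules stated in this chapter. It also shows that both upgrade orderings (roles switched for routed/switched, roles preserved for access control only) follow from the same failover rule once each peer is upgraded in maintenance mode.

```python
"""Executable model of failover, maintenance mode and upgrade ordering for a
7000/8000 Series device HA pair, as described in this chapter (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ACTIVE = "active"
    STANDBY = "standby"


@dataclass
class Peer:
    name: str
    role: Role
    healthy: bool = True        # False models NMSB/NFE/hardware/firmware/process/disk-full/stack-link failure
    maintenance: bool = False   # manual maintenance mode, stack cable pulled, or secondary stack member shut down

    @property
    def available(self) -> bool:
        """A peer can hold the active role only when it is healthy and not in maintenance mode."""
        return self.healthy and not self.maintenance


@dataclass
class HaPair:
    active: Peer
    standby: Peer
    degraded: bool = False
    events: list = field(default_factory=list)

    def _switch_roles(self, reason: str) -> None:
        self.active, self.standby = self.standby, self.active
        self.active.role, self.standby.role = Role.ACTIVE, Role.STANDBY
        self.events.append(f"failover ({reason}): {self.active.name} is now active")

    def evaluate(self, reason: str) -> None:
        """Chapter rule: fail over only when the active peer is compromised or in maintenance
        mode AND the standby can take over. If the standby is compromised too, stay put and
        mark the pair degraded. A recovered peer never preempts: nothing happens while the
        current active peer is fine."""
        if self.active.available:
            self.degraded = False
            return
        if self.standby.available:
            self._switch_roles(reason)
            self.degraded = False
        else:
            self.degraded = True
            self.events.append(f"no failover ({reason}): standby unavailable, pair degraded")

    def set_maintenance(self, peer: Peer, on: bool) -> None:
        peer.maintenance = on
        self.evaluate(f"{peer.name} maintenance {'on' if on else 'off'}")

    def set_health(self, peer: Peer, healthy: bool) -> None:
        peer.healthy = healthy
        self.evaluate(f"{peer.name} {'healthy' if healthy else 'failed'}")

    def upgrade(self, deployment: str) -> list:
        """Upgrade the peers one at a time, each in maintenance mode, and return the order.
        Routed/switched: standby first, then the old active (roles end up switched).
        Access control only: active first, then the standby (roles end up as before)."""
        if deployment in ("routed", "switched"):
            sequence = [self.standby, self.active]
        elif deployment == "access control only":
            sequence = [self.active, self.standby]
        else:
            raise ValueError(f"unknown deployment type: {deployment}")
        order = []
        for peer in sequence:
            self.set_maintenance(peer, True)    # the upgrade runs in maintenance mode
            order.append(peer.name)
            self.set_maintenance(peer, False)   # no preemption when the peer returns
        return order


def demo() -> dict:
    """Walk through the scenarios in the text and return the final state for inspection."""
    pair = HaPair(Peer("dev-A", Role.ACTIVE), Peer("dev-B", Role.STANDBY))
    a, b = pair.active, pair.standby
    pair.set_health(a, False)        # active fails: dev-B takes over
    pair.set_health(a, True)         # dev-A recovers but does not reclaim the active role
    pair.set_maintenance(a, True)    # standby in maintenance mode ...
    pair.set_health(b, False)        # ... so a failure of the active peer cannot fail over: degraded
    pair.set_maintenance(a, False)   # dev-A returns, failover happens now
    return {"active": pair.active.name, "degraded": pair.degraded, "events": list(pair.events)}


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

Running the module prints the event trail for the demo scenario; `upgrade("routed")` on a fresh pair leaves the former standby active, while `upgrade("access control only")` returns the pair to its pre-upgrade roles, matching the two bullets above.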
Related Topics
SFRP
Advanced Virtual Switch Settings
Deployment Types and Device High Availability
You determine how to configure 7000 or 8000 Series device high availability depending on your Firepower
System deployment: passive, inline, routed, or switched. You can also deploy your system in multiple roles
at once. Of the four deployment types, only passive deployments require that you configure devices or stacks
using high availability to provide redundancy. You can establish network redundancy for the other deployment
types with or without device high availability. For a brief overview on high availability in each deployment
type, see the sections below.
Note
You can achieve Layer 3 redundancy without using device high availability by using the Cisco Redundancy
Protocol (SFRP). SFRP allows devices to act as redundant gateways for specified IP addresses. With network
redundancy, you configure two devices or stacks to provide identical network connections, ensuring connectivity
for other hosts on the network.
Passive Deployment Redundancy
Passive interfaces are generally connected to tap ports on central switches, which allows them to analyze all
of the traffic flowing across the switch. If multiple devices are connected to the same tap feed, the system
generates events from each of the devices. When configured in a high-availability pair, devices act as either
active or standby, which allows the system to analyze traffic even in the event of a system failure while also
preventing duplicate events.
Inline Deployment Redundancy
Because an inline set has no control over the routing of the packets being passed through it, it must always
be active in a deployment. Therefore, redundancy relies on external systems to route traffic correctly. You
can configure redundant inline sets with or without 7000 or 8000 Series device high availability.
To deploy redundant inline sets, you configure the network topology so that it allows traffic to pass through
only one of the inline sets while preventing circular routing. If one of the inline sets fails, the surrounding
network infrastructure detects the loss of connectivity to the gateway address and adjusts the routes to send
traffic through the redundant set.
Routed Deployment Redundancy
Hosts in an IP network must use a well-known gateway address to send traffic to different networks. Establishing
redundancy in a routed deployment requires that routed interfaces share the gateway addresses so that only
one interface handles traffic for that address at any given time. To accomplish this, you must maintain an
equal number of IP addresses on a virtual router. One interface advertises the address. If that interface goes
down, the standby interface begins advertising the address.
In devices that are not members of a high-availability pair, you use SFRP to establish redundancy by configuring
gateway IP addresses shared between multiple routed interfaces. You can configure SFRP with or without
7000 or 8000 Series device high availability. You can also establish redundancy using dynamic routing such
as OSPF or RIP.
Switched Deployment Redundancy
You establish redundancy in a switched deployment using the Spanning Tree Protocol (STP), one of the
advanced virtual switch settings. STP is a protocol that manages the topology of bridged networks. It is
specifically designed to allow redundant links to provide automatic standby for switched interfaces without
configuring standby links. Devices in a switched deployment rely on STP to manage traffic between redundant
interfaces. Two devices connected to the same broadcast network receive traffic based on the topology
calculated by STP.
Note
Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy
in a 7000 or 8000 Series device high-availability pair.
Related Topics
SFRP
Advanced Virtual Switch Settings
Device High Availability Configuration
When establishing 7000 or 8000 Series device high availability, you designate one of the devices or stacks
as active and the other as standby. The system applies a merged configuration to the paired devices. If there
is a conflict, the system applies the configuration from the device or stack you designated as active.
After you pair the devices, you cannot change the license options for individual paired devices, but you can
change the license for the entire high-availability pair. If there are interface attributes that need to be set on
switched interfaces or routed interfaces, the system establishes the high-availability pair, but sets it to a pending
status. After you configure the necessary attributes, the system completes the high-availability pair and sets
it to a normal status.
After you establish a high-availability pair, the system treats the peer devices or stacks as a single device on
the Device Management page. Device high-availability pairs display the High Availability icon in the
appliance list. Any configuration changes you make are synchronized between the paired devices. The Device
Management page displays which device or stack in the high-availability pair is active, which changes after
manual or automatic failover.
Removing registration of a device high-availability pair from a Firepower Management Center removes
registration from both devices or stacks. You remove a device high-availability pair from the Firepower
Management Center as you would an individual managed device.
You can then register the high-availability pair on another Firepower Management Center. To register single
devices from a high-availability pair, you add remote management to the active device in the pair and then
add that device to the Firepower Management Center, which adds the whole pair. To register stacked devices
in a high-availability pair, you add remote management to the primary device of either stack and then add
that device to the Firepower Management Center, which adds the whole pair.
After you establish a device high-availability pair, you should configure a high-availability link interface.
Note
If you plan to set up dynamic NAT, HA state sharing, or VPN using the devices in the high-availability pair,
you must configure a high-availability link interface. For more information, see Configuring HA Link Interfaces.
Establishing Device High Availability
This procedure describes establishing a 7000 & 8000 Series device high-availability pair. For information on
establishing Firepower Threat Defense high availability, see Add a Firepower Threat Defense High Availability
Pair.
When establishing a 7000 & 8000 Series device high-availability pair, you designate one of the devices or
stacks as active and the other as standby. The system applies a merged configuration to the paired devices. If
there is a conflict, the system applies the configuration from the device or stack you designated as active.
In a multidomain deployment, devices in a high-availability pair must belong to the same domain.
Smart License: N/A
Classic License: Control
Supported Devices: 7000 & 8000 Series
Supported Domains: Any
Access: Admin/Network Admin
Before you begin
• Confirm that all requirements are met; see Device High Availability Requirements, on page 2.
Procedure
Step 1 Choose Devices > Device Management.
Step 2 From the Add drop-down menu, choose Add High Availability.
Step 3 Enter a Name.
Step 4 Under Device Type, choose Firepower.
Step 5 Assign roles for the devices or stacks:
a) Choose the Active Peer device or stack for the high-availability pair.
b) Choose the Standby Peer device or stack for the high-availability pair.
Step 6 Click Add. The process takes a few minutes as the system synchronizes data.
What to do next
Create an HA Link interface on each of the devices in the high-availability pair if you plan to set up HA state
sharing, dynamic NAT, or VPN with the devices. For more information on HA link interfaces, see Configuring
HA Link Interfaces.