About 7000 and 8000 Series Device High Availability
With 7000 and 8000 Series device high availability, you can establish redundancy of networking functionality and configuration data between two peer devices or two peer device stacks.
You achieve configuration redundancy by configuring two peer devices or two peer device stacks into a high-availability pair to act as a single logical system for policy deploys, system updates, and registration. The system automatically synchronizes other configuration data.
Note |
Static routes, non-SFRP IP addresses, and routing priorities are not synchronized between the peer devices or peer device stacks. Each peer device or peer device stack maintains its own routing intelligence. |
Device High Availability Requirements
Before you can configure a 7000 and 8000 Series device high-availability pair, the following must be true:
-
You can only pair single devices with single devices or device stacks with device stacks.
-
Both devices or device stacks must have normal health status, be running the same software, and have the same licenses. See Using the Health Monitor for more information. In particular, the devices cannot have hardware failures that would cause them to enter maintenance mode and trigger a failover.
Note
After you pair the devices, you cannot change the license options for individual paired devices, but you can change the license for the entire high-availability pair.
-
Interfaces must be configured on each device or each primary device in a stack.
-
Both devices or the primary members of the device stacks must be the same model and have identical copper or fiber interfaces.
-
Device stacks must have identical hardware configurations, except for an installed malware storage pack. For example, you can pair a Firepower 8290 with another 8290. None, one, or all devices in either stack might have a malware storage pack.
Caution
Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the Firepower System Malware Storage Pack Guide for more information.
-
If the devices are targeted by NAT policies, both peers must have the same NAT policy.
-
In a multidomain deployment, you can only establish 7000 or 8000 Series device high-availability or device stacks within a leaf domain.
Note |
After failover and recovery, SFRP preempts to the primary node. |
Device High Availability Failover and Maintenance Mode
With a 7000 and 8000 Series device high availability, the system fails over either manually or automatically. You manually trigger failover by placing one of the paired devices or stacks in maintenance mode.
Automatic failover occurs after the health of the active device or stack becomes compromised, during a system update, or after a user with Administrator privileges shuts down the device. Automatic failover also occurs after an active device or device stack experiences NMSB failure, NFE failure, hardware failure, firmware failure, critical process failure, a disk full condition, or link failure between two stacked devices. If the health of the standby device or stack becomes similarly compromised, the system does not fail over and enters a degraded state. The system also does not fail over when one of the devices or device stacks is in maintenance mode. Note that disconnecting the stacking cable from an active stack sends that stack into maintenance mode. Shutting down the secondary device in an active stack also sends that stack into maintenance mode.
Note |
If the active member of the high-availability pair goes into maintenance mode and the active role fails over to the other pair member, when the original active pair member is restored to normal operation it does not automatically reclaim the active role. |
Configuration Deployment and Upgrade Behavior for High-Availability Pairs
This topic describes upgrade and deployment behavior for 7000 and 8000 Series devices (and stacks) in high availability pairs.
Behavior During Deploy
You deploy configuration changes to the members of a high availability pair at the same time. Deploy either succeeds or fails for both peers. The Firepower Management Center deploys to the active device; if that succeeds then changes are deployed to the standby.
Caution |
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations restarts the Snort process, which interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See SnortĀ® Restart Traffic Behavior and Configurations that Restart the Snort Process When Deployed or Activated. |
Behavior During Upgrade
You should not experience interruptions in traffic flow or inspection while upgrading devices (or device stacks) in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.
Which peer upgrades first depends on your deployment:
-
Routed or switchedāStandby upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.
-
Access control onlyā Active upgrades first. When the upgrade completes, the active and standby maintain their old roles.
Deployment Types and Device High Availability
You determine how to configure 7000 or 8000 Series device high availability depending on your Firepower System deployment: passive, inline, routed, or switched. You can also deploy your system in multiple roles at once. Of the four deployment types, only passive deployments require that you configure devices or stacks using high availability to provide redundancy. You can establish network redundancy for the other deployment types with or without device high availability. For a brief overview on high availability in each deployment type, see the sections below.
Note |
You can achieve Layer 3 redundancy without using device high availability by using the Cisco Redundancy Protocol (SFRP). SFRP allows devices to act as redundant gateways for specified IP addresses. With network redundancy, you configure two devices or stacks to provide identical network connections, ensuring connectivity for other hosts on the network. |
Passive Deployment Redundancy
Passive interfaces are generally connected to tap ports on central switches, which allows them to analyze all of the traffic flowing across the switch. If multiple devices are connected to the same tap feed, the system generates events from each of the devices. When configured in a high-availability pair, devices act as either active or standby, which allows the system to analyze traffic even in the event of a system failure while also preventing duplicate events.
Inline Deployment Redundancy
Because an inline set has no control over the routing of the packets being passed through it, it must always be active in a deployment. Therefore, redundancy relies on external systems to route traffic correctly. You can configure redundant inline sets with or without 7000 or 8000 Series device high availability.
To deploy redundant inline sets, you configure the network topology so that it allows traffic to pass through only one of the inline sets while preventing circular routing. If one of the inline sets fails, the surrounding network infrastructure detects the loss of connectivity to the gateway address and adjusts the routes to send traffic through the redundant set.
Routed Deployment Redundancy
Hosts in an IP network must use a well-known gateway address to send traffic to different networks. Establishing redundancy in a routed deployment requires that routed interfaces share the gateway addresses so that only one interface handles traffic for that address at any given time. To accomplish this, you must maintain an equal number of IP addresses on a virtual router. One interface advertises the address. If that interface goes down, the standby interface begins advertising the address.
In devices that are not members of a high-availability pair, you use SFRP to establish redundancy by configuring gateway IP addresses shared between multiple routed interfaces. You can configure SFRP with or without 7000 or 8000 Series device high availability. You can also establish redundancy using dynamic routing such as OSPF or RIP.
Switched Deployment Redundancy
You establish redundancy in a switched deployment using the Spanning Tree Protocol (STP), one of the advanced virtual switch settings. STP is a protocol that manages the topology of bridged networks. It is specifically designed to allow redundant links to provide automatic standby for switched interfaces without configuring standby links. Devices in a switched deployment rely on STP to manage traffic between redundant interfaces. Two devices connected to the same broadcast network receive traffic based on the topology calculated by STP.
Note |
Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy in a 7000 or 8000 Series device high-availability pair. |
7000/8000 Series High Availability Configuration
When establishing 7000 or 8000 Series device high availability, you designate one of the devices or stacks as active and the other as standby. The system applies a merged configuration to the paired devices. If there is a conflict, the system applies the configuration from the device or stack you designated as active.
After you pair the devices, you cannot change the license options for individual paired devices, but you can change the license for the entire high availability pair. If there are interface attributes that need to be set on switched interfaces or routed interfaces, the system establishes the high availability pair, but sets it to a pending status. After you configure the necessary attributes, the system completes the high availability pair and sets it to a normal status.
After you establish a high availability pair, the system treats the peer devices or stacks as a single device on the Device Management page. Device high availability pairs display the High Availability icon () in the appliance list. Any configuration changes you make are synchronized between the paired devices. The Device Management page displays which device or stack in the high availability pair is active, which changes after manual or automatic failover.
Removing registration of a device high availability pair from a Firepower Management Center removes registration from both devices or stacks. You remove a device high availability pair from the FMC as you would an individual managed device.
You can then register the high availability pair on another FMC. To register single devices from a high availability pair, you add remote management to the active device in the pair and then add that device to the FMC, which adds the whole pair. To register stacked devices in a high availability pair, you add remote management to the primary device of the either stack and then add that device to the FMC, which adds the whole pair.
After you establish a device high availability pair, you should configure a high-availability link interface.
Note |
If you plan to set up dynamic NAT, HA state sharing, or VPN using the devices in the high availability pair, you must configure a high-availability link interface. For more information, see Configuring HA Link Interfaces. |