
HA Features on ASA - Part 2 Security Contexts

At this point, I'd like to point out something about the material in the previous post.

Lab Equipment list: Cisco Adaptive Security Appliance 5512-X, version 9.6.1
ASA 5512-X: Clustering - 2 | Contexts - 2 (optional: 5) | Failover - Active/Active or Active/Standby
(note: no support for clustering, contexts or failover in the base license - all three items require the Security Plus license)

INE Equipment list (Version 4):
ASA 1 | ASA 2 - 5510 running 8.4 or 8.2
ASA 3 | ASA 4 - 5515-X running 8.6(1)
ASA 5515-X: Clustering - 2 | Contexts - 2 (optional: 5) | Failover - Active/Active or Active/Standby

So it looks like the only "issue" is that the ASAs are not running the proper version for V5. A quick look at the workbook suggests there are some exercises that can be adapted to this topic, although they need to be practiced out of order. And it may be a blessing in disguise: if the 9.6 CLI guide is used as the configuration source and the 8.6 image is what's actually on the rack, then we're going to find out exactly which sections/configurations are different and how they differ.

I'm keeping a lab notebook with me as I write and practice. Anything that is different between what we have available now and the test standard will be noted. Then, once version 5 racks are available, those exercises can be repeated. I really doubt that I'll buzz through the entire blueprint before spring. (But I don't want to sit idle waiting for the racks to be updated.)

Since I'm in the Workbook, let me list the sections that look relevant:

ASA Interface High Availability
ASA Firewall Contexts
ASA Active-Standby Failover
ASA Active-Active Failover
ASA Contexts Traffic Classification
ASA Contexts Resource Management

For good measure - Section 6
CBAC High Availability
ZBPF High Availability

Now that we've described what contexts are, let's take a look at the steps to configure them.


Step 1. Enable multiple security contexts globally
Step 2. Set up the system execution space
Step 3. Allocate the interfaces
Step 4. Specify a configuration URL
Step 5. Configure an admin context
Step 6. Configure a user context
Step 7. Manage the security contexts (optional)
Step 8. Resource Management (optional)
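As an added example (this is not the author's change script and not an INE workbook task), here is what a pasteable script covering Steps 1 through 8 could look like on a 5512-X. The interface numbers, VLAN IDs, context names, disk0: file names and the resource-class limits are all assumed for illustration. Step 1 forces a reload, so it is pasted on its own before the rest; the admin context is created before the user context because the ASA needs an admin context to exist before other contexts can be added; and each block is followed by the show command that validates it, in the annotated style the post describes.

```text
! ---- Step 1: enable multiple-context mode (system space, requires a reload) ----
! Paste this block alone. The ASA converts the running config into the system
! config plus disk0:/admin.cfg for the admin context, then reloads.
show mode
mode multiple

! ---- Step 2: system execution space - physical interfaces and subinterfaces ----
! Only physical/VLAN settings live here; IP addressing is done inside each context.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/1
 no shutdown
interface Management0/0
 no shutdown

! ---- Step 5 first: the admin context (name, file path assumed) ----
admin-context admin
context admin
 description Admin context - management access only
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! ---- Steps 3, 4 and 6: a user context with allocated interfaces and a config URL ----
! The optional mapped names (c1-outside / c1-inside) hide the real interface IDs
! from whoever administers the context.
context c1
 description Customer 1 (assumed)
 allocate-interface GigabitEthernet0/0.10 c1-outside
 allocate-interface GigabitEthernet0/1 c1-inside
 config-url disk0:/c1.cfg

! ---- Step 8: resource management (class name and limits assumed) ----
class gold
 limit-resource conns 10%
 limit-resource rate conns 1000
context c1
 member gold

! ---- Validation from the system space ----
show mode
show context
show resource allocation
show resource usage context c1
write memory

! ---- Step 7: manage the context - change into it and configure it like a normal ASA ----
! Inside the context the interfaces are referred to by their mapped names.
changeto context c1
interface c1-outside
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface c1-inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
show interface ip brief
write memory
changeto system
```

The point of keeping the validation commands in the script is that the rack hour is spent reading output, not typing; if `show context` does not list both contexts as Active after the context block, stop there rather than pasting the next block on top of a half-applied change. Expect some of these commands, and the version-dependent prompts around `mode multiple`, to differ between the 9.6 CLI guide and the 8.6 image on the rack, which is exactly the kind of difference the lab notebook is for.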

At this point, I need to step back and look at this. Something is becoming quite clear to me. The only way to do this in a way that I'm going to definitely remember it is to do this the way I would do it at work. I'm looking at the rack rentals and they are 8 tokens per hour. I really don't want to waste a minute of that time. So what does that sound like? A change window. I'm looking at the documentation, the task and the workbook information. I need to meld those three things together and come up with what I want to do during that precious hour. So if I had to perform this task at work during a change window, I would create a script.

I use the term "script" loosely here. It is not a script in the automation sense. It's a script in the entertainment sense of the word: the written text of a screenplay, specifically the one used in production or performance. I've worked in places where changes were scripted, optionally scripted, and required to be scripted with peer review. I've used them even at places that didn't require a script, because it makes the change go much more smoothly. Normally these scripts are written in Notepad, so that you can copy and paste your commands without any formatting getting included. All the work is done up-front during the writing of the script. The change window (rack time) is used to implement and validate the script that was written. Using a script is also helpful since you can focus on the troubleshooting (if needed) instead of the implementation. I normally like to write my scripts with annotations and validations.

So the next question is: where do I put them? I was going to just upload the text files to a folder linked in the sidebar, but that could get messy quickly. So I created a new category/section and I will put them in a post. That should keep them organized and properly labelled. The section is titled "Adapted Labs for SecV5" in the sidebar.

The first exercise will be:

Create contexts and set up Active-Standby failover.
Configure stateless and stateful failover
Reset devices.
Create two more contexts and set up Active-Active failover.
Configure stateless and stateful failover
Reset devices
Configure interface-level failover - redundant interfaces
Configure interface-level failover - etherchannel
Configure these same things using the ASDM Failover Wizard
Monitor and troubleshoot failover

This may or may not be the final "flow" of activities, but that's the aim.

