CCIE Security V4 Technology Labs Section 5: Perimeter Security and Services - ASA Firewalls

Active-Active Failover
Last updated: May 10, 2013

Task
Implement stateful failover for firewall contexts CTX1 and CTX2 using two ASA units. ASA3 should be active for CTX1 and standby for CTX2. ASA4 should be active for CTX2 and standby for CTX1. Designate CTX1 as the admin context in your configuration. Ensure that R1 and R3 can ping R2. Apply NAT configurations and static routing to accomplish this. Use interface GigablitEthernet 0/2 as the stateful failover link with the IP addresses assigned according to the table and diagram. Disable outside interface monitoring and configure the firewall to monitor the inside sub-interfaces. Reduce the interface polling timers to the minimum.

ASA3 Addresses
Inside CTX1 CTX2 System 10.0.0.13 10.0.1.13 Outside 150.50.0.13 150.50.0.31 100.100.100.13 G0/2

ASA4 Addresses
Inside CTX1 CTX2 System 10.0.0.14 10.0.1.14 Outside 150.50.0.14 150.50.0.41 100.100.100.14 G0/2

Overview
When configuring failover, it is mandatory to set both firewall in either single or multiple context mode simultaneously. The firewall in multiple-context mode is configured for Active/Standby failover using the same commands entered under the system context. Failover interface is also configured under the system context. However, the multiple contexts mode has a unique failover feature known as Active/Active (A/A) failover. With A/A failover, one unit is active for a group of security contexts and standby for another group. At the same time, the other unit is active for the complimentary set of firewall contexts. Thus, there is no longer a single active and single standby untit; both units forward traffic at the same time. The concept of primary and secondary boxes still exists with respect to failover configuration; the primary unit replicates all system context configurations to the secondary unit. Active/Active failover is implemented by using failover groups. There can be two groups per failover pair. To implement A/A failover, you configure one firewall unit as primary for one group and secondary for another group. After this, you assign firewall contexts to the groups. Both firewalls become active for the failover group where they are assigned as primary, and standby for the group where they are assigned as secondary. If one units fails, the respective contexts will migrate to the working unit. Use the command f a i l o v e rg r o u p{ 1 | 2 } to enter the firewall group configuration. Under the group configuration, you can issue the command p r i m a r y or s e c o n d a r y to specify the firewall role for this group. Another important command here is p r e e m p t, which instructs the primary firewall to take over the contexts when it becomes active again. By default, if a unit fails and the other unit takes over, the contexts are not returned back automatically when the original unit comes back. By entering the preempt command, you enable lower-priority preemption behavior. Finally, to assign the context to a failover group, use the command j o i n f a i l o v e r g r o u p{ 1 | 2 } under the context creation mode, when logged in to the system context. It is important to note that failover is group wide. If a failover event occurs, the whole group fails over to the standby unity, meaning all contexts assigned to the single group. The last thing that differs for multiple context mode is interface monitoring. By default, all physical interfaces mapped to a context and configured with the IP addresses are monitored. The monitored interface statistics are aggregated per group. As soon as the number of failed interfaces exceeds the per-group threshold, the whole group fails over to the standby unit. The command to monitor an interface is the same: m o n i t o r i n t e r f a c e< i n t e r f a c e n a m e >; but in A/A failover, you apply it when logged in to a particular context. Failover based on interface monitoring only works for Active/Active mode (not Active/Standby) because you cannot monitor any interfaces under the system context. Because of the group-wide failover behavior, the poll timers are now specific per group as well. To configure the timers, you must access the system context and enter the command f a i l o v e rg r o u p{ 1 | 2 } in configuration mode. Then use the command p o l l t i m ei n t e r f a c e. Here you can also set the interface-policy threshold, which applies to all failed interfaces within all contexts mapped to this group.

Configuration
ASA3:

c i s c o a s a ( c o n f i g ) #m o d em u l t i p l e

ASA4:

c i s c o a s a ( c o n f i g ) #m o d em u l t i p l e

ASA3/System:

h o s t n a m eR a c k 1 A S A ! !C o n f i g u r ep h y s i c a li n t e r f a c e s ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 0 n os h u t d o w n ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 1 n os h u t d o w n ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 1 . 1 1 v l a n1 1 n os h u t d o w n ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 1 . 1 3 v l a n1 3 n os h u t d o w n ! !C r e a t ec o n t e x tC T X 1a n da d di n t e r f a c e ! a d m i n c o n t e x tC T X 1 c o n t e x tC T X 1 d e s c r i p t i o n= =C T X 1 a l l o c a t e i n t e r f a c eG I g a b i t E t h e r n e t 0 / 0 a l l o c a t e i n t e r f a c eG I g a b i t E t h e r n e t 0 / 1 . 1 1 c o n f i g u r ld i s k 0 : / C T X 1 . c f g c o n t e x ta d m i n ! !C r e a t ec o n t e x tC T X 2 ! c o n t e x tC T X 2 d e s c r i p t i o n= =C T X 2 a l l o c a t e i n t e r f a c eG i g a b i t E t h e r n e t 0 / 0 a l l o c a t e i n t e r f a c eG i g a b i t E t h e r n e t 0 / 1 . 1 3 c o n f i g u r ld i s k 0 : / C T X 2 . c f g

ASA3/CTX1:

!C h a n g et oc o n t e x tC T X 1 ! c h a n g e t oc o n t e x tC T X 1 ! !C o n f i g u r es e c u r i t y l e v e l s&I Pa d d r e s s i n gf o ri n t e r f a c e s ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 1 . 1 1 n a m e i fi n s i d e s e c u r i t y l e v e l1 0 0 i pa d d r e s s1 0 . 0 . 0 . 1 32 5 5 . 2 5 5 . 2 5 5 . 0s t a n d b y1 0 . 0 . 0 . 1 4 ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 0 n a m e i fo u t s i d e s e c u r i t y l e v e l0 i pa d d r e s s1 5 0 . 5 0 . 0 . 1 32 5 5 . 2 5 5 . 2 5 5 . 0s t a n d b y1 5 0 . 5 0 . 0 . 1 4 ! !D y n a m i cP A To ns h a r e di n t e r f a c e ! o b j e c tn e t w o r ki n s i d e s u b n e t1 0 . 0 . 0 . 02 5 5 . 2 5 5 . 2 5 5 . 0 n a t( i n s i d e , o u t s i d e )d y n a m i ci n t e r f a c e ! ! !B a s i ca c c e s s l i s tt op e r m i tp i n g sf r o mi n s i d e ! a c c e s s l i s t O U T S I D E _ I Np e r m i ti c m pa n ya n ye c h o r e p l y a c c e s s g r o u pO U T S I D E _ I Ni ni n t e r f a c eo u t s i d e ! !I n t e r f a c eM o n i t o r i n g ! m o n i t o r i n t e r f a c ei n s i d e n om o n i t o r i n t e r f a c eo u t s i d e

ASA3/CTX2:

c h a n g e t oc o n t e x tC T X 2 ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 1 . 1 3 n a m e i fi n s i d e s e c u r i t y l e v e l1 0 0 i pa d d r e s s1 0 . 0 . 1 . 1 32 5 5 . 2 5 5 . 2 5 5 . 0s t a n d b y1 0 . 0 . 1 . 1 4 ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 0 n a m e i fo u t s i d e s e c u r i t y l e v e l0 i pa d d r e s s1 5 0 . 5 0 . 0 . 3 12 5 5 . 2 5 5 . 2 5 5 . 0s t a n d b y1 5 0 . 5 0 . 0 . 4 1 ! !N A Tc o n f i g s ! o b j e c tn e t w o r ki n s i d e s u b n e t1 0 . 0 . 1 . 02 5 5 . 2 5 5 . 2 5 5 . 0 n a t( i n s i d e , o u t s i d e )d y n a m i ci n t e r f a c e ! ! !A c c e s s c o n t r o lr u l e st op e r m i tp i n g s ! a c c e s s l i s t O U T S I D E _ I Np e r m i ti c m pa n ya n ye c h o r e p l y a c c e s s g r o u pO U T S I D E _ I Ni ni n t e r f a c eo u t s i d e ! !I n t e r f a c eM o n i t o r i n g ! m o n i t o r i n t e r f a c ei n s i d e n om o n i t o r i n t e r f a c eo u t s i d e

SW1:

! !E n a b l et h et r u n ki n t e r f a c e sf o rt h ei n s i d e . ! i n t e r f a c eF a s t E t h e r n e t 0 / 1 7 s w i t c h p o r tt r u n ke n c a p s u l a t i o nd o t 1 q s w i t c h p o r tm o d et r u n k s p a n n i n g t r e ep o r t f a s t n os h u t d o w n ! i n t e r f a c eF a s t E t h e r n e t 0 / 1 9 s w i t c h p o r tt r u n ke n c a p s u l a t i o nd o t 1 q s w i t c h p o r tm o d et r u n k s p a n n i n g t r e ep o r t f a s t n os h u t d o w n

SW2:

!E n a b l et h eF a i l o v e ri n t e r f a c e s ! i n tr a n g ef 0 / 1 7 ,f 0 / 1 9 s w i t c h p o r th o s t s w i t c h p o r ta c c e s sv l a n1 0 0 !

ASA3/System:

! !F a i l o v e rc o n f i g sf o l l o w ! c h a n g e t os y s t e m ! !E n a b l et h ef a i l o v e ri n t e r f a c e ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 2 n os h u t d o w n ! !C o n f i g u r ef a i l o v e rs e t t i n g s ! f a i l o v e rl a nu n i tp r i m a r y f a i l o v e rl a ni n t e r f a c ef a i l o v e rG i g a b i t E t h e r n e t 0 / 2 f a i l o v e rl i n kf a i l o v e rG i g a b i t E t h e r n e t 0 / 2 f a i l o v e ri n t e r f a c ei pf a i l o v e r1 0 0 . 1 0 0 . 1 0 0 . 1 32 5 5 . 2 5 5 . 2 5 5 . 0s t a n d b y1 0 0 . 1 0 0 . 1 0 0 . 1 4 ! !C o n f i g u r ef a i l o v e rg r o u p s f a i l o v e rg r o u p1 p r i m a r y p r e e m p t i n t e r f a c e p o l i c y1 p o l l t i m ei n t e r f a c em s e c5 0 0h o l d t i m e5 ! f a i l o v e rg r o u p2 s e c o n d a r y p r e e m p t i n t e r f a c e p o l i c y1 p o l l t i m ei n t e r f a c em s e c5 0 0h o l d t i m e5 ! ! c o n t e x tC T X 1 j o i n f a i l o v e r g r o u p1 ! c o n t e x tC T X 2 j o i n f a i l o v e r g r o u p2 ! ! ! f a i l o v e r !

ASA4:

! !E n a b l ef a i l o v e ri n t e r f a c e ! i n t e r f a c eG i g a b i t E t h e r n e t 0 / 2 n os h u t d o w n ! f a i l o v e rl a nu n i ts e c o n d a r y f a i l o v e rl a ni n t e r f a c ef a i l o v e rG i g a b i t E t h e r n e t 0 / 2 f a i l o v e rl i n kf a i l o v e rG i g a b i t E t h e r n e t 0 / 2 f a i l o v e ri n t e r f a c ei pf a i l o v e r1 0 0 . 1 0 0 . 1 0 0 . 1 32 5 5 . 2 5 5 . 2 5 5 . 0s t a n d b y1 0 0 . 1 0 0 . 1 0 0 . 1 4 f a i l o v e r

Verification
Verify the failover pair status in ASA3. Notice that ASA3 is active for group 1 and standby for group 2. Also notice that the outside interfaces are not monitored per out configuration.

R a c k 1 A S A ( c o n f i g ) #s hf a i l o v e r F a i l o v e rO n F a i l o v e ru n i tP r i m a r y F a i l o v e rL A NI n t e r f a c e :f a i l o v e rG i g a b i t E t h e r n e t 0 / 2( u p ) U n i tP o l lf r e q u e n c y1s e c o n d s ,h o l d t i m e1 5s e c o n d s I n t e r f a c eP o l lf r e q u e n c y5s e c o n d s ,h o l d t i m e2 5s e c o n d s I n t e r f a c eP o l i c y1 M o n i t o r e dI n t e r f a c e s2o f1 1 4m a x i m u m V e r s i o n :O u r s8 . 6 ( 1 ) 2 ,M a t e8 . 6 ( 1 ) 2 G r o u p1l a s tf a i l o v e ra t :1 1 : 2 8 : 4 2U T CA p r1 02 0 1 3 G r o u p2l a s tf a i l o v e ra t :1 1 : 2 9 : 2 7U T CA p r1 02 0 1 3 T h i sh o s t : G r o u p1 G r o u p2 P r i m a r y S t a t e : A c t i v et i m e : S t a t e : A c t i v et i m e : A c t i v e 1 7 7( s e c ) S t a n d b yR e a d y 4 4( s e c )

s l o t0 :A S A 5 5 1 5h w / s wr e v( 1 . 0 / 8 . 6 ( 1 ) 2 )s t a t u s( U pS y s ) C T X 1I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 3 ) :N o r m a l( M o n i t o r e d ) C T X 1I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 1 3 ) :N o r m a l( N o t M o n i t o r e d ) C T X 2I n t e r f a c ei n s i d e( 1 0 . 0 . 1 . 1 4 ) :N o r m a l( M o n i t o r e d ) C T X 2I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 4 1 ) :N o r m a l( N o t M o n i t o r e d ) s l o t1 :I P S 5 5 1 5h w / s wr e v( N / A / )s t a t u s( U n r e s p o n s i v e / U p )

O t h e rh o s t : G r o u p1 G r o u p2

S e c o n d a r y S t a t e : A c t i v et i m e : S t a t e : A c t i v et i m e : S t a n d b yR e a d y 0( s e c ) A c t i v e 1 3 2( s e c )

s l o t0 :A S A 5 5 1 5h w / s wr e v( 1 . 0 / 8 . 6 ( 1 ) 2 )s t a t u s( U pS y s ) C T X 1I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 4 ) :N o r m a l( M o n i t o r e d ) C T X 1I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 1 4 ) :N o r m a l( N o t M o n i t o r e d ) C T X 2I n t e r f a c ei n s i d e( 1 0 . 0 . 1 . 1 3 ) :N o r m a l( M o n i t o r e d ) C T X 2I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 3 1 ) :N o r m a l( N o t M o n i t o r e d ) s l o t1 :I P S 5 5 1 5h w / s wr e v( N / A / )s t a t u s( U n r e s p o n s i v e / U p ) S t a t e f u lF a i l o v e rL o g i c a lU p d a t eS t a t i s t i c s L i n k:f a i l o v e rG i g a b i t E t h e r n e t 0 / 2( u p ) S t a t e f u lO b j G e n e r a l s y sc m d u pt i m e R P Cs e r v i c e s T C Pc o n n U D Pc o n n A R Pt b l X l a t e _ T i m e o u t I P v 6N Dt b l S I PS e s s i o n R o u t eS e s s i o n U s e r I d e n t i t y x m i t 2 2 1 9 0 0 0 0 0 0 0 0 0 3 x e r r 0 0 0 0 0 0 0 0 0 0 0 0 r c v 1 9 1 9 0 0 0 0 0 0 0 0 0 0 r e r r 0 0 0 0 0 0 0 0 0 0 0 0

L o g i c a lU p d a t eQ u e u eI n f o r m a t i o n C u r R e c vQ : X m i tQ : R a c k 1 A S A ( c o n f i g ) # 0 0 M a x 1 2 T o t a l 2 0 2 3

On R1, we telnet to R2.

R a c k 1 R 1 # t e l n e t1 5 0 . 5 0 . 0 . 2 T r y i n g1 5 0 . 5 0 . 0 . 2. . .O p e n

U s e rA c c e s sV e r i f i c a t i o n P a s s w o r d : R a c k 1 R 2 >

Look at the connections inside CTX1.

R a c k 1 A S A / C T X 1 ( c o n f i g ) #s hc o n n 3i nu s e ,7m o s tu s e d T C Po u t s i d e1 5 0 . 5 0 . 0 . 2 : 2 3i n s i d e1 0 . 0 . 0 . 1 : 2 9 9 1 6 ,i d l e0 : 0 0 : 4 0 ,b y t e s1 1 0 ,f l a g sU I O R a c k 1 A S A / C T X 1 ( c o n f i g ) #

Look at the monitor status.

R a c k 1 A S A / C T X 1 ( c o n f i g ) #s h o wm o n i t o r i n t e r f a c e T h i sh o s t :P r i m a r y-A c t i v e I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 3 ) :N o r m a l( M o n i t o r e d ) O t h e rh o s t :S e c o n d a r y-S t a n d b yR e a d y I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 4 ) :N o r m a l( M o n i t o r e d ) R a c k 1 A S A / C T X 1 ( c o n f i g ) #

Configure SW1 to filter VLAN 11 from the trunk link connecting to ASA3s GigabitEthernet 0/1 interface. This will make CTX1's inside interface connectivity test fail and force failover. As a result, ASA4 will become active for both contexts.

R a c k 1 S W 1 ( c o n f i g i f ) # i n tf 0 / 1 7 R a c k 1 S W 1 ( c o n f i g i f ) # s w it r u n ka l l o w e dv l a nr e m o v e1 1

Now look at the monitoring.

R a c k 1 A S A / C T X 1 ( c o n f i g ) #s h o wm o n i t o r i n t e r f a c e T h i sh o s t :P r i m a r y-F a i l e d I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 4 ) :F a i l e d( W a i t i n g ) O t h e rh o s t :S e c o n d a r y-A c t i v e I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 3 ) :N o r m a l( W a i t i n g ) R a c k 1 A S A / C T X 1 ( c o n f i g ) #

Check the failover status again. This time, notice that ASA4 is active for both groups, and ASA3 marks group 1 as Failed.

R a c k 1 A S A / C T X 1 ( c o n f i g ) #s h o wf a i l o v e r F a i l o v e rO n L a s tF a i l o v e ra t :1 1 : 3 7 : 1 4U T CA p r1 02 0 1 3 T h i sc o n t e x t :F a i l e d A c t i v et i m e :5 1 1( s e c ) I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 4 ) :F a i l e d( W a i t i n g ) I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 1 4 ) :N o r m a l( N o t M o n i t o r e d ) P e e rc o n t e x t :A c t i v e A c t i v et i m e :8 0( s e c ) I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 3 ) :N o r m a l( W a i t i n g ) I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 1 3 ) :N o r m a l( N o t M o n i t o r e d ) S t a t e f u lF a i l o v e rL o g i c a lU p d a t eS t a t i s t i c s S t a t u s :C o n f i g u r e d . S t a t e f u lO b j R P Cs e r v i c e s T C Pc o n n U D Pc o n n A R Pt b l X l a t e _ T i m e o u t I P v 6N Dt b l S I PS e s s i o n R o u t eS e s s i o n U s e r I d e n t i t y R a c k 1 A S A / C T X 1 ( c o n f i g ) # x m i t 0 2 0 2 0 0 0 0 1 x e r r 0 0 0 0 0 0 0 0 0 r c v 0 0 0 0 0 0 0 0 0 r e r r 0 0 0 0 0 0 0 0 0

Another thing to note here is that we issued the show failover in the context CTX1. You'll notice that the output does not show both groups. Move to the system context and issue the command again.

R a c k 1 A S A / C T X 1 ( c o n f i g ) # c h a n g e t os y s t e R a c k 1 A S A ( c o n f i g ) #s h o wf a i l o v e r F a i l o v e rO n

F a i l o v e ru n i tP r i m a r y F a i l o v e rL A NI n t e r f a c e :f a i l o v e rG i g a b i t E t h e r n e t 0 / 2( u p ) U n i tP o l lf r e q u e n c y1s e c o n d s ,h o l d t i m e1 5s e c o n d s I n t e r f a c eP o l lf r e q u e n c y5s e c o n d s ,h o l d t i m e2 5s e c o n d s I n t e r f a c eP o l i c y1 M o n i t o r e dI n t e r f a c e s2o f1 1 4m a x i m u m V e r s i o n :O u r s8 . 6 ( 1 ) 2 ,M a t e8 . 6 ( 1 ) 2 G r o u p1l a s tf a i l o v e ra t :1 1 : 3 7 : 1 4U T CA p r1 02 0 1 3 G r o u p2l a s tf a i l o v e ra t :1 1 : 2 9 : 2 7U T CA p r1 02 0 1 3 T h i sh o s t : G r o u p1 G r o u p2 P r i m a r y S t a t e : A c t i v et i m e : S t a t e : A c t i v et i m e : F a i l e d 5 1 1( s e c ) S t a n d b yR e a d y 4 4( s e c )

s l o t0 :A S A 5 5 1 5h w / s wr e v( 1 . 0 / 8 . 6 ( 1 ) 2 )s t a t u s( U pS y s ) C T X 1I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 4 ) :F a i l e d( W a i t i n g ) C T X 1I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 1 4 ) :N o r m a l( N o t M o n i t o r e d ) C T X 2I n t e r f a c ei n s i d e( 1 0 . 0 . 1 . 1 4 ) :N o r m a l( M o n i t o r e d ) C T X 2I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 4 1 ) :N o r m a l( N o t M o n i t o r e d ) s l o t1 :I P S 5 5 1 5h w / s wr e v( N / A / )s t a t u s( U n r e s p o n s i v e / U p ) O t h e rh o s t : G r o u p1 G r o u p2 S e c o n d a r y S t a t e : A c t i v et i m e : S t a t e : A c t i v et i m e : A c t i v e 1 7 7( s e c ) A c t i v e 6 4 4( s e c )

s l o t0 :A S A 5 5 1 5h w / s wr e v( 1 . 0 / 8 . 6 ( 1 ) 2 )s t a t u s( U pS y s ) C T X 1I n t e r f a c ei n s i d e( 1 0 . 0 . 0 . 1 3 ) :N o r m a l( W a i t i n g ) C T X 1I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 1 3 ) :N o r m a l( N o t M o n i t o r e d ) C T X 2I n t e r f a c ei n s i d e( 1 0 . 0 . 1 . 1 3 ) :N o r m a l( M o n i t o r e d ) C T X 2I n t e r f a c eo u t s i d e( 1 5 0 . 5 0 . 0 . 3 1 ) :N o r m a l( N o t M o n i t o r e d ) s l o t1 :I P S 5 5 1 5h w / s wr e v( N / A / )s t a t u s( U n r e s p o n s i v e / U p ) S t a t e f u lF a i l o v e rL o g i c a lU p d a t eS t a t i s t i c s L i n k:f a i l o v e rG i g a b i t E t h e r n e t 0 / 2( u p ) S t a t e f u lO b j G e n e r a l s y sc m d u pt i m e R P Cs e r v i c e s T C Pc o n n U D Pc o n n A R Pt b l X l a t e _ T i m e o u t x m i t 9 4 8 7 0 0 2 0 2 0 x e r r 0 0 0 0 0 0 0 0 r c v 8 7 8 7 0 0 0 0 0 0 r e r r 0 0 0 0 0 0 0 0

I P v 6N Dt b l S I PS e s s i o n R o u t eS e s s i o n U s e r I d e n t i t y

0 0 0 3

0 0 0 0

0 0 0 0

0 0 0 0

L o g i c a lU p d a t eQ u e u eI n f o r m a t i o n C u r R e c vQ : X m i tQ : R a c k 1 A S A ( c o n f i g ) # 0 0 M a x 1 2 T o t a l 8 7 9 4

While all of this is happening, we should still be connected to R2 from R1.

R a c k 1 R 2 >_ \ < e n t e r > _ R a c k 1 R 2 >_ \ < e n t e r > _ R a c k 1 R 2 > s hi pi n tb r i e I n t e r f a c e c o l G i g a b i t E t h e r n e t 0 / 0 G i g a b i t E t h e r n e t 0 / 1 G i g a b i t E t h e r n e t 0 / 2 1 5 0 . 5 0 . 0 . 2 1 5 0 . 5 1 . 0 . 2 u n a s s i g n e d Y E Sm a n u a lu p Y E Sm a n u a lu p u p u p I P A d d r e s s O K ?M e t h o dS t a t u s P r o t o

Y E Su n s e t a d m i n i s t r a t i v e l yd o w nd o w n

R a c k 1 R 2 > _ \ < c t r l + s h i f t + sx > _ R a c k 1 R 1 # _ \ < e n t e r > _ [ R e s u m i n gc o n n e c t i o n1t o1 5 0 . 5 0 . 0 . 2. . .] R a c k 1 R 2 >

And we should be able to go from R3 to R2 via context CTX2.

R a c k 1 R 3 # t e l n e t1 5 0 . 5 0 . 0 . 2 T r y i n g1 5 0 . 5 0 . 0 . 2. . .O p e n

U s e rA c c e s sV e r i f i c a t i o n P a s s w o r d : R a c k 1 R 2 >