|
0:00:13
|
In our next section here for the asa we are going to look at the active active failover for the transparent firewall
|
|
0:00:20
|
where again active active failover is used for one physical box to forward for one context
|
|
0:00:26
|
while another physical box is forwarding for another physical context
|
|
0:00:31
|
so if we look at the topology here, we already have the multi context setup
|
|
0:00:35
|
where between router3 and router4
|
|
0:00:39
|
we have a transparent mode firewall that is bridging the traffic between VLANs 114 and 113
|
|
0:00:45
|
and then another one that is down here between VLANs 116 and 115
|
|
0:00:50
|
so since we already have all of the base configuration on one of the firewalls
|
|
0:00:55
|
the only other thing that we need to do is now configure the failover
|
|
0:00:59
|
fail the configuration over to the second asa
|
|
0:01:02
|
then once they are synchronized in the configuration
|
|
0:01:05
|
decide which part is going to be active for which particular failover group
|
|
0:01:12
|
Now just like the active active failover for the routed firewall
|
|
0:01:16
|
there are some configurations that are going to go in the system context
|
|
0:01:20
|
and there are some configurations that are going to go in the user context
|
|
0:01:24
|
mainly the configuration that is going to go in the system context
|
|
0:01:27
|
is related to any of the physical interface parameters
|
|
0:01:31
|
which in our case is going to be
|
|
0:01:33
|
what is the particular interface that is used for failover
|
|
0:01:37
|
what are the timers that we are using for
|
|
0:01:40
|
the overall failover units
|
|
0:01:42
|
So how often are we polling on the failover link
|
|
0:01:45
|
are we using stateful failover on that interface
|
|
0:01:48
|
and are we the primary unit
|
|
0:01:51
|
and if we are the primary unit which particular failover groups is that going to be applied to
|
|
0:01:58
|
so our first step
|
|
0:02:00
|
before we actually change any of these, let's save the configuration
|
|
0:02:03
|
on the first asa
|
|
0:02:05
|
because again if we do this in the wrong order I want to make sure that I am not going to
|
|
0:02:08
|
fail the blank configuration over
|
|
0:02:11
|
from the secondary device
|
|
0:02:14
|
Now on the second asa when we look at the show mode and the show firewall
|
|
0:02:18
|
we could see right now that this is running in router
|
|
0:02:21
|
mode or routed mode for the firewall
|
|
0:02:23
|
so I do need to make sure that this is running in transparent
|
|
0:02:28
|
So firewall transparent
|
|
0:02:33
|
next I would want to make sure that the physical links
|
|
0:02:36
|
are enabled
|
|
0:02:38
|
because obviously we are not going to be able to communicate if the links are in the shut down state
|
|
0:02:44
|
and the same will be true of asa1, so if we look at the show run output
|
|
0:02:49
|
the ethernet0/0, ethernet0/1
|
|
0:02:52
|
ethernet0/2, these are the three main interfaces that I am using for this configuration
|
|
0:02:57
|
where two of them
|
|
0:02:59
|
e0/0 e0/1, that's for the actual user traffic in the user context
|
|
0:03:05
|
then e0/2 this is going to be for my failover
|
|
0:03:10
|
So also I will then need to look at the layer2 configuration of the switches
|
|
0:03:14
|
and make sure that it is identical for the vlan
|
|
0:03:17
|
assignment for any of the trunking
|
|
0:03:19
|
between asa1 and 2
|
|
0:03:21
|
because when the failover occurs, I want to make sure that there are not any problems in the layer2
|
|
0:03:26
|
forwarding of traffic
|
|
0:03:30
|
So for our failover configuration
|
|
0:03:32
|
the first thing we are going to do on the primary asa
|
|
0:03:36
|
is specify that we are going to
|
|
0:03:38
|
run failover and we are going to be the
|
|
0:03:40
|
primary unit, so we are running LAN-based failover
|
|
0:03:44
|
this unit is going to be the primary one
|
|
0:03:47
|
So the primary mainly means that we are going to be replicating the configuration down
|
|
0:03:51
|
to the other device
|
|
0:03:53
|
doesn't necessarily relate to whether you are in the active mode or the standby mode
|
|
0:03:57
|
for the actual traffic forwarding
|
|
0:04:01
|
Next time you just specify what's the interface, I am going to do the failover over
|
|
0:04:05
|
this case we are going to use ethernet0/2
|
|
0:04:09
|
so we will say failover the LAN interface
|
|
0:04:13
|
give it a name, I will call it failover
|
|
0:04:16
|
and then the physical link name, which in this case is ethernet 0/2
|
|
0:04:22
|
now if we were to do stateful failover
|
|
0:04:24
|
this would be with the failover link command
|
|
0:04:28
|
now again you don't necessarily have to use the same interface
|
|
0:04:31
|
for the LAN based and the
|
|
0:04:33
|
stateful failover
|
|
0:04:35
|
for larger scale deployments, you would typically want to use separate interfaces
|
|
0:04:41
|
so I will say again here, this is going to be the
|
|
0:04:44
|
the interface with the name failover
|
|
0:04:48
|
that is physically
|
|
0:04:51
|
ethernet0/2
|
|
0:04:56
|
Now just like in routed mode, I am going to be
|
|
0:04:58
|
polling the other device in two different ways
|
|
0:05:01
|
with special layer2 keepalives
|
|
0:05:03
|
and then also with ICMP pings
|
|
0:05:06
|
for the ICMP
|
|
0:05:07
|
this is the reason that I need on the failover interface
|
|
0:05:10
|
an IP address
|
|
0:05:12
|
so for the interface called failover
|
|
0:05:15
|
the primary address
|
|
0:05:17
|
doesn't really matter what this is, as long as it's on the same subnet between the two devices
|
|
0:05:21
|
so no one else in the network needs to route towards this
|
|
0:05:24
|
we will give it any address, we will say
|
|
0:05:26
|
10.0.1.11
|
|
0:05:30
|
and the other device will be 10.0.1.12
|
|
0:05:40
|
that is for the
|
|
0:05:42
|
standby, standby is going to be 10.0.1.12
|
|
0:05:49
|
Now since we are running in multiple context mode
|
|
0:05:51
|
I am also going to be needing two different failover groups
|
|
0:05:55
|
then the failover groups are going to be assigned to individual contexts
|
|
0:05:59
|
So I have failover group 1
|
|
0:06:03
|
also this is where we will set what's the interface policy
|
|
0:06:07
|
for how many links inside of the context need to go down before the failover occurs
|
|
0:06:13
|
or other options like what's the poll time for the interface
|
|
0:06:17
|
so if I wanted to speed the convergence time, I would set the poll time lower
|
|
0:06:23
|
let's say the poll time is going to be 1 second
|
|
0:06:26
|
and the hold time, we will set to 5 seconds
|
|
0:06:30
|
so for both group number 1 and group number 2
|
|
0:06:36
|
if we now look at the show run context
|
|
0:06:39
|
for context r3 r4
|
|
0:06:42
|
this is going to join one of the failover groups
|
|
0:06:46
|
and the same with the
|
|
0:06:48
|
the other context, this is going to be in the separate group
|
|
0:06:51
|
so this is what is allowing them to be active active
|
|
0:06:55
|
we can be active for one failover group and standby for the other
|
|
0:06:59
|
while the other physical device is the opposite, it's standby for the first failover group and then active for the second one
|
|
0:07:07
|
So now let's look over our configuration here, if we say show run failover
|
|
0:07:13
|
this is the identical config that we are going to need on the other device
|
|
0:07:18
|
with the exception of what here
|
|
0:07:25
|
which is going to change between asa1 and asa2
|
|
0:07:31
|
one of them is going to be primary and the other is going to be secondary
|
|
0:07:35
|
So the secondary unit, this is the one that is
|
|
0:07:37
|
is receiving the configuration in from the primary unit
|
|
0:07:43
|
then our very last step would be to actually enable
|
|
0:07:46
|
the failover command
|
|
0:07:48
|
So on asa2 we will give it these options
|
|
0:07:53
|
then on asa1 I am going to
|
|
0:08:03
|
Now there are a couple of additional parameters that I still didn't get to
|
|
0:08:07
|
like inside the individual context, what interfaces are going to be monitored
|
|
0:08:12
|
and what are the addresses for the primary and standby devices in the context mode
|
|
0:08:17
|
but I am not going to configure this until I actually fail the configuration over first
|
|
0:08:22
|
because asa2 needs to create the context
|
|
0:08:26
|
to create the context you create the configuration files before we can actually make changes to them
|
|
0:08:33
|
we look at asa2 and look at the
|
|
0:08:36
|
the directory listing for the flash
|
|
0:08:38
|
we can see that we don't have
|
|
0:08:40
|
the actual files for the r3 and r4
|
|
0:08:44
|
context config
|
|
0:08:45
|
or for the r4, r5
|
|
0:08:47
|
where the r5, r6 context config
|
|
0:08:49
|
so until it actually has those files we can't really make changes to it
|
|
0:08:54
|
So I am going to fail the configuration over
|
|
0:08:56
|
or synchronize the configurations
|
|
0:08:59
|
then once that is done, I am going to make my final changes
|
|
0:09:02
|
So on asa1 we will say
|
|
0:09:04
|
failover, that's going to turn it on
|
|
0:09:08
|
Same with the second asa
|
|
0:09:13
|
So ideally I should now see, that it says
|
|
0:09:16
|
you found the active mate and it's beginning the replication from the mate
|
|
0:09:22
|
where on the other side, it's saying, it's sending it to
|
|
0:09:25
|
if this somehow got reversed, then I would be
|
|
0:09:28
|
failing over the blank configuration over the current one
|
|
0:09:33
|
and if I do that, worst case scenario, the only thing I need to do is reload
|
|
0:09:37
|
it's going to then bring me back to my working configuration
|
|
0:09:43
|
now here it says for the individual groups, I don't have a response from the mate
|
|
0:09:47
|
this is talking about the active active failover on the different context modes
|
|
0:09:53
|
so I need to make sure that
|
|
0:09:54
|
that the second device asa2 here actually has those contexts configured
|
|
0:09:59
|
in the files created
|
|
0:10:01
|
before I can do the final active active failover
|
|
0:10:07
|
Now one additional thing I may want to change in the system context mode again is the prompt
|
|
0:10:14
|
if we look at the show run all prompt
|
|
0:10:18
|
right now, the prompt is set
|
|
0:10:21
|
So that it's going to show my host name, the context name and then it's set
|
|
0:10:26
|
but I may want to tell it to show me not only the context name
|
|
0:10:30
|
the hostname and the context name
|
|
0:10:32
|
but I want to know what is your state, are you
|
|
0:10:35
|
the
|
|
0:10:37
|
the active device or the standby device
|
|
0:10:39
|
and then the priority, this would be, are you the
|
|
0:10:42
|
the primary or the secondary
|
|
0:10:45
|
so I want the priority
|
|
0:10:47
|
and the state, let's say the domain, so let's put all of them, on there
|
|
0:10:53
|
so we see this device is the primary one and it's active
|
|
0:10:57
|
if I now say write mem all
|
|
0:11:01
|
this is going to save my system context
|
|
0:11:04
|
my admin contexts, my user contexts
|
|
0:11:07
|
and also replicate my configuration down to the other asa
|
|
0:11:14
|
So we should see now that this prompt is going to change
|
|
0:11:16
|
so that it says, this is the secondary
|
|
0:11:20
|
and it is the standby device
|
|
0:11:24
|
so now I am always going to be sure whether I am actually making the configuration changes on the correct device
|
|
0:11:38
|
Now let's look at the output of the show failover
|
|
0:11:42
|
we can see that we are running active active failover
|
|
0:11:45
|
and the reason why I can tell this, is because it's separating the failover output
|
|
0:11:50
|
into the two different groups
|
|
0:11:53
|
if it did not show these groups separately
|
|
0:11:56
|
where it says either active active
|
|
0:11:59
|
standby standby
|
|
0:12:00
|
or active standby or standby active
|
|
0:12:03
|
then I would be running in
|
|
0:12:06
|
just active standby failover
|
|
0:12:10
|
because in multiple context mode you technically could run either or
|
|
0:12:15
|
you could run normal active standby
|
|
0:12:17
|
which means that one physical box forwards for all contexts
|
|
0:12:21
|
or you could run active active
|
|
0:12:23
|
which is splitting them into different groups
|
|
0:12:26
|
and then assigning whether you are active or standby
|
|
0:12:29
|
on the individual group basis
|
|
0:12:34
|
but assuming that we want to utilize all of the physical resource at the same time
|
|
0:12:39
|
that we would prefer to use active standby
|
|
0:12:41
|
excuse me, we would prefer to use active active
|
|
0:12:44
|
as opposed to active standby
|
|
0:12:48
|
Now also note from this configuration
|
|
0:12:51
|
it says what about the interface policy here
|
|
0:12:56
|
says that the inside and outside interfaces, they are in their normal state
|
|
0:13:03
|
but they are not being monitored
|
|
0:13:08
|
So the asa is only checking on its failover link
|
|
0:13:11
|
whether the other device is up or down
|
|
0:13:15
|
So typically we would want to monitor this on all interfaces
|
|
0:13:19
|
so that if there is a failure of the outside interface we can failover
|
|
0:13:23
|
and likewise on the inside
|
|
0:13:26
|
now this is going to be configured under the individual context mode
|
|
0:13:31
|
So we are going to change to context r3 and r4
|
|
0:13:35
|
if we show run all
|
|
0:13:38
|
monitor-interface
|
|
0:13:41
|
and show run all ip address
|
|
0:13:45
|
we could see that the default is that we are not monitoring the inside or outside
|
|
0:13:50
|
that's not what I want, I do want to monitor inside and outside
|
|
0:13:55
|
and to do this, I need to make sure that I have an address
|
|
0:13:59
|
for the standby device
|
|
0:14:03
|
so I will give it some other address on
|
|
0:14:05
|
that subnet
|
|
0:14:07
|
the same is going to be true of context
|
|
0:14:10
|
r5 r6
|
|
0:14:12
|
we show run all monitor-interface
|
|
0:14:18
|
we can see we are not monitoring inside and outside
|
|
0:14:21
|
but I do want to monitor these
|
|
0:14:25
|
and if we show run all ip
|
|
0:14:29
|
I then need an address for the secondary device so I can actually do that monitoring
|
|
0:14:34
|
because remember this is using IP packets or specifically ICMPs
|
|
0:14:39
|
to make sure that the remote device is actually there
|
|
0:14:45
|
so it changed the system, now if we look at the show failover
|
|
0:14:50
|
we see that now all of the interfaces are being monitored
|
|
0:14:57
|
and the other device is standby for both of the contexts
|
|
0:15:03
|
So my final step here is then
|
|
0:15:06
|
to actually test whether the failover is working
|
|
0:15:09
|
when one of the ASAs is active for one context
|
|
0:15:14
|
and the other one is active for the other ones
|
|
0:15:16
|
So asa1 is going to be active for the
|
|
0:15:19
|
router3 router4 context
|
|
0:15:22
|
asa2, I am going to have it active for router5 router6 one
|
|
0:15:26
|
then what I should see is that if asa1's
|
|
0:15:29
|
e0/0 goes down
|
|
0:15:33
|
asa2 is going to take over
|
|
0:15:37
|
for this context
|
|
0:15:39
|
or vice versa, if asa2's
|
|
0:15:42
|
e0/1 goes down
|
|
0:15:45
|
then asa1
|
|
0:15:47
|
is going to take over for this
|
|
0:15:52
|
So to do this we need to specify on the second asa
|
|
0:15:57
|
we want to be failover active
|
|
0:15:59
|
for group number 2
|
|
0:16:04
|
now if we save our config again, let's say write mem all
|
|
0:16:23
|
and if we look at the show failover
|
|
0:16:30
|
and let's ?? to this output a little bit, let's say show failover include
|
|
0:16:37
|
let's host or group
|
|
0:16:43
|
says that this is me, I am the primary device, they are the secondary device
|
|
0:16:46
|
I am active for the first group
|
|
0:16:49
|
but I am standby for the second one
|
|
0:16:52
|
they are standby for the first group
|
|
0:16:54
|
and they are active for the second one
|
|
0:16:56
|
if I look at this on the other asa, should be the exact opposite of this
|
|
0:17:00
|
where I am standby for the first one and I am active for the second one
|
|
0:17:07
|
So we can we
|
|
0:17:09
|
I am active for group number 2
|
|
0:17:13
|
they are active for group number 1
|
|
0:17:17
|
okay there is a question here
|
|
0:17:20
|
are the standby addresses in the outside interfaces in the same
|
|
0:17:25
|
vlan
|
|
0:17:30
|
if we were to look at this physically
|
|
0:17:34
|
asa1 and asa2
|
|
0:17:37
|
they both have vlan 50 on the outside
|
|
0:17:39
|
they both have 115 on the outside, they both have 116 on the inside
|
|
0:17:44
|
then the same would be true of this context
|
|
0:17:47
|
so for every logical
|
|
0:17:49
|
icon we see in the diagram
|
|
0:17:52
|
it's actually two physical devices
|
|
0:17:55
|
so they are both monitoring both subinterfaces on the inside and the outside
|
|
0:18:01
|
and there is another question here - For the failover interface monitoring logic, is it in all down or all up ?
|
|
0:18:07
|
or can it be mixed ?
|
|
0:18:09
|
and that's what the failover
|
|
0:18:12
|
interface policy is going to control
|
|
0:18:15
|
So on asa1 if we say
|
|
0:18:18
|
show run all failover
|
|
0:18:21
|
we see the failover groups have these interface policies
|
|
0:18:26
|
where this says
|
|
0:18:28
|
that for the first group
|
|
0:18:30
|
if one interface goes down, I don't care which one it is, could be the inside, could be the outside or could be the failover interface itself
|
|
0:18:37
|
if that goes down then I am immediately going to give up my active status
|
|
0:18:42
|
or if I am standby and their, one of their interfaces goes down, then I am going to take over the active status
|
|
0:18:47
|
So we could change this, I could say
|
|
0:18:50
|
it's a number of, not the poll time, excuse me, the interface policy
|
|
0:18:58
|
the interface policy, it if says
|
|
0:19:00
|
how many interfaces need to fail, I could say has to be both of them
|
|
0:19:04
|
or could be a percentage maybe
|
|
0:19:07
|
50%
|
|
0:19:08
|
because we could have a case where
|
|
0:19:10
|
maybe there are multiple inside and multiple outside at the same time
|
|
0:19:15
|
where asa
|
|
0:19:19
|
asa1 has
|
|
0:19:23
|
in 1 and in 2
|
|
0:19:27
|
and out 1 and out 2
|
|
0:19:32
|
Now maybe for failover I don't care if one of the links goes down
|
|
0:19:37
|
but if two of them go down
|
|
0:19:39
|
in any combination then I am going to do the failover
|
|
0:19:41
|
and again that's what this
|
|
0:19:44
|
this interface policy is used to do
|
|
0:19:50
|
So now let's actually do the testing
|
|
0:19:53
|
again asa1
|
|
0:19:55
|
should be the active device for the first group
|
|
0:19:58
|
So we changed to context r3
|
|
0:20:05
|
it should tell us in the prompt
|
|
0:20:07
|
that this is the active device
|
|
0:20:11
|
on the other one on asa2 if we change to
|
|
0:20:18
|
change to context r5
|
|
0:20:20
|
this device is active for that particular group
|
|
0:20:28
|
So now from the inside devices, let's ping the addresses on the outside
|
|
0:20:33
|
I will give it a high repeat count
|
|
0:20:37
|
and a timeout of 1 second
|
|
0:20:41
|
so again what this is going to show me
|
|
0:20:44
|
is that for every dot that appears
|
|
0:20:46
|
that's going to be 1 second of convergence time
|
|
0:20:50
|
so if a packet is lost, I am waiting at least
|
|
0:20:53
|
or at the most 1 second for the response to come back in
|
|
0:20:56
|
So if I see a dot it means that it's more than 1 second in convergence time
|
|
0:20:59
|
same thing here for router6, so I am going to ping 10.0.56.5
|
|
0:21:06
|
with a
|
|
0:21:08
|
high repeat count and a timeout of 1 second
|
|
0:21:14
|
Now I need to know what is the physical link that I need to shut down
|
|
0:21:17
|
If I am testing this bottom failover
|
|
0:21:22
|
I am going to shut down asa2's, ethernet0/1
|
|
0:21:26
|
and asa2's ethernet0/1, this physically goes to
|
|
0:21:32
|
switch1's port fastethernet0/15
|
|
0:21:39
|
So its going to switch1
|
|
0:21:41
|
say show interface status
|
|
0:21:44
|
include asa
|
|
0:21:47
|
and this is going to be fast ethernet 15 again, I am going to shut this down
|
|
0:21:51
|
and as soon as I do that, I am going to go back to the command line on router 6
|
|
0:21:55
|
and I want to see how many packets I am dropping
|
|
0:21:57
|
and then ultimately it should
|
|
0:22:01
|
start continuing the forward
|
|
0:22:04
|
so 1 2 3 , so 3 seconds it took
|
|
0:22:09
|
if I now look at the first asa
|
|
0:22:12
|
and let's change to system
|
|
0:22:14
|
and show failover
|
|
0:22:16
|
asa1 should show its state as what now
|
|
0:22:31
|
it should be active for both of the groups
|
|
0:22:36
|
So now it's saying that the other device asa2, it failed
|
|
0:22:39
|
for its second group
|
|
0:22:44
|
it failed for its second group, So I had to take over the active status for that
|
|
0:22:50
|
now when we look at router4, this device should not have been impacted at all
|
|
0:22:56
|
we could see there is no packet loss, there are no dots here, there are only exclamations
|
|
0:23:00
|
because its device was
|
|
0:23:02
|
continuing to be active the entire time
|
|
0:23:07
|
Now if I bring the interface back, let's say no shutdown
|
|
0:23:12
|
and also another thing, that you may want to take into account here
|
|
0:23:15
|
is on this interface
|
|
0:23:18
|
notice the configuration I haven't set as trunk
|
|
0:23:22
|
but also I am telling it, it wants to run portfast on the trunk
|
|
0:23:30
|
because this particular interface, even though it's running multiple VLANs
|
|
0:23:34
|
it's not an interface that is running spanning tree
|
|
0:23:37
|
so when the link goes up or down, I do not want it to be subject to the forwarding delay
|
|
0:23:43
|
which is the listening and the learning phases of spanning tree
|
|
0:23:48
|
So if I do not have this command, it's going to take more than 30 seconds
|
|
0:23:52
|
for the failover to re-converge
|
|
0:23:56
|
so remember this is more than just a firewall, that you are to take into account, when you are looking at the overall high availability design
|
|
0:24:05
|
so now if we look at the failover again
|
|
0:24:07
|
this here, what it says, it says failed
|
|
0:24:10
|
this now should say standby ready
|
|
0:24:13
|
which it does
|
|
0:24:16
|
So let's try this again, on asa2, let's change to context
|
|
0:24:20
|
or change to system
|
|
0:24:23
|
we will say failover active group 2
|
|
0:24:29
|
so it's going to give me my active state back for group number 2
|
|
0:24:36
|
asa1 should now be active standby, standby active
|
|
0:24:43
|
now we are going to test this on the other link
|
|
0:24:45
|
so the other link in this case is asa1's
|
|
0:24:49
|
ethernet0/0
|
|
0:24:52
|
where this link here, physically connects to
|
|
0:24:55
|
switch2's port
|
|
0:24:58
|
fastethernet0/12
|
|
0:25:01
|
So when I shut this down, ideally I should see asa2
|
|
0:25:05
|
takeover for that context
|
|
0:25:13
|
and we are going to be looking at router4, if any, its going to drop
|
|
0:25:19
|
so let's go to switch2, on switch2 let's look at the show
|
|
0:25:23
|
show interface status include asa
|
|
0:25:28
|
and based on my descriptions, we could see this is port 12
|
|
0:25:34
|
So fast ethernet 12 is shut down
|
|
0:25:37
|
and I am going to end of this and immediately jump back to router4
|
|
0:25:41
|
because see it takes about 2 seconds to converge
|
|
0:25:47
|
if we look at asa1, it should now say it failed for its first group
|
|
0:25:54
|
and asa2 is now going to be active active
|
|
0:25:59
|
because this other group is failed
|
|
0:26:04
|
So this final result where we are actually testing the failover to see if it works
|
|
0:26:10
|
this would be our ultimate final verification, So if you
|
|
0:26:14
|
unplug the link and it doesn't actually work, or you shut down the link and it doesn't actually work
|
|
0:26:18
|
then you know that there is something additional in your configuration that you need to take into account
|
|
0:26:23
|
so don't rely necessarily just on the show commands when you look at the show failover
|
|
0:26:28
|
you do actually want to test that this works
|
|
0:26:32
|
before you can consider that your design is correct
|
|
0:26:38
|
So now let's look at our final configuration
|
|
0:26:40
|
from the system context mode if we say
|
|
0:26:43
|
show run
|
|
0:26:45
|
show run failover
|
|
0:26:52
|
then if we look at the individual
|
|
0:26:55
|
user contexts
|
|
0:27:01
|
let's say more
|
|
0:27:05
|
disk0:/r3-r4.config
|
|
0:27:10
|
and include monitor or
|
|
0:27:15
|
ip
|
|
0:27:22
|
and then same is going to be true of the
|
|
0:27:25
|
r5 r6
|
|
0:27:35
|
so again overall there are not too many commands you need to do in order to implement this
|
|
0:27:39
|
it's more of figuring out what is the correct design that you need to work on
|
|
0:27:43
|
and also to visualize what's the difference in the physical topology versus the logical topology
|
|
0:27:50
|
so this is definitely one of those things that you would want to draw out
|
|
0:27:54
|
and look at how the devices are physically wired
|
|
0:27:57
|
and then what is the resulting logical topology we are trying to build on top of it
|
|
0:28:01
|
because this diagram there this shows the logical topology
|
|
0:28:05
|
but doesn't really tell me, what is ethernet0/2 physically plugged into, or what this outside interface is actually physically connected to
|
|
0:28:12
|
and this is what we also need to take into account
|
|
0:28:16
|
what's going on in the layer2 switches
|
|
0:28:19
|
and then with their links, is this going to potentially impact the additional convergence time.
|