Keeping systems running is an important part of any network design. In this video, you’ll learn about active-active configurations and active-passive configurations.
Maintaining uptime and availability on the network can be a challenge. And in this video, we’ll look at different methods for providing that network redundancy. One of the most common forms of network redundancy is active-passive. This is where you would have two separate pieces of equipment, but only one of them is active or running at any particular time. These two devices are constantly communicating with each other, giving updates on their status. And if the primary device fails, the secondary device takes over as the primary device on the network.
This means the configuration between these two devices needs to be identical. And if you make a change to the configuration on the primary device, it needs to copy that configuration to the secondary device. You also need to make sure that any real-time information is updated between both devices. So if there is a session table or a routing table, all of that information also needs to be copied and maintained on the secondary device. That way, if the secondary device does become active, it has exactly the same configuration as the primary device did.
Visually, this is how it would look on a network map. You have an internet provider, let’s say, providing our network connection out to the rest of the world. There are two firewalls in this configuration. And behind the firewalls are a router, a switch, and a web server. In this case, these two firewalls are running as an active-passive configuration. One of the firewalls is active, and the other firewall is in a standby or passive mode.
When traffic is sent through the network, that traffic passes through the active firewall to the web server that’s on the other side. But let’s say that primary firewall had a problem. Perhaps the power supply failed, maybe the software crashed, but something within that device has caused it to go offline.
For that moment, this means there is no active firewall on our network. But of course, our passive firewall has been in constant communication with that active firewall and recognizes that it’s no longer on the network. So the passive firewall now makes itself into an active firewall, and it becomes the primary device on the network. Any future communication on the network now uses this new firewall to complete that communication path.
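The following is an added example, not code from the video, that simulates the active-passive behaviour described above: configuration changes are always replicated to the standby, session-table entries are replicated only when state sync is turned on, and the standby promotes itself when the active node’s heartbeats stop. The node names (fw1, fw2), the 3-second dead timer, the single allow rule and the sample flow are all constructed for the example. Running the scenario with and without session sync shows why the real-time state has to be copied too: without it, the new primary has the right rules but drops the connection that was in progress.

```python
"""Simulation of an active-passive firewall pair (added example, constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# A flow is identified by its 5-tuple: (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]


@dataclass
class FirewallNode:
    name: str
    alive: bool = True
    last_heartbeat: float = 0.0
    # Configuration (rule set) and live state (session table) are tracked
    # separately because both must reach the standby for a clean failover.
    rules: Dict[str, str] = field(default_factory=dict)
    sessions: Dict[Flow, str] = field(default_factory=dict)

    def permits(self, flow: Flow, mid_session: bool) -> bool:
        """Stateful check: a packet of a known session is allowed; a new flow
        is allowed only when a rule permits its destination port."""
        if mid_session:
            return flow in self.sessions
        return self.rules.get(f"{flow[4]}/{flow[3]}") == "allow"


class ActivePassivePair:
    """Two nodes, exactly one forwarding traffic at any time."""

    def __init__(self, primary: FirewallNode, standby: FirewallNode,
                 sync_sessions: bool = True, dead_after: float = 3.0):
        self.active = primary
        self.standby = standby
        self.sync_sessions = sync_sessions
        self.dead_after = dead_after  # seconds without a heartbeat before failover
        self.failovers = 0

    def apply_rule(self, key: str, action: str) -> None:
        # Configuration is replicated unconditionally: both units must be identical.
        self.active.rules[key] = action
        self.standby.rules[key] = action

    def handle_packet(self, flow: Flow, mid_session: bool = False) -> bool:
        """Forward a packet through whichever node is currently active."""
        allowed = self.active.permits(flow, mid_session)
        if allowed and not mid_session:
            self.active.sessions[flow] = "established"
            if self.sync_sessions:  # real-time state copied to the standby
                self.standby.sessions[flow] = "established"
        return allowed

    def heartbeat(self, now: float) -> None:
        """Each live node announces its status; a dead node falls silent."""
        for node in (self.active, self.standby):
            if node.alive:
                node.last_heartbeat = now

    def check_failover(self, now: float) -> bool:
        """The standby promotes itself when the active node's heartbeats stop."""
        if now - self.active.last_heartbeat > self.dead_after and self.standby.alive:
            self.active, self.standby = self.standby, self.active
            self.failovers += 1
            return True
        return False


def run_scenario(sync_sessions: bool) -> dict:
    """Open one HTTPS session, kill the primary, and see whether the session
    survives on the promoted standby."""
    fw1, fw2 = FirewallNode("fw1"), FirewallNode("fw2")
    pair = ActivePassivePair(fw1, fw2, sync_sessions=sync_sessions)
    pair.apply_rule("tcp/443", "allow")        # pushed to both units
    pair.heartbeat(now=0.0)
    flow: Flow = ("203.0.113.10", 51000, "198.51.100.20", 443, "tcp")  # constructed
    first = pair.handle_packet(flow)           # new connection through fw1
    fw1.alive = False                          # primary fails (e.g. power supply)
    pair.heartbeat(now=1.0)                    # fw2 keeps announcing; fw1 is silent
    pair.heartbeat(now=5.0)
    failed_over = pair.check_failover(now=5.0)
    later = pair.handle_packet(flow, mid_session=True)  # next packet, same session
    return {"active": pair.active.name, "first_packet": first,
            "failed_over": failed_over, "rules_match": fw1.rules == fw2.rules,
            "session_survives": later}


if __name__ == "__main__":
    print("with session sync:   ", run_scenario(True))
    print("without session sync:", run_scenario(False))
```

In both runs the promoted unit has an identical rule set, which is the easy part of the design; the difference is entirely in the session table, which is the real-time information the video says must also be maintained on the secondary device.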
You might be looking at that network design and think, you’ve purchased two firewalls. Both of them are plugged in and they’re powered on at the same time. Why don’t we use both of those firewalls simultaneously and take advantage of all of that extra computing power?
Having both of those devices operating simultaneously is referred to as an active-active configuration. However, simply turning on both devices and running traffic through both of them is not always a simple task. There’s usually a bit more engineering required to make sure that you could turn on both of the devices and use both of them simultaneously.
For example, you might have data flowing through the network in different directions. Maybe one part of the conversation goes through one device and the return part of the conversation goes through a different device. You need to have some type of mechanism that keeps track of all of these different data flows and what device they’re flowing through. This often requires a good bit of design work and understanding of exactly where the traffic flows are in the network, how the routing is configured, where the switches are located, and how you would expect traffic to flow on a normal basis.
And as you would expect with an active-active configuration, where both firewalls are operating simultaneously, you can send traffic through the network, and one traffic flow may go through one of the active firewalls while a second traffic flow goes through the alternate active firewall. If one of the firewalls were to fail, you don’t have to worry about failing over to a secondary, because both firewalls are already active. The remaining firewall continues to handle the load, and traffic continues to flow normally through that network.
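As an added example (not from the video), the simulation below shows the flow-tracking problem that makes active-active harder than simply powering on both units. Two stateful firewalls sit behind a hashing distributor. If the distributor hashes the directional 5-tuple, a connection’s forward packets and its replies can land on different firewalls, and the firewall that never saw the SYN drops the return traffic. Hashing a symmetric key (the two endpoints sorted, so a flow and its reverse produce the same key) pins both directions to one unit. The last scenario adds session sharing between the two active units so that a unit failure does not strand the sessions it owned. Node names, the 32 sample flows and the use of SHA-256 for the hash are all constructed for the example.

```python
"""Active-active flow distribution and state sharing (added example, constructed)."""
import hashlib
from typing import Callable, List, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]


def reverse(flow: Flow) -> Flow:
    """The return direction of a conversation: endpoints swapped."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    return (dst_ip, dst_port, src_ip, src_port, proto)


def directional_key(flow: Flow) -> str:
    """Naive key: a flow and its reverse hash to unrelated values."""
    return "|".join(map(str, flow))


def symmetric_key(flow: Flow) -> str:
    """Sort the two endpoints so a flow and its reverse share one key."""
    lo, hi = sorted([(flow[0], flow[1]), (flow[2], flow[3])])
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{flow[4]}"


class StatefulFirewall:
    def __init__(self, name: str):
        self.name = name
        self.alive = True
        self.sessions: Set[str] = set()  # keyed by conversation, not direction

    def handle(self, flow: Flow, new_flow: bool) -> bool:
        conv = symmetric_key(flow)
        if new_flow:            # assume policy allows new client->server flows
            self.sessions.add(conv)
            return True
        return conv in self.sessions  # return traffic needs matching state


class ActiveActiveCluster:
    def __init__(self, nodes: List[StatefulFirewall],
                 key_func: Callable[[Flow], str], share_state: bool = False):
        self.nodes = nodes
        self.key_func = key_func
        self.share_state = share_state  # replicate sessions between active units

    def pick(self, flow: Flow) -> StatefulFirewall:
        """Hash the chosen key over the currently live units."""
        live = [n for n in self.nodes if n.alive]
        if not live:
            raise RuntimeError("no live firewalls")
        digest = hashlib.sha256(self.key_func(flow).encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]

    def send(self, flow: Flow, new_flow: bool) -> Tuple[str, bool]:
        node = self.pick(flow)
        ok = node.handle(flow, new_flow)
        if ok and new_flow and self.share_state:
            for peer in self.nodes:
                if peer is not node and peer.alive:
                    peer.sessions.add(symmetric_key(flow))
        return node.name, ok


def run_scenario(key_func: Callable[[Flow], str], share_state: bool,
                 fail_one: bool = False) -> dict:
    """32 clients open HTTPS sessions; then every server reply is sent back.
    Counts replies that reached a different unit than the request ('split')
    and replies the receiving unit accepted."""
    fw1, fw2 = StatefulFirewall("fw1"), StatefulFirewall("fw2")
    cluster = ActiveActiveCluster([fw1, fw2], key_func, share_state)
    flows: List[Flow] = [(f"10.0.0.{i}", 40000 + i, "198.51.100.20", 443, "tcp")
                         for i in range(1, 33)]  # constructed sample traffic
    forward_node = {f: cluster.send(f, new_flow=True)[0] for f in flows}
    if fail_one:
        fw1.alive = False  # one active unit dies; survivor takes everything
    split = accepted = 0
    for f in flows:
        node, ok = cluster.send(reverse(f), new_flow=False)
        split += node != forward_node[f]
        accepted += ok
    return {"total": len(flows), "split": split, "accepted": accepted}


if __name__ == "__main__":
    print("directional hash:         ", run_scenario(directional_key, False))
    print("symmetric hash:           ", run_scenario(symmetric_key, False))
    print("symmetric, fw1 fails:     ", run_scenario(symmetric_key, False, True))
    print("symmetric+shared, fails:  ", run_scenario(symmetric_key, True, True))
```

With the directional key every reply that lands on the other unit is dropped, so accepted equals total minus split. The symmetric key gives a split of zero. When a unit fails without shared state, the survivor accepts only the sessions it opened itself; with state sharing, the remaining firewall carries the whole load without dropping in-flight sessions, which is the behaviour the video describes.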