思科防火墙(ASA 5525-X)双机热备配置
注:本次实验设备型号为 ASA 5525-X;
系统版本: Cisco Adaptive Security Appliance Software Version 9.14(2)13
SSP Operating System Version 2.8(1.144)
Device Manager Version 7.15(1)150
一、为什么要做双机热备
1.提升网络的可靠性,避免单点故障;
2.对于防火墙而已,还启到备份会话表等一些状态信息;
3.负载均衡
二、双机热备形式
原理:防火墙的双机热备功能提供一条专门的备份通道,用于两台防火墙之间协商主备状态,以及会话等状态信息的备份;
双机热备主要包括:
A.主备备份:
指正常情况下只由“主设备”处理业务,“备设备”处于空闲状态;当“主设备”接口、链路、整机故障时,“备设备”切换为“主设备”,接替“主设备”处理业务。
B.负载均衡:
负载均衡也可以称为“互为主备”,即两台设备同时处理业务;当其中一台设备发生故障时,另外一台设备会立即承担其业务,保证原来需要通过这台设备转发的业务不中断。
三、配置
主设备配置如下:
ciscoasa(config)#failover
ciscoasa(config)#failover lan unit primary //确认主备设备,primary-主 secondary-备
ciscoasa(config)#failover lan interface Active GigabitEthernet0/1 //确认心跳接口,名字和接口不能敲错
ciscoasa(config)#failover link statelink GigabitEthernet0/3 //确认链路状态接口,名字和接口不能敲错
ciscoasa(config)#failover interface ip Active 1.1.1.1 255.255.255.252 standby 1.1.1.2 //确认心跳地址
ciscoasa(config)#failover interface ip statelink 2.2.2.1 255.255.255.252 standby 2.2.2.2 //确认链路状态地址
ciscoasa(config)# interface gigabitEthernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface gigabitEthernet 0/3
ciscoasa(config-if)# no shutdown
备设备配置如下:
ciscoasa(config)#failover
ciscoasa(config)#failover lan unit secondary
ciscoasa(config)#failover lan interface Active GigabitEthernet0/1
ciscoasa(config)#failover link statelink GigabitEthernet0/3
ciscoasa(config)#failover interface ip Active 1.1.1.1 255.255.255.252 standby 1.1.1.2
ciscoasa(config)#failover interface ip statelink 2.2.2.1 255.255.255.252 standby 2.2.2.2
ciscoasa(config)# interface gigabitEthernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface gigabitEthernet 0/3
ciscoasa(config-if)# no shutdown
四、验证
ciscoasa(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: Active GigabitEthernet0/1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 466 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.14(2)13, Mate 9.14(2)13
Serial Number: Ours XXXXXXXXXXX, Mate XXXXXXXXXX
Last Failover at: 20:14:31 UTC Mar 27 2021
This host: Primary - Active
Active time: 2606 (sec)
slot 0: ASA5525 hw/sw rev (3.0/9.14(2)13) status (Up Sys)
Interface inside (10.1.1.1): No Link (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
Other host: Secondary - Standby Ready
Active time: 19 (sec)
slot 0: ASA5525 hw/sw rev (3.1/9.14(2)13) status (Up Sys)
Interface inside (0.0.0.0): No Link (Waiting)
Interface management (0.0.0.0): No Link (Waiting)
Stateful Failover Logical Update Statistics
Link : statelink GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 321 0 319 1
sys cmd 319 0 319 1
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 2 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Umbrella Device-ID 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 25 2748
Xmit Q: 0 30 1766
真机状态图
当模拟主设备故障(上面设备断电),备设备(下面这台设备)自动将FAILOVER状态切换为主设备,原主设备(上面设备)再次上线,就作为备机运行,如果需要强制切换可以使用该命令:
ciscoasa(config)# failover active
Switching to Active
ciscoasa(config)#
4330
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
