Original source: ASA Active/Standby Failover Lab (http://blog.sina.com.cn/s/blog_4972b2ff0100g4l8.html), author: 卓一航 (repost)

Before configuring, note: firewall software 7.x introduced Multiple Context mode, in which different contexts can act as each other's backup, and extended failover with a new mode called Active/Active. These features raise the utilisation and throughput of the hardware (in Active/Standby mode only one unit actually carries traffic). Active/Active is currently supported only on the PIX and ASA platforms, and it requires multiple context mode; this lab uses single context mode and plain Active/Standby failover.


Topology:

[Figure: ASA Active/Standby Failover lab topology. SW1 VLAN 2 = inside (R1, ASA1 e0/0, ASA2 e0/0); SW1 VLAN 3 = outside (R2, ASA1 e0/1, ASA2 e0/1); e0/2 is the failover LAN link and e0/3 the state link between the two ASAs.]


Configuration:


SW1

--------------------

!
hostname SW1
!
interface FastEthernet0/2
description ASA1-e0/0
switchport access vlan 2
!
interface FastEthernet0/0
description R1-f0/0
switchport access vlan 2
!
interface FastEthernet0/3
description ASA2-e0/0
switchport access vlan 2

!

interface FastEthernet0/4
description ASA1-e0/1
switchport access vlan 3
!
interface FastEthernet0/1
description R2-f0/0
switchport access vlan 3

!

interface FastEthernet0/5
description ASA2-e0/1
switchport access vlan 3

!

-------------------------------------------


R1

-------------------------------

!
hostname R1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0

ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

-----------------------------------------


R2

-----------------------------

!
hostname R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0

ip address 172.16.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1

!

----------------------------


ASA1

-----------------------------------

!
hostname ASA1
!

// By default failover monitors every named interface (inside, outside). Each monitored interface needs both an active and a standby address so the two units can exchange interface hello packets (every 5 seconds by default, as the show failover output below confirms). Without a standby address the mate cannot be tested or reached on that interface, and an interface failure may not trigger a switchover:

!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.3
!
access-list 110 extended permit icmp any any log
access-group 110 in interface outside                      // permit the test traffic (ICMP from the outside) through; basic policy, nothing failover-specific
!
route outside 0.0.0.0 0.0.0.0 172.16.1.2

route inside 1.1.1.1 255.255.255.255 192.168.1.2
!
failover                                  // enable failover (Cisco's documented procedure enters this command last on the primary, after the failover link is defined)
failover lan unit primary                 // make ASA1 the primary unit; this is LAN-based failover over an Ethernet link
failover lan interface AA e0/2           // name the failover LAN link (AA) and bind it to e0/2
failover interface ip AA 10.0.0.1 255.255.255.0 standby 10.0.0.2  // active/standby addresses of the failover link; the same command must be entered on both units
// Caveat: everything on this link (configuration replication, which includes passwords and keys, and state sync) is sent unauthenticated and in cleartext unless a failover key is configured on both units. Set one, and keep the failover and state links on an isolated segment (dedicated switch/VLAN or a direct cable).
!
interface Ethernet0/2
description LAN Failover Interface   // the interface must be no shut, otherwise the failover link never comes up

no shut
!

// To reduce packet loss during a switchover and avoid clients having to re-establish sessions, configure stateful failover: the active unit replicates its connection and state tables to the standby. Cisco recommends a dedicated link for this (the state link can also share the failover LAN link, at the cost of its bandwidth). The following dedicates e0/3 to state replication (remember to no shutdown the interface first, as for e0/2):

!
failover link state e0/3
failover interface ip state 11.0.0.1 255.255.255.0 standby 11.0.0.2

!

---------------------------------


ASA2

---------------------------------------

!
failover
failover lan unit secondary               // make ASA2 the secondary unit
failover lan interface AA e0/2           // failover link: same name and interface as on ASA1
failover interface ip AA 10.0.0.1 255.255.255.0 standby 10.0.0.2  // identical to ASA1: both units must carry the same failover interface ip command
!
interface Ethernet0/2
description LAN Failover Interface  

no shut
!

-----------------------------------
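Before trusting the pair, audit both units' running configurations (show running-config on each unit, or failover exec mate show running-config from the active one). The Python script below is an added example and not part of the original post. It parses the two configurations (constructed here from the lab's ASA1 config; the extra SSH ACE on ASA2 and the unit names are assumptions for the demonstration) and reports the points that matter for a failover pair: failover enabled, exactly one primary and one secondary, identical failover link and state link settings on both units, a failover key on both (without it, configuration replication, which carries passwords and keys, and state sync cross the failover link unauthenticated and in cleartext), a standby address on every named interface, and any line present on one unit only, which is exactly the drift that results when someone configures the standby unit.

```python
# Added example: audit both units' running configurations of an ASA
# Active/Standby pair. The configs below are constructed from the lab's
# ASA1 config; the extra ACE on ASA2 is a made-up local change.
import re

IP_RE = re.compile(r"ip address (\S+) (\S+)(?: standby (\S+))?")
PER_UNIT_PREFIXES = ("failover lan unit",)            # may legitimately differ
LINK_PREFIXES = ("failover lan interface", "failover link", "failover interface ip")

ASA1_CONFIG = """\
hostname ASA1
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.3
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
access-list 110 extended permit icmp any any log
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.2
route inside 1.1.1.1 255.255.255.255 192.168.1.2
failover
failover lan unit primary
failover lan interface AA Ethernet0/2
failover link state Ethernet0/3
failover interface ip AA 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover interface ip state 11.0.0.1 255.255.255.0 standby 11.0.0.2
"""
# ASA2 got ASA1's config by replication; the ACE was then typed on the
# standby (constructed) and is never replicated back to the active unit.
ASA2_CONFIG = ASA1_CONFIG.replace(
    "failover lan unit primary", "failover lan unit secondary"
) + "access-list 110 extended permit tcp any any eq 22\n"


def parse_interfaces(cfg):
    """Map each nameif to (ip, standby_ip); standby_ip is None when absent."""
    result, block = {}, None
    for raw in cfg.splitlines() + ["!"]:          # trailing "!" flushes the last block
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if block and "nameif" in block:
                result[block["nameif"]] = (block.get("ip"), block.get("standby"))
            block = {} if line.startswith("interface ") else None
        elif block is not None:
            if line.startswith("nameif "):
                block["nameif"] = line.split()[1]
            elif m := IP_RE.match(line):
                block["ip"], block["standby"] = m.group(1), m.group(3)
    return result


def _lines(cfg, prefixes=None):
    """Non-empty config lines (stripped), optionally limited to given prefixes."""
    out = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line and line != "!" and (prefixes is None or line.startswith(prefixes)):
            out.append(line)
    return out


def audit_failover_pair(cfg_a, cfg_b, names=("unit A", "unit B")):
    """Return human-readable findings; an empty list means the pair is clean."""
    findings, roles = [], {}
    for name, cfg in zip(names, (cfg_a, cfg_b)):
        fo = _lines(cfg, ("failover",))
        if "failover" not in fo:
            findings.append(f"{name}: failover is not enabled")
        if not any(l.startswith("failover key") for l in fo):
            findings.append(f"{name}: no 'failover key'; replication and state sync cross "
                            "the failover link unauthenticated and in cleartext")
        unit = [l.split()[-1] for l in fo if l.startswith("failover lan unit ")]
        roles[name] = unit[0] if unit else None
        for ifname, (ip, standby) in parse_interfaces(cfg).items():
            if ip and not standby:
                findings.append(f"{name}: interface {ifname} ({ip}) has no standby "
                                "address, so the mate cannot be tested or reached on it")
    if sorted(r for r in roles.values() if r) != ["primary", "secondary"]:
        findings.append(f"unit roles are {roles}; need exactly one primary and one secondary")
    if set(_lines(cfg_a, LINK_PREFIXES)) != set(_lines(cfg_b, LINK_PREFIXES)):
        findings.append("failover link / state link settings differ between the units")
    # Drift: apart from the per-unit lines, the two configs must be identical.
    norm_a = {l for l in _lines(cfg_a) if not l.startswith(PER_UNIT_PREFIXES)}
    norm_b = {l for l in _lines(cfg_b) if not l.startswith(PER_UNIT_PREFIXES)}
    findings += [f"drift: only on {names[0]}: {l}" for l in sorted(norm_a - norm_b)]
    findings += [f"drift: only on {names[1]}: {l}" for l in sorted(norm_b - norm_a)]
    return findings


if __name__ == "__main__":
    for finding in audit_failover_pair(ASA1_CONFIG, ASA2_CONFIG, ("ASA1", "ASA2")):
        print(finding)
```

Run against the lab configs it reports three findings: no failover key on either unit, and the SSH ACE that exists only on ASA2. Adding failover key on both units and removing the standby-side ACE (or forcing a fresh sync with write standby on the active unit) brings the result to an empty list.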


Once the configuration is in place, ASA1 prints the following:

No Response from Mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

// ASA1 has become the active unit, pushed its configuration to the mate, and is ready to fail over


ASA2 prints:

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

// ASA2 has received the configuration and entered standby


At this point ASA1's entire configuration has been synchronized to ASA2, and any change made on ASA1 from now on is replicated to the standby firewall immediately. Replication is strictly one-way, from the active unit to the standby. The failover state can be checked with the following command:


---------------------------------------------

ASA1# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: AA Ethernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 03:43:08 UTC Apr 6 2008
This host: Primary - Active
Active time: 60 (sec)
Interface inside (192.168.1.1): Normal (Waiting)
Interface outside (172.16.1.1): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface inside (0.0.0.0): Normal (Waiting)
Interface outside (0.0.0.0): Normal (Waiting)


// ASA2's state can also be checked from ASA1 (failover exec runs a command on the mate):

ASA1# failover exec standby show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: AA Ethernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 03:27:05 UTC Apr 6 2008
This host: Secondary - Standby Ready

Active time: 0 (sec)
Interface inside (0.0.0.0): Normal (Waiting)
Interface outside (0.0.0.0): Normal (Waiting)
Other host: Primary - Active
Active time: 105 (sec)
Interface inside (192.168.1.1): Normal (Waiting)
Interface outside (172.16.1.1): Normal (Waiting)
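The two outputs above are what to watch after every change, so they are worth checking mechanically. The Python below is an added example and not from the original post: it parses show failover (the sample is a reconstruction of the ASA1 output above; the degraded variant with a failed mate and a version mismatch is constructed) and grades the pair. It deliberately treats Normal (Waiting) as a warning rather than a pass: Waiting means interface monitoring between the units has not started yet, which is consistent with the mate's interface addresses still showing as 0.0.0.0 above. On a working pair the steady state is Normal (Monitored); if Waiting persists, the two units' interfaces are usually not in the same broadcast domain (check the VLAN assignments on SW1). The same parser works on the output of failover exec standby show failover.

```python
# Added example: parse "show failover" and grade the pair's health.
# SAMPLE reconstructs the ASA1 output from the lab; DEGRADED is a
# constructed variant with a failed mate and mismatched software.
import re

SAMPLE = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: AA Ethernet0/2 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 03:43:08 UTC Apr 6 2008
        This host: Primary - Active
                Active time: 60 (sec)
                Interface inside (192.168.1.1): Normal (Waiting)
                Interface outside (172.16.1.1): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface inside (0.0.0.0): Normal (Waiting)
                Interface outside (0.0.0.0): Normal (Waiting)
"""
DEGRADED = SAMPLE.replace("Other host: Secondary - Standby Ready",
                          "Other host: Secondary - Failed").replace("Mate 8.0(3)", "Mate 8.0(4)")

HEALTHY_STATES = {"Active", "Standby Ready"}


def parse_show_failover(text):
    """Return a dict with the fields that decide whether the pair is healthy."""
    st = {"interfaces": {"this": {}, "other": {}}}
    side = None                                  # which host block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Failover (On|Off)$", line):
            st["enabled"] = m.group(1) == "On"
        elif m := re.match(r"Failover unit (\w+)", line):
            st["unit"] = m.group(1)
        elif m := re.match(r"Interface Poll frequency (\d+) seconds, holdtime (\d+) seconds", line):
            st["if_poll"], st["if_hold"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"Monitored Interfaces (\d+) of (\d+)", line):
            st["monitored"] = int(m.group(1))
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            st["version_ours"], st["version_mate"] = m.group(1), m.group(2)
        elif m := re.match(r"(This|Other) host: (\w+) - (.+)", line):
            side = m.group(1).lower()            # "this" or "other"
            st[side] = {"role": m.group(2), "state": m.group(3).strip()}
        elif (m := re.match(r"Interface (\S+) \((\S+)\): (\w+) \(([^)]*)\)", line)) and side:
            st["interfaces"][side][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "detail": m.group(4)}
    return st


def check_failover(st):
    """Return (severity, message) pairs: 'fail' needs action, 'warn' a second look."""
    out = []
    if not st.get("enabled"):
        out.append(("fail", "failover is Off"))
    this, other = st.get("this", {}), st.get("other", {})
    for label, host in (("this host", this), ("mate", other)):
        if host.get("state") not in HEALTHY_STATES:
            out.append(("fail", f"{label} state is {host.get('state')!r}"))
    if this.get("state") == other.get("state") == "Active":
        out.append(("fail", "both units are Active (split brain: check the failover link)"))
    if st.get("version_ours") != st.get("version_mate"):
        out.append(("fail", f"software mismatch: ours {st.get('version_ours')}, "
                            f"mate {st.get('version_mate')}"))
    if not st.get("monitored"):
        out.append(("fail", "no interfaces are monitored; interface failures will not trigger a switchover"))
    for side, ifs in st["interfaces"].items():
        for name, i in ifs.items():
            if i["status"] != "Normal":
                out.append(("fail", f"{side} host interface {name} is {i['status']} ({i['detail']})"))
            elif i["detail"] == "Waiting":
                out.append(("warn", f"{side} host interface {name}: mate's hellos not seen yet; "
                                    "expect Normal (Monitored) once both units exchange hellos"))
    return out


if __name__ == "__main__":
    for sev, msg in check_failover(parse_show_failover(SAMPLE)):
        print(sev.upper(), msg)
```

On the lab output this yields four warnings (all four interfaces still Waiting) and no failures; on the degraded variant it fails on the mate's state and on the version mismatch. The parsed holdtime (25 seconds here) is also the number to keep in mind when reading the ping test below: a silent interface is not declared failed before it expires.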


// Once failover is deployed, only the active unit is actually in service. Configuring on the standby unit produces the warning below (this is ASA2; its hostname shows as ASA1 because the hostname was replicated along with the rest of the configuration). Anything entered on the standby is not replicated to the active unit, so the two configurations silently diverge until the next full sync (for example write standby on the active unit):
ASA1# conf t
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.


-------------------------------------------


Test:

-------------------------------------

R2#ping 1.1.1.1 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!...................!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


// The lost packets in the middle are from when I shut down port F0/2 on SW1: ASA1's inside interface lost link, ASA2 switched itself to Active, and traffic moved to ASA2. With a 2-second ping timeout the run of dots amounts to tens of seconds of loss, consistent with the 5-second interface poll and 25-second holdtime shown in show failover plus the interface tests a unit runs before declaring an interface failed; failover polltime interface can shorten that window, at the price of more sensitivity to transient faults.