Firewall Failover
I. Failover concepts:
1. Failover link: also called the heartbeat link. Each unit in a failover pair uses it to decide its own state: hello messages, the active/standby role, network link status, MAC address exchange and configuration replication all cross this link. There are two kinds: a dedicated failover cable (serial, PIX only) and a LAN-based link over an Ethernet interface.
2. Stateful failover link: the state link, over which the active unit continuously replicates connection state to the standby unit, so that established sessions survive a switchover. Its bandwidth must be at least that of the data interfaces whose state it carries. Three choices: a dedicated Ethernet interface, sharing the LAN-based failover link, or sharing a data interface (not recommended). Everything on the failover and stateful links, including the replicated configuration with its secrets, is sent in cleartext unless a failover key is configured on both units, so the link belongs on a dedicated, isolated VLAN or a direct cable, never on a user-reachable segment.
3. Failover topologies: two kinds, cable-based and LAN-based.
II. Lab topology:
III. Lab configuration:
FW5(config)# activation-key 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57 (install the Unrestricted (UR) activation key; a Restricted license does not support failover)
1. LAN-based Active/Standby mode
FW5 (primary/active unit)
FW5(config)# failover link bluefox e3 (designate e3 as the stateful failover link, logical name bluefox)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (address the failover link; the standby unit uses the standby address)
FW5(config)# interface e3 (bring up the failover interface)
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# failover lan enable (enable LAN-based failover)
FW5(config)# failover lan unit primary (designate this unit as primary)
FW5(config)# failover lan interface bluefox e3 (designate the failover LAN interface; here it shares e3 with the stateful link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (already set above; one address pair serves both links when they share an interface)
FW5(config)# failover (enable failover)
FW5(config)# interface e0
FW5(config-if)# nameif outside
FW5(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# interface e1
FW5(config-if)# nameif inside
FW5(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# interface e2
FW5(config-if)# nameif dmz
FW5(config-if)# security-level 50
FW5(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6
FW5(config-if)# no sh
FW5(config-if)# exit
FW6 (secondary/standby unit)
FW6(config)# interface e3 (bring up the failover interface)
FW6(config-if)# no sh
FW6(config-if)# exit
FW6(config)# failover lan enable (enable LAN-based failover)
FW6(config)# failover lan unit secondary (designate this unit as secondary)
FW6(config)# failover lan interface bluefox e3 (designate the failover LAN interface)
FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (same address pair as on FW5)
FW6(config)# failover (enable failover; once the link comes up the secondary pulls the rest of its configuration, including the data interfaces and their standby addresses, from the active unit)
Test and analysis:
(show failover output captured on FW5, on FW6, and again on FW5; the screenshots are not reproduced here)
The captures show FW5 as the primary/active unit and FW6 as the secondary/standby unit.
A switchover is then forced manually on FW6 (`failover active` issued on the standby unit); FW6 becomes the active unit.
FW6 is then switched back to standby (`failover active` on FW5, or `no failover active` on FW6).
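The lab records the pair's state only as screenshots of `show failover`. As an added example (not from the original page), the following Python reduces `show failover` output to a structured record and flags the conditions worth alerting on: failover disabled, software version mismatch between mates, a unit that is neither Active nor Standby Ready, a monitored interface that is not Normal, and the primary unit no longer being active, which is exactly the state the manual switchover above produces. The two captures are constructed to match this lab (FW5 primary, FW6 secondary, link bluefox on Ethernet3) and follow the PIX 7.x / ASA output layout; the timestamps and uptimes are made up.

```python
"""Health check over `show failover` output from a PIX/ASA Active/Standby pair.

Added example, not part of the original lab page. Field names follow the
PIX 7.x / ASA `show failover` layout; both captures below are constructed to
match the lab (FW5 primary, FW6 secondary, failover link "bluefox" on Ethernet3).
"""
import re

# Constructed capture: taken on FW5 while it is the active unit, pair healthy.
SHOW_FAILOVER_FW5 = """\
Failover On
Failover unit Primary
Failover LAN Interface: bluefox Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.0(1), Mate 7.0(1)
Last Failover at: 10:21:03 UTC Jun 1 2008
        This host: Primary - Active
                Active time: 3610 (sec)
                  Interface outside (192.168.7.5): Normal
                  Interface inside (192.168.5.5): Normal
                  Interface dmz (192.168.8.5): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.168.7.6): Normal
                  Interface inside (192.168.5.6): Normal
                  Interface dmz (192.168.8.6): Normal
Stateful Failover Logical Update Statistics
        Link : bluefox Ethernet3 (up)
"""

# Constructed capture: taken on FW6 after FW5 lost its inside interface and
# FW6 took over. Note the active addresses (.5) have moved to FW6.
SHOW_FAILOVER_FW6 = """\
Failover On
Failover unit Secondary
Failover LAN Interface: bluefox Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.0(1), Mate 7.0(1)
Last Failover at: 10:58:40 UTC Jun 1 2008
        This host: Secondary - Active
                Active time: 95 (sec)
                  Interface outside (192.168.7.5): Normal
                  Interface inside (192.168.5.5): Normal
                  Interface dmz (192.168.8.5): Normal
        Other host: Primary - Failed
                Active time: 3610 (sec)
                  Interface outside (192.168.7.6): Normal
                  Interface inside (192.168.5.6): Failed (Waiting)
                  Interface dmz (192.168.8.6): Normal
"""

ENABLED_RE = re.compile(r"^Failover (On|Off)\s*$", re.M)
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)", re.M)
UNIT_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(.+?)\s*$")


def parse_show_failover(text):
    """Reduce the CLI output to: enabled flag, (ours, mate) versions, and per-unit
    role, state and monitored-interface status keyed by "this"/"other"."""
    enabled = ENABLED_RE.search(text)
    version = VERSION_RE.search(text)
    parsed = {
        "enabled": bool(enabled) and enabled.group(1) == "On",
        "versions": version.groups() if version else (None, None),
        "units": {},
    }
    current = None
    for line in text.splitlines():
        unit = UNIT_RE.match(line)
        if unit:
            which, role, state = unit.groups()
            current = {"role": role, "state": state, "interfaces": {}}
            parsed["units"][which.lower()] = current
            continue
        iface = IFACE_RE.match(line)
        if iface and current is not None:   # interface lines belong to the last unit seen
            name, ip, status = iface.groups()
            current["interfaces"][name] = {"ip": ip, "status": status}
    return parsed


def failover_findings(parsed):
    """Return human-readable problems; an empty list means the pair is healthy and in
    its designed state (primary active, secondary Standby Ready, all interfaces Normal)."""
    if not parsed["enabled"]:
        return ["failover is disabled"]
    findings = []
    ours, mate = parsed["versions"]
    if ours != mate:
        findings.append(f"software version mismatch: ours {ours}, mate {mate}")
    units = parsed["units"]
    if "other" not in units:
        findings.append("mate unit not reported")
    if not any(u["state"] == "Active" for u in units.values()):
        findings.append("no active unit")
    for which, unit in units.items():
        if unit["state"] not in ("Active", "Standby Ready"):
            findings.append(f"{which} host ({unit['role']}) is {unit['state']}")
        for name, iface in unit["interfaces"].items():
            if iface["status"] != "Normal":
                findings.append(f"{which} host interface {name} is {iface['status']}")
    for unit in units.values():   # role/state inversion: a switchover happened or was forced
        if unit["role"] == "Primary" and unit["state"] != "Active":
            findings.append(f"primary unit is not active ({unit['state']}): "
                            "a failover has happened or was forced")
    return findings


if __name__ == "__main__":
    for label, capture in (("FW5", SHOW_FAILOVER_FW5), ("FW6", SHOW_FAILOVER_FW6)):
        problems = failover_findings(parse_show_failover(capture))
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The "primary not active" finding is deliberately separate from the per-unit state check: after a clean manual switchover both units are still Active / Standby Ready, and only the role inversion tells an operator that a failover event occurred and that preemption or a manual switch back is still outstanding.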
Full configuration of each device:
FW5
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6
interface Ethernet3
description LAN/STATE Failover Interface
access-list 100 extended permit ip any any (lab only: applied inbound on outside and dmz below, this lets every packet through the firewall)
failover
failover lan unit primary
failover lan interface bluefox Ethernet3
failover lan enable
failover link bluefox Ethernet3
failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6
access-group 100 in interface outside
access-group 100 in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.7.7 1
route inside 192.168.10.0 255.255.255.0 192.168.5.100 1
route inside 192.168.20.0 255.255.255.0 192.168.5.100 1
route dmz 192.168.30.0 255.255.255.0 192.168.8.4 1
route dmz 192.168.40.0 255.255.255.0 192.168.8.4 1
SW1
spanning-tree vlan 1 priority 0
spanning-tree vlan 10 priority 0
spanning-tree vlan 20 priority 0
interface Port-channel1
switchport mode trunk
interface FastEthernet1/1
switchport access vlan 5
interface FastEthernet1/2
switchport access vlan 6
interface FastEthernet1/3
switchport mode trunk
channel-group 1 mode on
interface FastEthernet1/4
switchport mode trunk
channel-group 1 mode on
interface FastEthernet1/5
switchport trunk allowed vlan 1-4,7-1005
switchport mode trunk
interface Vlan5
ip address 192.168.5.1 255.255.255.0
standby 5 ip 192.168.5.100
standby 5 priority 120
standby 5 preempt
standby 5 track FastEthernet1/5 50
interface Vlan6
ip address 192.168.6.1 255.255.255.0
interface Vlan10
ip address 192.168.10.1 255.255.255.0
standby 10 ip 192.168.10.100
standby 10 priority 120
standby 10 preempt
standby 10 track FastEthernet1/1 50
interface Vlan20
ip address 192.168.20.1 255.255.255.0
standby 20 ip 192.168.20.100
standby 20 priority 120
standby 20 preempt
standby 20 track FastEthernet1/1 50
ip route 0.0.0.0 0.0.0.0 192.168.5.5
SW2
spanning-tree vlan 1 priority 4096
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface Port-channel1
switchport mode trunk
interface FastEthernet1/1
switchport access vlan 5
interface FastEthernet1/2
switchport access vlan 6
interface FastEthernet1/3
switchport mode trunk
channel-group 1 mode on
interface FastEthernet1/4
switchport mode trunk
channel-group 1 mode on
interface FastEthernet1/5
switchport trunk allowed vlan 1-4,7-1005
switchport mode trunk
interface Vlan5
ip address 192.168.5.2 255.255.255.0
standby 5 ip 192.168.5.100
standby 5 preempt
interface Vlan6
ip address 192.168.6.2 255.255.255.0
interface Vlan10
ip address 192.168.10.2 255.255.255.0
standby 10 ip 192.168.10.100
standby 10 preempt
interface Vlan20
ip address 192.168.20.2 255.255.255.0
standby 20 ip 192.168.20.100
standby 20 preempt
ip route 0.0.0.0 0.0.0.0 192.168.5.5
SW3
interface FastEthernet1/1
switchport mode trunk
interface FastEthernet1/2
switchport mode trunk
interface FastEthernet1/3
switchport access vlan 10
interface FastEthernet1/4
switchport access vlan 20
SW4
interface FastEthernet1/1
switchport access vlan 7
interface FastEthernet1/2
switchport access vlan 7
interface FastEthernet1/3
switchport access vlan 30
interface FastEthernet1/4
switchport access vlan 40
interface Vlan7
ip address 192.168.8.4 255.255.255.0
interface Vlan30
ip address 192.168.30.1 255.255.255.0
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.7.5
ip route 0.0.0.0 0.0.0.0 192.168.8.5
R7
interface Loopback0
ip address 202.103.96.112 255.255.255.0
interface Ethernet0/0
ip address 192.168.7.7 255.255.255.0
ip route 192.168.0.0 255.255.0.0 192.168.7.5
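A failover pair is only as good as the configuration that gets replicated, and the FW5 running-config above is missing one thing a production pair should have: a `failover key`, without which the replicated configuration and connection state cross the bluefox link in cleartext. As an added example (not from the original page), the following Python lints a PIX/ASA running-config for failover readiness: failover enabled, a failover LAN interface that is not shut down, a stateful link, a failover key, a standby address on every named data interface, and no data interface doubling as the failover link. LAB_FW5_CONFIG is the FW5 configuration listed above with the one-space indentation a real running-config shows; the key value in the hardened variant is a placeholder, not a real secret.

```python
"""Failover-readiness lint for a PIX/ASA running-config.

Added example, not part of the original lab page. LAB_FW5_CONFIG is the FW5
configuration from the lab (indented as a running-config prints it); the
`failover key` in HARDENED_FW5_CONFIG is a placeholder value.
"""

LAB_FW5_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6
interface Ethernet3
 description LAN/STATE Failover Interface
access-list 100 extended permit ip any any
failover
failover lan unit primary
failover lan interface bluefox Ethernet3
failover lan enable
failover link bluefox Ethernet3
failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6
access-group 100 in interface outside
access-group 100 in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.7.7 1
"""

# Same config with the missing piece added (placeholder key, not a real secret).
HARDENED_FW5_CONFIG = LAB_FW5_CONFIG + "failover key Lab-Placeholder-Key\n"


def parse_config(text):
    """Split a config into top-level commands and {interface: [sub-commands]}."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # indented line: belongs to the open interface block
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        current = None                    # any column-0 line closes the block
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        else:
            top.append(raw.strip())
    return top, interfaces


def _link_interface(top, prefix, fallback=None):
    """Physical interface named by `<prefix> <name> [<interface>]`; None if the
    command is absent, `fallback` if it names only the logical link."""
    for cmd in top:
        if cmd.startswith(prefix):
            rest = cmd[len(prefix):].split()
            return rest[1] if len(rest) > 1 else fallback
    return None


def lint_failover_config(text):
    """Return a list of findings; an empty list means the unit is ready to pair."""
    findings = []
    top, interfaces = parse_config(text)
    if "failover" not in top:
        findings.append("failover is not enabled")
    lan_if = _link_interface(top, "failover lan interface ")
    state_if = _link_interface(top, "failover link ", fallback=lan_if)
    if lan_if is None:
        findings.append("no failover lan interface: LAN-based failover cannot come up")
    elif "shutdown" in interfaces.get(lan_if, []):
        findings.append(f"failover interface {lan_if} is shut down")
    if state_if is None:
        findings.append("no stateful failover link: established connections drop on switchover")
    if not any(cmd.startswith("failover key ") for cmd in top):
        findings.append("no failover key: configuration and state replicate in cleartext")
    for name, cmds in interfaces.items():
        nameif = next((c.split()[1] for c in cmds if c.startswith("nameif ")), None)
        if nameif is None:
            continue                     # unnamed interface: not a data interface
        if name in (lan_if, state_if):
            findings.append(f"{name} is both data interface '{nameif}' and the failover link")
        if not any(c.startswith("ip address ") and " standby " in c for c in cmds):
            findings.append(f"{name} ({nameif}) has no standby IP: it can only be "
                            "monitored by link state, not by hello/ARP tests")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_FW5_CONFIG), ("hardened", HARDENED_FW5_CONFIG)):
        print(f"{label}: {lint_failover_config(cfg) or 'ready'}")
```

Run it against a config pulled with `show running-config` before enabling `failover` on the secondary: anything it reports on the primary will be replicated to the secondary as-is once the pair forms.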
2. LAN-based Active/Active mode
Active/Active failover requires multiple context mode: the pair is divided into two failover groups, each group is active on one unit, and every security context is assigned to a group. A context can only be created in multiple mode, and a single context cannot be Active/Active by itself; with only bluefox the pair still behaves as Active/Standby until a second context is joined to group 2.
FW5 (primary unit)
FW5(config)# mode multiple (switch to multiple context mode; the unit reloads and creates the system execution space and an admin context)
FW5(config)# failover link bluefox e3 (designate the stateful failover link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (address the failover link)
FW5(config)# interface e3 (bring up the failover interface in the system execution space)
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# failover lan enable (enable LAN-based failover)
FW5(config)# failover lan unit primary (designate this unit as primary)
FW5(config)# failover lan interface bluefox e3 (designate the failover LAN interface; it may share the stateful link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (already set above when the two links share one interface)
The following is where Active/Active differs from Active/Standby:
FW5(config)# failover group 1 (create failover group 1)
FW5(config-fover-group)# primary (group 1 is active on the primary unit)
FW5(config-fover-group)# preempt (the group returns to its preferred unit when that unit recovers)
FW5(config-fover-group)# exit
FW5(config)# failover group 2
FW5(config-fover-group)# secondary (group 2 is active on the secondary unit)
FW5(config-fover-group)# preempt
FW5(config-fover-group)# exit
FW5(config)# context bluefox (create the security context)
FW5(config-ctx)# allocate-interface Ethernet0 (give the context its data interfaces)
FW5(config-ctx)# allocate-interface Ethernet1
FW5(config-ctx)# allocate-interface Ethernet2
FW5(config-ctx)# config-url flash:/bluefox.cfg (where the context configuration is stored; the file name is a lab choice)
FW5(config-ctx)# join-failover-group 1 (assign the context to group 1; a context joined to group 2 would instead be active on FW6)
FW5(config-ctx)# exit
FW5(config)# failover
In multiple mode the system execution space only enables the physical ports; nameif and addressing are done inside the context:
FW5(config)# interface e0
FW5(config-if)# no sh
FW5(config-if)# interface e1
FW5(config-if)# no sh
FW5(config-if)# interface e2
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# changeto context bluefox
FW5/bluefox(config)# interface e0
FW5/bluefox(config-if)# nameif outside
FW5/bluefox(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6
FW5/bluefox(config-if)# exit
FW5/bluefox(config)# interface e1
FW5/bluefox(config-if)# nameif inside
FW5/bluefox(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6
FW5/bluefox(config-if)# exit
FW5/bluefox(config)# interface e2
FW5/bluefox(config-if)# nameif dmz
FW5/bluefox(config-if)# security-level 50
FW5/bluefox(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6
FW5/bluefox(config-if)# exit
FW5/bluefox(config)# changeto system
FW6 (secondary unit)
FW6(config)# mode multiple (both units must run in the same context mode before they can pair)
FW6(config)# interface e3 (bring up the failover interface)
FW6(config-if)# no sh
FW6(config-if)# exit
FW6(config)# failover lan enable (enable LAN-based failover)
FW6(config)# failover lan unit secondary (designate this unit as secondary)
FW6(config)# failover lan interface bluefox e3 (designate the failover LAN interface)
FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6
FW6(config)# failover (enable failover; the failover groups, contexts and interface configuration replicate from FW5)
3. Cable-based Active/Standby mode (PIX only; cable-based failover supports Active/Standby only, and which unit is primary is determined by the end of the serial failover cable it is plugged into, so no `failover lan` commands are needed)
FW5(config)# failover link bluefox e3 (designate the stateful failover link; with a serial cable the state link needs an Ethernet interface of its own)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (address the stateful link)
FW5(config)# interface e3 (bring up the stateful link interface)
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# failover (enable failover)
Optional configuration:
FW5(config)# failover replication http (also replicate HTTP connection state; HTTP sessions are not replicated by default)
FW5(config)# monitor-interface <if_name> (add an interface to failover health monitoring; physical interfaces are monitored by default, and no monitor-interface excludes one)
FW5(config)# failover polltime interface <seconds> [holdtime <seconds>] (interface hello interval and the time without hellos before the interface is declared failed)
FW5(config)# failover polltime [unit] <seconds> [holdtime <seconds>] (unit hello interval and hold time; the hold time must be at least three times the poll interval)
FW5(config)# interface e0
FW5(config-if)# nameif outside
FW5(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# interface e1
FW5(config-if)# nameif inside
FW5(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6
FW5(config-if)# no sh
FW5(config-if)# exit
FW5(config)# interface e2
FW5(config-if)# nameif dmz
FW5(config-if)# security-level 50
FW5(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6
FW5(config-if)# no sh
FW5(config-if)# exit