FWSM FAILOVER Test Configuration Template (FWSM FAILOVER测试配置模版.docx)

Uploaded by: b****6  Document ID: 5008857  Uploaded: 2022-12-12  Format: DOCX  Pages: 13  Size: 43.11KB

-- FWSM architecture:

The module's internal architecture consists mainly of dual Intel Pentium III processors, three IBM network processors (NPs), and the corresponding ASICs.

NP1 and NP2 each have three GE links to the Catalyst 6500/7600 switch fabric or backplane bus, which automatically form a 6 Gbps 802.1Q trunking EtherChannel.

-- C6K + FWSM:

To the Catalyst 6500, the FWSM is effectively an external high-performance PIX firewall attached through six GE links.

Session-based load balancing of traffic across the six GE links can be configured on the Catalyst 6500.

The required Catalyst 6500 configuration is SUP2/MSFC2 running Native IOS 12.1(13)E or later.

It delivers up to 3 Mpps throughput with 64-byte packets, up to 5 Gbps bandwidth with 1518-byte packets, 100 VLAN interfaces, 128K ACL entries, LAN failover, and more.

Switch VLANs 2-4, 300-301 and 600 are used as the firewall's virtual interfaces:

VLAN interface   Security level or purpose
2                80
3                50
4                50
300              FAILOVER interface
301              STATEFUL FAILOVER interface
600              0

show run
Building configuration...

Current configuration : 12437 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bb6506-1
!
boot system flash sup-bootflash:
logging snmp-authfail
enable secret 5 $1$//Gz$SjNb0DKiUKWHUSruk1FZs.
!
clock timezone PDT -7
! assign the firewall module its VLAN group
firewall module 2 vlan-group 10
firewall vlan-group 10 2-4,300,301,600
ip subnet-zero
no ip domain-lookup
mpls ldp logging neighbor-changes
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
diagnostic cns publish s.device.diag_results
diagnostic cns subscribe s.device.diag_commands
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
! Port-channel used as the FIREWALL-FAILOVER connection (preferably bundle 4-6 GE ports)
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet6/1
 no ip address
 switchport
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet6/2
 no ip address
 switchport
 switchport access vlan 2
 switchport mode access
!
! only two ports were bundled in the test
interface GigabitEthernet6/3
 no ip address
 switchport
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet6/4
 no ip address
 switchport
 switchport mode trunk
 channel-group 1 mode on
!
! connects to the firewall OUTSIDE interface
interface Vlan600
 ip address 10.130.1.2 255.255.255.240
 standby 255 ip 10.130.1.1
 standby 255 priority 110
 standby 255 preempt
!
router rip
 version 2
 redistribute static
 network 10.0.0.0
!
ip classless
! static routes toward the firewall
ip route 10.130.2.0 255.255.255.0 10.130.1.4
ip route 10.130.3.0 255.255.255.0 10.130.1.4
ip route 10.130.4.0 255.255.255.0 10.130.1.4
no ip http server
snmp-server community shanghai RO
snmp-server community topsecret RW
!
dial-peer cor custom
!
line con 0
line vty 0 4
 password cisco
 login
!
end

bb6506-1#show firewall vlan-group
Group    vlans
-----    -----
10       2-4,300-301,600

bb6506-1#show firewall module 2 traffic
Firewall module 2:
Specified interface is up (connected) line protocol is up
  Hardware is EtherChannel, address is 0001.c9df.7b7d (bia 0001.c9df.7b7d)
  MTU 1500 bytes, BW 6000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi2/1 Gi2/2 Gi2/3 Gi2/4 Gi2/5 Gi2/6
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 3000 bits/sec, 5 packets/sec
     3842 packets input, 308227 bytes, 0 no buffer
     Received 84 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     13174 packets output, 1220828 bytes, 0 underruns
     0 output errors, 0 collisions, 6 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

bb6506-1#show firewall module 2 state
Firewall module 2:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 2-4,300,301,600
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 2-4,300-301,600
Vlans allowed and active in management domain: 2-4,300-301,600
Vlans in spanning tree forwarding state and not pruned: 2-4,300-301,600

FWSM# show run
FWSM Version 2.3(1)
! test VLAN interfaces (firewall interfaces matching the switch VLANs)
nameif vlan2 vlan2inter security80
nameif vlan3 vlan3inter security50
nameif vlan4 vlan4inter security50
nameif vlan600 outside security0
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
! allow traffic between VLAN interfaces at the same security level
same-security-traffic permit inter-interface
access-list deny-flow-max 4096
access-list alert-interval 300
! ACLs
access-list vlan2inter extended permit ip any any
access-list vlan3inter extended permit ip any any
access-list vlan4inter extended permit ip any any
access-list outin extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu vlan2inter 1500
mtu vlan3inter 1500
mtu vlan4inter 1500
mtu outside 1500
! interface IP addresses and FAILOVER (standby) addresses
ip address vlan2inter 10.130.2.1 255.255.255.0 standby 10.130.2.2
ip address vlan3inter 10.130.3.1 255.255.255.0 standby 10.130.3.2
ip address vlan4inter 10.130.4.1 255.255.255.0 standby 10.130.4.2
ip address outside 10.130.1.4 255.255.255.0 standby 10.130.1.5
! FAILOVER parameters follow; VLAN 301 is the STATEFUL link
failover
failover lan unit primary
failover lan interface faillink vlan300
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover replication http
failover link state vlan301
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover interface ip state 192.168.253.5 255.255.255.252 standby 192.168.253.6
monitor-interface vlan2inter
monitor-interface vlan3inter
monitor-interface vlan4inter
icmp permit any vlan2inter
icmp permit any vlan3inter
icmp permit any vlan4inter
icmp permit any outside
no pdm history enable
arp timeout 14400
! no NAT translation
nat (vlan2inter) 0 0.0.0.0 0.0.0.0
nat (vlan3inter) 0 0.0.0.0 0.0.0.0
nat (vlan4inter) 0 0.0.0.0 0.0.0.0
! identity address mappings for traffic from lower to higher security levels
static (vlan2inter,vlan3inter) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (vlan2inter,vlan4inter) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (vlan2inter,outside) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (vlan3inter,outside) 10.130.3.0 10.130.3.0 netmask 255.255.255.0
static (vlan4inter,outside) 10.130.4.0 10.130.4.0 netmask 255.255.255.0

Apply the policies to each interface. Note that VLAN interfaces passing traffic from a higher security level to a lower one also need an ACL: by default, with no ACL applied, no interfaces can communicate with each other at all (unlike PIX).

access-group vlan2inter in interface vlan2inter
access-group vlan3inter in interface vlan3inter
access-group vlan4inter in interface vlan4inter
access-group outside in interface outside
!
route outside 0.0.0.0 0.0.0.0 10.130.1.11
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 vlan2inter
fragment chain 24 vlan2inter
fragment size 200 vlan3inter
fragment chain 24 vlan3inter
fragment size 200 vlan4inter
fragment chain 24 vlan4inter
fragment size 200 outside
fragment chain 24 outside
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
no gdb enable
Cryptochecksum:476b6572fa758276de30eb06be518dd9
end
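The switch-side and FWSM-side configurations above have to agree with each other before a failover test means anything: the VLANs the FWSM names must be in the firewall vlan-group, the failover and stateful VLANs must be dedicated, every interface needs an inbound access-group (the default-deny note above), and an interface can only be monitored if it has a standby address. The script below is an added example in Python, not part of the template or of any Cisco tooling; it runs on constructed excerpts of the two 'show run' outputs on this page, and the function names (`firewall_vlans`, `parse_fwsm`, `check_failover_config`) are the example's own.

```python
"""Consistency check between the Catalyst 'show run' and the FWSM 'show run'.
Added example; the sample configs are constructed excerpts of the ones on this
page and the function names are the example's own. Invariants checked: FWSM
VLANs are in the firewall vlan-group, failover VLANs are dedicated, every
interface has an inbound access-group, every monitored interface has a standby.
"""
import re

SWITCH_CONFIG = """\
firewall module 2 vlan-group 10
firewall vlan-group 10 2-4,300,301,600
"""

FWSM_CONFIG = """\
nameif vlan2 vlan2inter security80
nameif vlan3 vlan3inter security50
nameif vlan4 vlan4inter security50
nameif vlan600 outside security0
ip address vlan2inter 10.130.2.1 255.255.255.0 standby 10.130.2.2
ip address vlan3inter 10.130.3.1 255.255.255.0 standby 10.130.3.2
ip address vlan4inter 10.130.4.1 255.255.255.0 standby 10.130.4.2
ip address outside 10.130.1.4 255.255.255.0 standby 10.130.1.5
failover lan interface faillink vlan300
failover link state vlan301
monitor-interface vlan2inter
monitor-interface vlan3inter
monitor-interface vlan4inter
access-group vlan2inter in interface vlan2inter
access-group vlan3inter in interface vlan3inter
access-group vlan4inter in interface vlan4inter
access-group outside in interface outside
"""


def expand_vlan_list(spec):
    """'2-4,300,301,600' -> {2, 3, 4, 300, 301, 600}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def firewall_vlans(switch_config):
    """VLANs the switch hands to the firewall module through its vlan-group(s)."""
    groups, module_groups = {}, set()
    for line in switch_config.splitlines():
        if m := re.match(r"firewall vlan-group (\d+) (\S+)", line):
            groups[m.group(1)] = expand_vlan_list(m.group(2))
        elif m := re.match(r"firewall module \d+ vlan-group (\S+)", line):
            module_groups.update(m.group(1).split(","))
    return set().union(*(groups.get(g, set()) for g in module_groups))


def parse_fwsm(fwsm_config):
    """Interface VLANs, standby addresses, monitored interfaces, ACL bindings, failover VLANs."""
    fw = {"vlan_of": {}, "standby": set(), "monitored": set(),
          "acl_bound": set(), "failover_vlans": set()}
    for line in fwsm_config.splitlines():
        if m := re.match(r"nameif vlan(\d+) (\S+) security\d+", line):
            fw["vlan_of"][m.group(2)] = int(m.group(1))
        elif m := re.match(r"ip address (\S+) \S+ \S+ standby \S+", line):
            fw["standby"].add(m.group(1))
        elif m := re.match(r"monitor-interface (\S+)", line):
            fw["monitored"].add(m.group(1))
        elif m := re.match(r"access-group \S+ in interface (\S+)", line):
            fw["acl_bound"].add(m.group(1))
        elif m := re.match(r"failover (?:lan interface|link) \S+ vlan(\d+)", line):
            fw["failover_vlans"].add(int(m.group(1)))
    return fw


def check_failover_config(switch_config, fwsm_config):
    """Return a list of findings; an empty list means the two configs agree."""
    allowed = firewall_vlans(switch_config)
    fw = parse_fwsm(fwsm_config)
    findings = []
    for name, vlan in fw["vlan_of"].items():
        if vlan not in allowed:
            findings.append(f"interface {name} uses VLAN {vlan} not in firewall vlan-group")
        if name not in fw["acl_bound"]:
            findings.append(f"interface {name} has no inbound access-group")
    for vlan in sorted(fw["failover_vlans"]):
        if vlan not in allowed:
            findings.append(f"failover VLAN {vlan} not in firewall vlan-group")
        if vlan in fw["vlan_of"].values():
            findings.append(f"failover VLAN {vlan} is also a data interface VLAN")
    for name in sorted(fw["monitored"] - fw["standby"]):
        findings.append(f"monitored interface {name} has no standby address")
    return findings


if __name__ == "__main__":
    print("\n".join(check_failover_config(SWITCH_CONFIG, FWSM_CONFIG) or ["configuration consistent"]))
```

On the page's own configuration the check returns no findings; dropping VLAN 301 from the switch's vlan-group, or omitting the access-group on the outside interface, each produces a single finding, which is the kind of mismatch that otherwise only shows up as a failover that never converges.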

FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface faillink Vlan 300
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 3 of 250 maximum
failover replication http
Config sync: active
Last Failover at: 07:06:08 Dec 04 2004
        This host: Primary - Active
                Active time: 1846 (sec)
                Interface vlan2inter (10.130.2.1): Normal
                Interface vlan3inter (10.130.3.1): Normal
                Interface vlan4inter (10.130.4.1): Normal
                Interface outside (10.130.1.4): Normal (Not-Monitored)
        Other host: Secondary - Standby
                Active time: 4123 (sec)
                Interface vlan2inter (10.130.2.2): Normal
                Interface vlan3inter (10.130.3.2): Normal
                Interface vlan4inter (10.130.4.2): Normal
                Interface outside (10.130.1.5): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan 301
        Stateful Obj    xmit       xerr       rcv        rerr
        General         327        0          309        0
        sys cmd         309        0          308        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        xlate           0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         18         0          1          0
        RIP Tbl         0          0          0          0
        L2BRIDGE Tbl    0          0          0          0
        Xlate_Timeout   0          0          0          0
        TCP NPs         0          0          0          1
        UDP NPs         8          0          16         1

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       309
        Xmit Q:         0       1       327
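After a failover is triggered in the test, `show failover` is what confirms the outcome. The parser below is an added example in Python, not part of the template; it reads a constructed copy of the output above (the stateful object table is abridged to four rows) and returns the unit roles, the state of every interface on both hosts and the stateful-link counters, then lists what a tester should look at: a unit missing or in an unexpected role, a monitored interface that is not Normal, or transmit/receive errors on the stateful link. Run on the sample, the only findings are the single receive error on the TCP NPs and UDP NPs objects that the page's own output shows. The names `parse_show_failover` and `failover_problems` are the example's own.

```python
"""Parse FWSM 'show failover' output and list anything a failover test should flag.
Added example, not part of the original template. SAMPLE is a constructed copy of
the output reproduced on this page with the stateful object table abridged.
"""
import re

SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface faillink Vlan 300
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 3 of 250 maximum
Last Failover at: 07:06:08 Dec 04 2004
        This host: Primary - Active
                Active time: 1846 (sec)
                Interface vlan2inter (10.130.2.1): Normal
                Interface vlan3inter (10.130.3.1): Normal
                Interface vlan4inter (10.130.4.1): Normal
                Interface outside (10.130.1.4): Normal (Not-Monitored)
        Other host: Secondary - Standby
                Active time: 4123 (sec)
                Interface vlan2inter (10.130.2.2): Normal
                Interface vlan3inter (10.130.3.2): Normal
                Interface vlan4inter (10.130.4.2): Normal
                Interface outside (10.130.1.5): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan 301
        Stateful Obj    xmit       xerr       rcv        rerr
        General         327        0          309        0
        ARP tbl         18         0          1          0
        TCP NPs         0          0          0          1
        UDP NPs         8          0          16         1
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): (\w+)(?: \((Not-Monitored)\))?")
STAT_RE = re.compile(r"^\s*([A-Za-z_ ]+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text):
    """Return {'failover_on', 'hosts': {'this'/'other': {...}}, 'stateful': {obj: counters}}."""
    result = {"failover_on": False, "hosts": {}, "stateful": {}}
    current, in_stats = None, False
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["failover_on"] = True
        elif m := HOST_RE.match(line):
            current = m.group(1).lower()          # "this" or "other"
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            result["hosts"][current]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "state": m.group(3), "monitored": m.group(4) is None}
        elif "Stateful Obj" in line:               # header row of the counter table
            in_stats = True
        elif in_stats and (m := STAT_RE.match(line)):
            counters = map(int, m.groups()[1:])
            result["stateful"][m.group(1).strip()] = dict(zip(("xmit", "xerr", "rcv", "rerr"), counters))
    return result


def failover_problems(parsed):
    """Conditions a failover test should not accept silently."""
    problems = []
    if not parsed["failover_on"]:
        problems.append("failover is off")
    hosts = parsed["hosts"]
    if set(hosts) != {"this", "other"}:
        problems.append("peer unit not reported")
    states = sorted(h["state"] for h in hosts.values())
    if states != ["Active", "Standby"]:
        problems.append(f"unexpected unit states {states}")
    for side, h in hosts.items():
        for name, i in h["interfaces"].items():
            if i["monitored"] and i["state"] != "Normal":
                problems.append(f"{side} host interface {name} is {i['state']}")
    for obj, c in parsed["stateful"].items():
        if c["xerr"] or c["rerr"]:
            problems.append(f"stateful link errors on {obj}: xerr={c['xerr']} rerr={c['rerr']}")
    return problems


if __name__ == "__main__":
    print("\n".join(failover_problems(parse_show_failover(SAMPLE)) or ["failover pair healthy"]))
```

The Not-Monitored marker on the outside interface is carried through as `monitored: False`, so a non-Normal state there is reported by `parse_show_failover` but not treated as a problem, matching how the unit itself ignores unmonitored interfaces in its failover decision.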

FWSM# show vlan
2-4,300-301,600

FWSM# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flo
