Firewall Failover
I. Failover concepts:
1. Failover link:
Also called the heartbeat link. The two units of a failover pair exchange hello messages, unit state, interface link status, MAC addresses and configuration replication over it, and each unit derives its own state (active or standby) from what it sees on this link.
There are two kinds of failover link:
a dedicated failover cable (a serial cable, PIX only) and a LAN-based link over an Ethernet interface.
2. Stateful failover link:
Also called the state link. It continuously carries connection-state information (the connection and translation tables) from the active unit to the standby unit, so that established sessions survive a switchover. Its bandwidth must be at least that of the data interfaces. It can be placed in one of three ways:
on a dedicated Ethernet interface, shared with the LAN-based failover link, or shared with a data interface (not recommended).
Security note: everything carried on the failover and state links, including the replicated running configuration and the connection tables, is sent in clear text unless a shared secret is configured with failover key. Put these links on a direct cable or an isolated VLAN that no user segment can reach.
3. Failover topologies:
There are two: cable-based and LAN-based.
II. Lab topology:
(The topology diagram is not reproduced in this text. As reconstructed from the configurations below: FW5 and FW6 form the failover pair; e0 is outside (192.168.7.0/24, toward R7), e1 is inside (192.168.5.0/24, toward SW1/SW2 running HSRP), e2 is dmz (192.168.8.0/24, toward SW4) and e3 is the LAN-based failover and state link (192.168.6.0/24, VLAN 6). Addresses ending in .5 belong to the active unit and .6 to the standby unit.)
III. Lab configuration:
FW5(config)# activation-key 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57 (install an Unrestricted (UR) license; failover is only supported with a UR license)
1. LAN-based Active/Standby mode
FW5 (primary unit, active)
FW5(config)# failover link bluefox e3 (designate the stateful failover link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (address the state link)
FW5(config)# interface e3 (bring up the interface)
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# failover lan enable (enable LAN-based failover)
FW5(config)# failover lan unit primary (this unit is the primary)
FW5(config)# failover lan interface bluefox e3 (designate the failover link; it may share the interface with the state link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (already set above; not needed again when the two links share one interface)
FW5(config)# failover (enable failover)
FW5(config)# interface e0
FW5(config-if)# nameif outside
FW5(config-if)# ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# interface e1
FW5(config-if)# nameif inside
FW5(config-if)# ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# interface e2
FW5(config-if)# nameif dmz
FW5(config-if)# security-level 50
FW5(config-if)# ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW6 (secondary unit, standby)
FW6(config)# interface e3
FW6(config-if)# no shutdown
FW6(config-if)# exit
(bring up the state link)
FW6(config)# failover lan enable (enable LAN-based failover)
FW6(config)# failover lan unit secondary (this unit is the secondary)
FW6(config)# failover lan interface bluefox e3 (designate the failover link; the name and interface must match the primary)
FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (identical on both units)
FW6(config)# failover (enable failover; the secondary then receives the primary's running configuration over the failover link, so the interface configuration is not repeated here)
Test and analysis:
(The show failover screenshots taken on FW5 and FW6 are not reproduced in this text.)
The show failover output on both units shows FW5 as the primary unit in the Active state and FW6 as the secondary unit in the Standby Ready state.
Forcing a switchover by hand on FW6 (failover active, entered on the standby unit):
FW6 becomes the active unit.
Entering no failover active on FW6 (or failover active on FW5) switches FW6 back to standby.
Primary/secondary is the fixed role set with failover lan unit; active/standby is the current state. A switchover changes the state, never the role, which is why FW6 remains the secondary unit even while it is active.
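The check that the screenshots above record can be automated. The following Python is an added example, not part of the original lab notes: it parses show failover output and flags what a practitioner looks for after a switchover test, i.e. failover off, the failover or state link down, a software version mismatch between mates, a unit that is neither Active nor Standby Ready, a monitored interface not in the Normal state, and both units claiming Active (split brain). The two samples are constructed approximations of show failover for the FW5/FW6 pair, using the names and addresses from this document; real output varies by software version, so adapt the regular expressions to yours.

```python
import re

# Constructed approximation of `show failover` on the FW5/FW6 pair, healthy.
SAMPLE_HEALTHY = """\
Failover On
Failover LAN Interface: bluefox Ethernet3 (up)
Version: Ours 7.2(4), Mate 7.2(4)
        This host: Primary - Active
                  Interface outside (192.168.7.5): Normal
                  Interface inside (192.168.5.5): Normal
                  Interface dmz (192.168.8.5): Normal
        Other host: Secondary - Standby Ready
                  Interface outside (192.168.7.6): Normal
                  Interface inside (192.168.5.6): Normal
                  Interface dmz (192.168.8.6): Normal

Stateful Failover Logical Update Statistics
        Link : bluefox Ethernet3 (up)
"""

# Constructed: mate on older software, secondary failed, state link down.
SAMPLE_DEGRADED = """\
Failover On
Failover LAN Interface: bluefox Ethernet3 (up)
Version: Ours 7.2(4), Mate 7.2(2)
        This host: Primary - Active
                  Interface outside (192.168.7.5): Normal
                  Interface dmz (192.168.8.5): Normal
        Other host: Secondary - Failed
                  Interface outside (192.168.7.6): Normal
                  Interface dmz (192.168.8.6): Failed (Waiting)

Stateful Failover Logical Update Statistics
        Link : bluefox Ethernet3 (down)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(.+?)\s*$")
VERSION_RE = re.compile(r"Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)")
LINK_RES = {  # failover (hello) link and stateful link, each "name interface (status)"
    "lan_link": re.compile(r"Failover LAN Interface:\s+(\S+)\s+(\S+)\s+\((\w+)\)"),
    "state_link": re.compile(r"^\s*Link\s*:\s+(\S+)\s+(\S+)\s+\((\w+)\)"),
}


def parse_show_failover(text):
    """Return enabled flag, link status, mate versions and per-host role, state and interfaces."""
    info = {"enabled": False, "lan_link": None, "state_link": None, "versions": None, "hosts": {}}
    current = None  # "this" or "other": whose interface list the loop is inside
    for line in text.splitlines():
        if line.strip() == "Failover On":
            info["enabled"] = True
            continue
        for key, rx in LINK_RES.items():
            m = rx.search(line)
            if m:
                info[key] = dict(zip(("name", "interface", "status"), m.groups()))
        m = VERSION_RE.search(line)
        if m:
            info["versions"] = m.groups()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            info["hosts"][current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
        m = IFACE_RE.match(line)
        if m and current:
            info["hosts"][current]["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
    return info


def check_failover_health(info):
    """Return a list of problems; an empty list means the pair is healthy."""
    problems = []
    if not info["enabled"]:
        problems.append("failover is off")
    for key in ("lan_link", "state_link"):
        link = info[key]
        if link is None:
            problems.append(f"{key} not reported")
        elif link["status"] != "up":
            problems.append(f"{key} {link['name']} ({link['interface']}) is {link['status']}")
    if info["versions"] and info["versions"][0] != info["versions"][1]:
        problems.append("software version mismatch: ours %s, mate %s" % info["versions"])
    hosts = info["hosts"]
    if set(hosts) != {"this", "other"}:
        problems.append("expected two hosts, found %d" % len(hosts))
    active = [h for h, d in hosts.items() if d["state"] == "Active"]
    if not active:
        problems.append("no unit is Active")
    elif len(active) > 1:
        problems.append("both units report Active (split brain): check the failover link")
    for h, d in hosts.items():
        if d["state"] not in ("Active", "Standby Ready"):
            problems.append(f"{h} host ({d['role']}) is in state '{d['state']}'")
        for name, iface in d["interfaces"].items():
            if iface["status"] != "Normal":
                problems.append(f"{h} host interface {name} ({iface['ip']}) is '{iface['status']}'")
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(label, "->", check_failover_health(parse_show_failover(sample)) or "OK")
```

Run it against the saved output of show failover from either unit after each step of the test (before the forced switchover, while FW6 is active, and after FW6 is back in standby); the split-brain check matters most after the failover link itself has been disturbed, since both units then believe they are alone.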
The full configuration of each device follows:
FW5
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6
interface Ethernet3
 description LAN/STATE Failover Interface
access-list 100 extended permit ip any any
failover
failover lan unit primary
failover lan interface bluefox Ethernet3
failover lan enable
failover link bluefox Ethernet3
failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6
access-group 100 in interface outside
access-group 100 in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.7.7 1
route inside 192.168.10.0 255.255.255.0 192.168.5.100 1
route inside 192.168.20.0 255.255.255.0 192.168.5.100 1
route dmz 192.168.30.0 255.255.255.0 192.168.8.4 1
route dmz 192.168.40.0 255.255.255.0 192.168.8.4 1
Note: access-list 100 permits all IP traffic and is applied inbound on outside and dmz, so in this lab the firewall filters nothing arriving from the outside or DMZ segments; it exists only so that the failover test traffic passes. A production deployment replaces it with explicit permits.
SW1
spanning-tree vlan 1 priority 0
spanning-tree vlan 10 priority 0
spanning-tree vlan 20 priority 0
interface Port-channel1
 switchport mode trunk
interface FastEthernet1/1
 switchport access vlan 5
interface FastEthernet1/2
 switchport access vlan 6
interface FastEthernet1/3
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet1/4
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet1/5
 switchport trunk allowed vlan 1-4,7-1005
 switchport mode trunk
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
 standby 5 ip 192.168.5.100
 standby 5 priority 120
 standby 5 preempt
 standby 5 track FastEthernet1/5 50
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 standby 10 ip 192.168.10.100
 standby 10 priority 120
 standby 10 preempt
 standby 10 track FastEthernet1/1 50
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 standby 20 ip 192.168.20.100
 standby 20 priority 120
 standby 20 preempt
 standby 20 track FastEthernet1/1 50
ip route 0.0.0.0 0.0.0.0 192.168.5.5
SW2
spanning-tree vlan 1 priority 4096
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 4096
interface Port-channel1
 switchport mode trunk
interface FastEthernet1/1
 switchport access vlan 5
interface FastEthernet1/2
 switchport access vlan 6
interface FastEthernet1/3
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet1/4
 switchport mode trunk
 channel-group 1 mode on
interface FastEthernet1/5
 switchport trunk allowed vlan 1-4,7-1005
 switchport mode trunk
interface Vlan5
 ip address 192.168.5.2 255.255.255.0
 standby 5 ip 192.168.5.100
 standby 5 preempt
interface Vlan6
 ip address 192.168.6.2 255.255.255.0
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.100
 standby 10 preempt
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 standby 20 ip 192.168.20.100
 standby 20 preempt
ip route 0.0.0.0 0.0.0.0 192.168.5.5
Note: both switches give VLAN 6, the failover/state segment, a routed SVI (192.168.6.1 and 192.168.6.2), so the clear-text failover traffic on that VLAN can be reached by routing from the user VLANs 10 and 20. In production the failover VLAN carries no SVI and is allowed only on the two ports that face the firewalls' e3 interfaces.
SW3
interface FastEthernet1/1
 switchport mode trunk
interface FastEthernet1/2
 switchport mode trunk
interface FastEthernet1/3
 switchport access vlan 10
interface FastEthernet1/4
 switchport access vlan 20
SW4
interface FastEthernet1/1
 switchport access vlan 7
interface FastEthernet1/2
 switchport access vlan 7
interface FastEthernet1/3
 switchport access vlan 30
interface FastEthernet1/4
 switchport access vlan 40
interface Vlan7
 ip address 192.168.8.4 255.255.255.0
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.7.5
ip route 0.0.0.0 0.0.0.0 192.168.8.5
R7
interface Loopback0
 ip address 202.103.96.112 255.255.255.0
interface Ethernet0/0
 ip address 192.168.7.7 255.255.255.0
ip route 192.168.0.0 255.255.0.0 192.168.7.5
2. LAN-based Active/Active mode
Active/Active failover requires multiple context mode (mode multiple). The failover commands below belong in the system execution space; each security context is assigned to one of two failover groups, and each data interface's nameif, security-level and IP/standby addresses are configured inside the context that owns the interface rather than in the system execution space. The lab's commands are reproduced as recorded.
FW5 (primary unit)
FW5(config)# failover link bluefox e3 (designate the stateful failover link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (address the state link)
FW5(config)# interface e3 (bring up the interface)
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# failover lan enable (enable LAN-based failover)
FW5(config)# failover lan unit primary (this unit is the primary)
FW5(config)# failover lan interface bluefox e3 (designate the failover link; it may share the interface with the state link)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (not needed again when the two links share one interface)
What distinguishes A/A from A/S:
FW5(config)# failover group 1 (create failover group 1)
FW5(config-fover-group)# primary (group 1 prefers to be active on the primary unit)
FW5(config-fover-group)# preempt (the group moves back to its preferred unit when that unit returns)
FW5(config-fover-group)# exit
FW5(config)# failover group 2
FW5(config-fover-group)# secondary (group 2 prefers to be active on the secondary unit)
FW5(config-fover-group)# preempt
FW5(config-fover-group)# exit
FW5(config)# context bluefox (create a security context)
FW5(config-ctx)# join-failover-group 1 (assign the context to group 1 or group 2; a context that is not assigned explicitly belongs to group 1, and the admin context is always in group 1. Because group 1 prefers the primary and group 2 the secondary, each unit is active for one group under normal conditions. The assignment is part of the system configuration replicated to the secondary and is not re-entered there.)
FW5(config-ctx)# exit
FW5(config)# failover
FW5(config)# interface e0
FW5(config-if)# nameif outside
FW5(config-if)# ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# interface e1
FW5(config-if)# nameif inside
FW5(config-if)# ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# interface e2
FW5(config-if)# nameif dmz
FW5(config-if)# security-level 50
FW5(config-if)# ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW6 (secondary unit)
FW6(config)# interface e3
FW6(config-if)# no shutdown
FW6(config-if)# exit
(bring up the state link)
FW6(config)# failover lan enable (enable LAN-based failover)
FW6(config)# failover lan unit secondary (this unit is the secondary)
FW6(config)# failover lan interface bluefox e3 (designate the failover link)
FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6
FW6(config)# failover (enable failover; the failover groups, contexts and interface configuration replicate from the primary)
3. Cable-based Active/Standby mode (cable-based failover supports only Active/Standby; which unit is primary and which is secondary is determined by the ends of the failover cable)
FW5(config)# failover link bluefox e3 (designate the stateful failover link; with cable-based failover the heartbeat runs over the serial cable, so this Ethernet interface carries only state)
FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6 (address the state link)
FW5(config)# interface e3 (bring up the interface)
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# failover (enable failover)
Optional settings:
FW5(config)# failover replication http (replicate HTTP connection state; HTTP sessions are not replicated by default and drop on switchover)
FW5(config)# monitor-interface <if_name> (monitor a named interface; a failure on an interface that is not monitored never triggers a switchover)
FW5(config)# failover polltime interface <seconds> [holdtime <seconds>] (interface hello interval; the holdtime must be at least 5 times the poll interval)
FW5(config)# failover polltime [unit] <seconds> [holdtime <seconds>] (unit hello interval on the failover link; the holdtime must be at least 3 times the poll interval)
FW5(config)# interface e0
FW5(config-if)# nameif outside
FW5(config-if)# ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# interface e1
FW5(config-if)# nameif inside
FW5(config-if)# ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
FW5(config)# interface e2
FW5(config-if)# nameif dmz
FW5(config-if)# security-level 50
FW5(config-if)# ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6
FW5(config-if)# no shutdown
FW5(config-if)# exit
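The caveats from the concept section and the optional settings above can be checked before a failover configuration is pushed to the pair. The following Python is an added example, not part of the original lab notes: it reads a running-config fragment and reports a missing failover key (clear-text failover traffic), a named interface without a standby address, a failover or state link placed on a data interface, HTTP replication left off, and holdtimes below the 3x (unit) and 5x (interface) minimums. WEAK_CONFIG is a constructed variant of the lab's FW5 configuration with those problems introduced; HARDENED_CONFIG is the corrected form, with failover key ***** written the way show running-config masks the key.

```python
import re

# Constructed weak running-config fragment, derived from the lab's FW5 configuration
# with problems introduced: no failover key, no standby address on dmz, the state
# link placed on the dmz data interface, and holdtimes below the minimum.
WEAK_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6
interface Ethernet1
 nameif inside
 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6
interface Ethernet2
 nameif dmz
 ip address 192.168.8.5 255.255.255.0
interface Ethernet3
 description LAN/STATE Failover Interface
failover
failover lan unit primary
failover lan interface bluefox Ethernet3
failover lan enable
failover link bluefox Ethernet2
failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6
failover polltime unit 1 holdtime 2
failover polltime interface 5 holdtime 15
"""

# The corrected form of the same fragment (show running-config masks the key as *****).
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("192.168.8.5 255.255.255.0\n", "192.168.8.5 255.255.255.0 standby 192.168.8.6\n")
    .replace("failover link bluefox Ethernet2", "failover key *****\nfailover link bluefox Ethernet3")
    .replace("failover polltime unit 1 holdtime 2\nfailover polltime interface 5 holdtime 15",
             "failover replication http\nfailover polltime unit 1 holdtime 15\n"
             "failover polltime interface 5 holdtime 25")
)

# failover polltime [unit|interface] [msec] <poll> [holdtime [msec] <hold>]
POLL_RE = re.compile(r"^failover polltime(?: (unit|interface))?(?: (msec))? (\d+)"
                     r"(?: holdtime(?: (msec))? (\d+))?$")
LINK_RE = re.compile(r"^failover (?:lan interface|link) (\S+) (\S+)$")


def parse_config(text):
    """Split a running config into interface blocks and global failover lines."""
    cfg = {"interfaces": {}, "failover": []}
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            cfg["interfaces"][current] = {"nameif": None, "ip": None, "standby": None}
        elif raw.startswith(" ") and current:  # sub-command of the current interface
            parts = raw.split()
            if parts[0] == "nameif":
                cfg["interfaces"][current]["nameif"] = parts[1]
            elif parts[:2] == ["ip", "address"]:
                cfg["interfaces"][current]["ip"] = parts[2]
                if "standby" in parts:
                    cfg["interfaces"][current]["standby"] = parts[parts.index("standby") + 1]
        else:
            current = None
            if raw.startswith("failover"):
                cfg["failover"].append(raw.strip())
    return cfg


def lint_failover(cfg):
    """Return the findings a practitioner wants to see before pushing the config."""
    findings = []
    fo = cfg["failover"]
    if "failover" not in fo:
        findings.append("failover is not enabled")
    if not any(l.startswith("failover key") for l in fo):
        findings.append("no 'failover key': failover and state traffic, including the "
                        "replicated configuration, is sent in clear text")
    if "failover replication http" not in fo:
        findings.append("no 'failover replication http': HTTP connections drop on switchover")
    data = {n: d for n, d in cfg["interfaces"].items() if d["nameif"]}  # data interfaces
    for name, d in data.items():
        if d["ip"] and not d["standby"]:
            findings.append(f"{name} ({d['nameif']}) has no standby address, so it cannot "
                            "be health-monitored through the mate")
    for line in fo:
        m = LINK_RE.match(line)
        if m and m.group(2) in data:
            findings.append(f"'{line}': {m.group(2)} is also the {data[m.group(2)]['nameif']} "
                            "data interface; use a dedicated interface")
        m = POLL_RE.match(line)
        if m and m.group(5) is not None:
            scope, msec_p, poll, msec_h, hold = m.groups()
            poll_s = int(poll) / (1000 if msec_p else 1)
            hold_s = int(hold) / (1000 if msec_h else 1)
            factor = 5 if scope == "interface" else 3
            if hold_s < factor * poll_s:
                findings.append(f"'{line}': holdtime must be at least {factor}x the poll interval")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", lint_failover(parse_config(text)) or "OK")
```

The polltime rules encode what the CLI itself enforces interactively, which is useful when the configuration is generated or pushed from a template rather than typed; the other four checks are things the CLI accepts silently, which is why the failover key and the standby addresses are worth linting for.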