
FWSM FAILOVER Test Configuration Template

- FWSM architecture: Internally the module is built around a dual Intel Pentium III processor and three IBM network processors (NPs), plus the associated ASICs. NP1 and NP2 each have three GE links to the C6K/C7600 switch fabric or backplane bus, and a 6G 802.1Q trunking EtherChannel is created automatically.
- C6K + FWSM: To the C6K, the FWSM is in effect an external high-performance PIX firewall attached to the C6K through six GE links. Session-based load balancing of traffic across the six GE links can be configured on the C6K. The required 6500 configuration is SUP2/MSFC2 with Native IOS 12.1(13)E or later. It delivers a maximum throughput of 3 Mpps at 64 bytes, a maximum bandwidth of 5G at 1518 bytes, 100 VLAN interfaces, 128K ACL settings, LAN failover, and so on.

On the switch, VLANs 2-4, 300-301 and 600 serve as the firewall's virtual interfaces.

VLAN    Interface security level or purpose
2       80
3       50
4       50
300     FAILOVER interface
301     STATEFUL FAILOVER interface
600     0

show run
Building configuration.
Current configuration : 12437 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bb6506-1
!
boot system flash sup-bootflash:
logging snmp-authfail
enable secret 5 $1$/Gz$SjNb0DKiUKWHUSruk1FZs.
!
clock timezone PDT -7
! Assign the firewall's VLANs
firewall module 2 vlan-group 10
firewall vlan-group 10 2-4,300,301,600
ip subnet-zero
no ip domain-lookup
mpls ldp logging neighbor-changes
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
diagnostic cns publish s.device.diag_results
diagnostic cns subscribe s.device.diag_commands
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
! Port-channel used as the firewall failover link (bundling 4-6 GE interfaces is recommended)
interface Port-channel1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet6/1
 no ip address
 switchport
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet6/2
 no ip address
 switchport
 switchport access vlan 2
 switchport mode access
!
! Only two interfaces were bundled in this test
interface GigabitEthernet6/3
 no ip address
 switchport
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet6/4
 no ip address
 switchport
 switchport mode trunk
 channel-group 1 mode on
!
! Connects to the firewall's OUTSIDE interface
interface Vlan600
 ip address 10.130.1.2 255.255.255.240
 standby 255 ip 10.130.1.1
 standby 255 priority 110
 standby 255 preempt
!
router rip
 version 2
 redistribute static
 network 10.0.0.0
!
ip classless
! Static routes to the firewall
ip route 10.130.2.0 255.255.255.0 10.130.1.4
ip route 10.130.3.0 255.255.255.0 10.130.1.4
ip route 10.130.4.0 255.255.255.0 10.130.1.4
no ip http server
snmp-server community shanghai RO
snmp-server community topsecret RW
!
dial-peer cor custom
!
line con 0
line vty 0 4
 password cisco
 login
!
end

bb6506-1#show firewall vlan-group
Group vlans
----- ------
   10 2-4,300-301,600

bb6506-1#show firewall module 2 traffic
Firewall module 2:
Specified interface is up (connected)
line protocol is up
  Hardware is EtherChannel, address is 0001.c9df.7b7d (bia 0001.c9df.7b7d)
  MTU 1500 bytes, BW 6000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi2/1 Gi2/2 Gi2/3 Gi2/4 Gi2/5 Gi2/6
  Last input never, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 3000 bits/sec, 5 packets/sec
     3842 packets input, 308227 bytes, 0 no buffer
     Received 84 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     13174 packets output, 1220828 bytes, 0 underruns
     0 output errors, 0 collisions, 6 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

bb6506-1#show firewall module 2 state
Firewall module 2:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 2-4,300,301,600
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk:2-4,300-301,600
Vlans allowed and active in management domain: 2-4,300-301,600
Vlans in spanning tree forwarding state and not pruned: 2-4,300-301,600

FWSM# show run

FWSM Version 2.3(1)
! Define the VLAN interfaces for the test (firewall interfaces, matching the VLANs on the switch)
nameif vlan2 vlan2inter security80
nameif vlan3 vlan3inter security50
nameif vlan4 vlan4inter security50
nameif vlan600 outside security0
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
! Allow traffic between VLAN interfaces that have the same security level
same-security-traffic permit inter-interface
access-list deny-flow-max 4096
access-list alert-interval 300
! Define the ACLs
access-list vlan2inter extended permit ip any any
access-list vlan3inter extended permit ip any any
access-list vlan4inter extended permit ip any any
access-list outin extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu vlan2inter 1500
mtu vlan3inter 1500
mtu vlan4inter 1500
mtu outside 1500
! Set the IP addresses and the failover (standby) addresses
ip address vlan2inter 10.130.2.1 255.255.255.0 standby 10.130.2.2
ip address vlan3inter 10.130.3.1 255.255.255.0 standby 10.130.3.2
ip address vlan4inter 10.130.4.1 255.255.255.0 standby 10.130.4.2
ip address outside 10.130.1.4 255.255.255.0 standby 10.130.1.5
! The failover parameters follow; VLAN 301 is the stateful link
failover
failover lan unit primary
failover lan interface faillink vlan 300
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover replication http
failover link state vlan 301
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover interface ip state 192.168.253.5 255.255.255.252 standby 192.168.253.6
monitor-interface vlan2inter
monitor-interface vlan3inter
monitor-interface vlan4inter
icmp permit any vlan2inter
icmp permit any vlan3inter
icmp permit any vlan4inter
icmp permit any outside
no pdm history enable
arp timeout 14400
! Configure no NAT translation
nat (vlan2inter) 0 0.0.0.0 0.0.0.0
nat (vlan3inter) 0 0.0.0.0 0.0.0.0
nat (vlan4inter) 0 0.0.0.0 0.0.0.0
! Address mappings for low-to-high security traffic
static (vlan2inter,vlan3inter) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (vlan2inter,vlan4inter) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (vlan2inter,outside) 10.130.2.0 10.130.2.0 netmask 255.255.255.0
static (vlan3inter,outside) 10.130.3.0 10.130.3.0 netmask 255.255.255.0
static (vlan4inter,outside) 10.130.4.0 10.130.4.0 netmask 255.255.255.0
! Apply the policies to each interface. Note that an ACL is also required on a
! higher-security VLAN interface for traffic going to a lower-security one. By default,
! with no ACL applied, no traffic passes between any interfaces (unlike the PIX).
access-group vlan2inter in interface vlan2inter
access-group vlan3inter in interface vlan3inter
access-group vlan4inter in interface vlan4inter
access-group outside in interface outside
!
route outside 0.0.0.0 0.0.0.0 10.130.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 vlan2inter
fragment chain 24 vlan2inter
fragment size 200 vlan3inter
fragment chain 24 vlan3inter
fragment size 200 vlan4inter
fragment chain 24 vlan4inter
fragment size 200 outside
fragment chain 24 outside
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
no gdb enable
Cryptochecksum:476b6572fa758276de30eb06be518dd9
end

FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface faillink Vlan 300
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 3 of 250 maximum
failover replication http
Config sync: active
Last Failover at: 07:06:08 Dec 04 2004
        This host: Primary - Active
                Active time: 1846 (sec)
                Interface vlan2inter (10.130.2.1): Normal
                Interface vlan3inter (10.130.3.1): Normal
                Interface vlan4inter (10.130.4.1): Normal
                Interface outside (10.130.1.4): Normal (Not-Monitored)
        Other host: Secondary - Standby
                Active time: 4123 (sec)
                Interface vlan2inter (10.130.2.2): Normal
                Interface vlan3inter (10.130.3.2): Normal
                Interface vlan4inter (10.130.4.2): Normal
                Interface outside (10.130.1.5): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan 301
        Stateful Obj    xmit    xerr    rcv     rerr
        General         327     0       309     0
        sys cmd         309     0       308     0
        up time         0       0       0       0
        RPC services    0       0       0       0
        xlate           0       0       0       0
        TCP conn        0       0       0       0
        UDP conn        0       0       0       0
        ARP tbl         18      0       1       0
        RIP Tbl         0       0       0       0
        L2BRIDGE Tbl    0       0       0       0
        Xlate_Timeout   0       0       0       0
        TCP NPs         0       0       0       1
        UDP NPs         8       0       16      1

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       309
        Xmit Q:         0       1       327

FWSM# show vlan
2-4, 300-301 , 600

FWSM# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flo
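Added example (not part of the original template): a Python check that parses `show failover` output in the format shown above and reports conditions that weaken the pair: failover disabled, roles other than one Active and one Standby, interfaces not in the Normal state, interfaces that are not monitored, and non-zero xerr/rerr counters on the stateful link. The sample text is abridged from the output above, and the function and pattern names are this example's own.

```python
import re

# Abridged from the `show failover` output above (constructed sample for this example).
SAMPLE = """\
Failover On
Failover unit Primary
        This host: Primary - Active
                Interface vlan2inter (10.130.2.1): Normal
                Interface outside (10.130.1.4): Normal (Not-Monitored)
        Other host: Secondary - Standby
                Interface vlan2inter (10.130.2.2): Normal
                Interface outside (10.130.1.5): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
        Stateful Obj    xmit    xerr    rcv     rerr
        General         327     0       309     0
        TCP NPs         0       0       0       1
        UDP NPs         8       0       16      1
"""

HOST = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")
STAT = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def check_failover(text):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings, roles, host, in_stats = [], {}, None, False
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Failover On":
        findings.append("failover is not enabled")
    for line in lines:
        if line.lstrip().startswith("Stateful Failover"):
            in_stats = True          # counter rows follow this heading
        elif m := HOST.match(line):
            host = m.group(1)        # "This" or "Other"
            roles[host] = m.group(3) # Active, Standby, Failed, ...
        elif (m := IFACE.match(line)) and host:
            name, _ip, state = m.groups()
            if "Not-Monitored" in state:
                findings.append(f"{host} host: {name} is not monitored")
            if not state.startswith("Normal"):
                findings.append(f"{host} host: {name} is {state}")
        elif in_stats and (m := STAT.match(line)):
            obj, _xmit, xerr, _rcv, rerr = m.groups()
            if int(xerr) or int(rerr):
                findings.append(f"stateful {obj}: xerr={xerr} rerr={rerr}")
    if sorted(roles.values()) != ["Active", "Standby"]:
        findings.append(f"unexpected roles: {roles}")
    return findings
```

Run against the output above, it reports the outside interface as not monitored on both units (the configuration has no `monitor-interface outside` line) and the single receive error on the TCP NPs and UDP NPs rows.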
