Failover requirements
 • Same model and hardware configuration (number of interfaces and modules)
 • Same software version*
 • Same encryption features (DES or 3DES)
 • Same flash and RAM size*
1. Configuring Stateful A/S (Active/Standby) LAN-based Failover
Step 1. Interface configuration on the Primary ASA
 hostname ASA
 interface Ethernet0/0
  nameif Outside
  security-level 0
  ip address 202.100.1.10 255.255.255.0 standby 202.100.1.20
  no shutdown
 interface Ethernet0/1
  nameif Inside
  security-level 100
  ip address 10.1.1.10 255.255.255.0 standby 10.1.1.20
  no shutdown
Note: the standby IP addresses are configured on the Primary ASA and must be in the same subnet as the active addresses.
Step 2. Failover configuration on the Primary ASA (ASA1)
 interface Ethernet0/2
  no shutdown
 failover lan unit Primary
Note: designates this ASA as the Primary failover unit.
 failover lan interface FO Ethernet0/2
Note: designates E0/2 as the failover link, with the interface name "FO".
 failover key cisco
Note: key used to encrypt and authenticate failover traffic.
 failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
Note: failover link addresses; the primary uses the first address and the secondary uses the standby address.
 failover
Note: enables failover.
Note: always enable failover on the Primary unit first.
Step 3. Failover configuration on the Secondary ASA (ASA2)
 interface Ethernet0/2
  no shutdown
 failover lan unit secondary
Note: designates this ASA as the Secondary failover unit.
 failover lan interface FO Ethernet0/2
Note: designates E0/2 as the failover link, with the interface name "FO".
 failover key cisco
Note: key used to encrypt and authenticate failover traffic.
 failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
 failover
Step 4. Verification
 Check the failover status on ASA1:
 ASA(config)# show failover
 Failover On
 Failover unit Primary
 Failover LAN Interface: FO Ethernet0/2 (up)
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(4), Mate 8.0(4)
 Last Failover at: 18:02:12 UTC Jan 18 2003
 This host: Primary -Active
 Active time: 3099 (sec)
 slot 0: ASA5510 hw/sw rev (1.1/8.0(4)) status (Up Sys)
 Interface Outside (202.100.1.10): Normal
 Interface Inside (10.1.1.10): Normal
 slot 1: empty
 Other host: Secondary -Standby Ready
 Active time: 652 (sec)
 slot 0: ASA5510 hw/sw rev (1.1/8.0(4)) status (Up Sys)
 Interface Outside (202.100.1.20): Normal
 Interface Inside (10.1.1.20): Normal
 slot 1: empty
 Stateful Failover Logical Update Statistics
Link : Unconfigured.
Test
 1. Telnet from Inside to Outside
  Inside#telnet 202.100.1.1 (succeeds)
 2. Check the connection table on ASA1
 ASA(config)# sh conn
 11 in use, 11 most used
 TCP Outside 202.100.1.1:23 Inside 10.1.1.1:11002, idle 0:00:08, bytes 116, flags UIO
 3. Check the connection table on ASA2 (no Stateful link exists yet, so the connection is not replicated)
 ASA(config)# sh conn
 11 in use, 11 most used
 4. Shut down switch port fa0/8, the port connected to ASA1 E0/1
Note: if you shut down ASA1's E0/1 interface itself instead, the shutdown is replicated as configuration and ASA2's E0/1 goes down as well, which is why the switch port is shut down instead.
 Switch(config)#interface fa0/8
 Switch(config-if)#shutdown
 ASA(config)# sh fa
 Failover On 
 Failover unit Primary
 Failover LAN Interface: FO Ethernet0/2 (up)
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(3), Mate 8.0(3)
 Last Failover at: 01:16:48 UTC Jul 9 2010
         This host: Primary - Failed 
                 Active time: 788 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                   Interface outside (202.100.1.20): Normal 
                   Interface inside (10.1.1.20): No Link (Waiting)
                 slot 1: empty
         Other host: Secondary - Active 
                 Active time: 81 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                   Interface outside (202.100.1.10): Normal 
                   Interface inside (10.1.1.10): Normal (Waiting)
                 slot 1: empty
Stateful Failover Logical Update Statistics
         Link : Unconfigured.
 Bring switch port fa0/8 (connected to ASA1 E0/1) back up:
 Switch(config)#interface fa0/8
 Switch(config-if)#no shutdown
A/S failover does not preempt: ASA1 does not automatically retake the Active role, so it has to be switched back manually on ASA1.
 ASA(config)# failover active
 Switching to Active
Note: whichever unit this command is entered on becomes the Active unit.
Step 5. Configure the Stateful link
 Stateful link configuration on ASA1:
 interface Ethernet0/3
  no shutdown
 failover link Stateful Ethernet0/3
Note: designates E0/3 as the Stateful link, with the interface name "Stateful".
 failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
Note: configures the Stateful link IP addresses.
Note: nothing needs to be configured on ASA2, because the failover link replicates the configuration to ASA2 (the secondary).
 ASA(config)# sh fa
 Stateful Failover Logical Update Statistics
         Link : Stateful Ethernet0/3 (up)
         Stateful Obj    xmit       xerr       rcv        rerr      
         General         4          0          2          0         
         sys cmd         2          0          2          0         
         up time         0          0          0          0         
         RPC services    0          0          0          0         
         TCP conn        0          0          0          0         
         UDP conn        0          0          0          0         
         ARP tbl         2          0          0          0         
         Xlate_Timeout   0          0          0          0         
         VPN IKE upd     0          0          0          0         
         VPN IPSEC upd   0          0          0          0         
         VPN CTCP upd    0          0          0          0         
         VPN SDI upd     0          0          0          0         
         VPN DHCP upd    0          0          0          0         
         SIP Session     0          0          0          0        
        Logical Update Queue Information
                         Cur     Max     Total
         Recv Q:         0       9       20
         Xmit Q:         0       1024    1279
Test
 1. Telnet from Inside to Outside
  Inside#telnet 202.100.1.1 (succeeds)
 2. Check the connection table on ASA1
 ASA(config)# sh conn
 11 in use, 11 most used
 TCP Outside 202.100.1.1:23 Inside 10.1.1.1:11002, idle 0:00:08, bytes 116, flags UIO
 3. Check the connection table on ASA2 (the connection is now replicated over the Stateful link)
 ASA(config)# sh conn
 11 in use, 11 most used
 TCP Outside 202.100.1.1:23 Inside 10.1.1.1:11002, idle 0:00:08, bytes 116, flags UIO
 4. Shut down switch port fa0/8, the port connected to ASA1 E0/1
 Switch(config)#interface fa0/8
 Switch(config-if)#shutdown
A/S failover does not preempt, so ASA1 has to be switched back to Active manually:
 ASA(config)# failover active
 Switching to Active
Summary: one interface can serve as both the failover link and the Stateful link by giving `failover link` the same interface name as the failover LAN interface:
 failover link FO Ethernet0/2
Note: the addresses from `failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20` already apply to the shared link, so no separate `failover interface ip` is needed.
When running A/S stateful failover, the following state is NOT replicated to the standby unit:
 * The HTTP connection table (unless HTTP replication is enabled).
 * The user authentication (uauth) table.
 * The routing tables.
 * Multicast traffic information.
 * State information for Security Service Cards.
 * DHCP server address leases.
 * Stateful failover for phone proxy.
The following state IS replicated:
 * NAT translation table.
 * TCP connection states.
 * UDP connection states.
 * The ARP table.
 * The Layer 2 bridge table (when running in Transparent mode).
 * The HTTP connection states (if HTTP replication is enabled).
 * The ISAKMP and IPsec SA table.
 * GTP PDP connection database.
 * SIP signaling sessions.
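As an added example (not part of the original post): a small Python check that parses `show failover` output in the format shown in this section and flags what a defender would want alerted on: a pair that is not Active/Standby Ready, a monitored interface that is not Normal, and a Stateful link that is unconfigured or down (so connections would not survive a switchover). The sample output is constructed in the page's layout, and the regular expressions assume that 8.0-style layout.

```python
import re
# Constructed, abridged sample in the shape of the page's `show failover` output (not a lab capture).
DEGRADED = """\
Failover On
        This host: Primary - Failed
                  Interface outside (202.100.1.20): Normal
                  Interface inside (10.1.1.20): No Link (Waiting)
        Other host: Secondary - Active
                  Interface outside (202.100.1.10): Normal
                  Interface inside (10.1.1.10): Normal (Waiting)
        Link : Unconfigured.
"""

HOST_RE = re.compile(r"^\s*(?:This|Other) host: (Primary|Secondary) -\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\): (.+?)\s*$")
LINK_RE = re.compile(r"^\s*Link : (.+?)\s*$")

def parse_failover(text):
    """Pull the failover flag, each unit's state and interface status, and the stateful link."""
    status = {"failover_on": False, "units": {}, "stateful_link": None}
    unit = None  # unit whose block we are currently inside
    for line in text.splitlines():
        if line.strip() == "Failover On":
            status["failover_on"] = True
        elif m := HOST_RE.match(line):
            unit = m.group(1)
            status["units"][unit] = {"state": m.group(2), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and unit:
            status["units"][unit]["interfaces"][m.group(1)] = m.group(2)
        elif m := LINK_RE.match(line):
            status["stateful_link"] = m.group(1)
    return status

def health_problems(status):
    """Conditions worth alerting on: lost redundancy, failed interfaces, no state sync."""
    problems = []
    states = {u: d["state"] for u, d in status["units"].items()}
    if sorted(states.values()) != ["Active", "Standby Ready"]:
        problems.append(f"pair not Active/Standby Ready: {states}")
    for u, d in status["units"].items():
        for name, st in d["interfaces"].items():
            if not st.startswith("Normal"):  # "Normal (Waiting)" is still Normal
                problems.append(f"{u} {name}: {st}")
    link = status["stateful_link"] or "Unconfigured."
    if link.startswith("Unconfigured"):
        problems.append("stateful link not configured: connections will not survive failover")
    elif "(up)" not in link:
        problems.append(f"stateful link {link}")
    return problems
```

Feed it the real output of `show failover` from a monitoring job; an empty list from `health_problems` means the pair is healthy.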
  
Transparent-mode ASA A/S configuration
1. Basic bridging
 SW1 (VLAN assignments, show vlan brief):
 VLAN Name                             Status    Ports
 2    Outside                          active    Fa0/1, Fa0/10
 3    Inside                           active    Fa0/2, Fa0/11
 4    FO                               active    Fa0/12
 5    St                               active    Fa0/13
 SW2:
 VLAN Name                             Status    Ports
 2    Outside                          active    Fa0/10
 3    Inside                           active    Fa0/11
 4    FO                               active    Fa0/12
 5    St                               active    Fa0/13
 Outside (router):
 int f0/0
  ip add 202.100.1.1 255.255.255.0
  no sh
 Inside (router):
 int f0/0
  ip add 202.100.1.2 255.255.255.0
  no sh
2. ASA configuration
ASA1:
 firewall transparent
 interface Ethernet0/0
  nameif outside
  no shut
 interface Ethernet0/1
  nameif inside
  no shut
 interface Ethernet0/2
  no shut
 interface Ethernet0/3
  no shut
 ip add 202.100.1.100 255.255.255.0
 failover lan unit primary
 failover lan interface fover Ethernet0/2
 failover key cisco
 failover link Stateful Ethernet0/3
 failover interface ip fover 192.168.1.10 255.255.255.0 standby 192.168.1.20
 failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
 failover
Note: in transparent mode the `ip add` line is the management address of the bridge; no standby address is given here, which is why the standby unit's interfaces show 0.0.0.0 in the test output below.
Note: to use one interface as both the failover link and the Stateful link, give the `failover link` command the same interface name as the failover LAN interface.
ASA2:
 failover lan unit secondary
 failover lan interface fover Ethernet0/2
 failover key cisco
 failover link Stateful Ethernet0/3
 failover interface ip fover 192.168.1.10 255.255.255.0 standby 192.168.1.20
 failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
 failover
3. Testing
 ASAFO-Tr(config)# sh failover 
 Failover On 
 Failover unit Primary
 Failover LAN Interface: fover Ethernet0/2 (up)
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(2), Mate 8.0(2)
 Last Failover at: 00:22:18 UTC Nov 30 1999
         This host: Primary - Active 
                 Active time: 743 (sec)
                 slot 0: empty
                   Interface outside (202.100.1.100): Normal (Waiting)
                   Interface inside (202.100.1.100): Normal (Waiting)
                 slot 1: empty
         Other host: Secondary - Standby Ready 
                 Active time: 0 (sec)
                 slot 0: empty
                   Interface outside (0.0.0.0): Normal (Waiting)
                   Interface inside (0.0.0.0): Normal (Waiting)
                 slot 1: empty
Stateful Failover Logical Update Statistics
         Link : Stateful Ethernet0/3 (up)
         Stateful Obj    xmit       xerr       rcv        rerr      
         General         105        0          84         0         
         sys cmd         84         0          84         0         
         up time         0          0          0          0         
         RPC services    0          0          0          0         
         TCP conn        0          0          0          0         
         UDP conn        0          0          0          0         
         ARP tbl         2          0          0          0         
         L2BRIDGE Tbl    19         0          0          0         
         Xlate_Timeout   0          0          0          0         
         SIP Session     0          0          0          0        
        Logical Update Queue Information
                         Cur     Max     Total
         Recv Q:         0       2       713
         Xmit Q:         0       2       737
 ASAFO-Tr(config)# sh failover 
 Failover On 
 Failover unit Secondary
 Failover LAN Interface: fover Ethernet0/2 (up)
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(2), Mate 8.0(2)
 Last Failover at: 00:00:00 UTC Nov 30 1999
         This host: Secondary - Standby Ready 
                 Active time: 0 (sec)
                 slot 0: empty
                   Interface outside (0.0.0.0): Normal (Waiting)
                   Interface inside (0.0.0.0): Normal (Waiting)
                 slot 1: empty
         Other host: Primary - Active 
                 Active time: 764 (sec)
                 slot 0: empty
                   Interface outside (202.100.1.100): Normal (Waiting)
                   Interface inside (202.100.1.100): Normal (Waiting)
                 slot 1: empty
Stateful Failover Logical Update Statistics
         Link : Stateful Ethernet0/3 (up)
         Stateful Obj    xmit       xerr       rcv        rerr      
         General         88         0          109        0         
         sys cmd         88         0          88         0         
         up time         0          0          0          0         
         RPC services    0          0          0          0         
         TCP conn        0          0          0          0         
         UDP conn        0          0          0          0         
         ARP tbl         0          0          2          0         
         L2BRIDGE Tbl    0          0          19         0         
         Xlate_Timeout   0          0          0          0         
         SIP Session     0          0          0          0        
        Logical Update Queue Information
                         Cur     Max     Total
         Recv Q:         0       1       1414
         Xmit Q:         0       1       88
 Inside#202.100.1.1
 Trying 202.100.1.1 ... Open
Outside>
ASAFO-Tr(config)# sh conn 
 5 in use, 5 most used
 TCP out 202.100.1.1:23 in 202.100.1.2:56942 idle 0:00:19 bytes 58 flags UIO
 ASAFO-Tr(config)# sh conn 
 5 in use, 5 most used
 TCP out 202.100.1.1:23 in 202.100.1.2:56942 idle 0:00:20 bytes 58 flags UIO
 SW1(config)#int f0/8
 SW1(config-if)#sh
 ASA(config)# sh failover 
 Failover On 
 Failover unit Primary
 Failover LAN Interface: fover Ethernet0/2 (up)
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(3), Mate 8.0(3)
 Last Failover at: 18:53:36 UTC Nov 17 2010
         This host: Primary - Failed 
                 Active time: 288 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                   Interface outside (0.0.0.0): Normal (Waiting)
                   Interface inside (0.0.0.0): No Link (Waiting)
                 slot 1: empty
         Other host: Secondary - Active 
                 Active time: 6 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                   Interface outside (202.100.1.100): Normal (Waiting)
                   Interface inside (202.100.1.100): Normal (Waiting)
                 slot 1: empty
Stateful Failover Logical Update Statistics
         Link : fover Ethernet0/2 (up)
         Stateful Obj    xmit       xerr       rcv        rerr      
         General         40         0          32         0         
         sys cmd         32         0          32         0         
         up time         0          0          0          0         
         RPC services    0          0          0          0         
         TCP conn        0          0          0          0         
         UDP conn        0          0          0          0         
         ARP tbl         2          0          0          0         
         L2BRIDGE Tbl    6          0          8          0         
         Xlate_Timeout   0          0          0          0         
         SIP Session     0          0          0          0        
        Logical Update Queue Information
                         Cur     Max     Total
         Recv Q:         0       8       74
         Xmit Q:         0       1024    1538
ASA(config)# sh failover 
 Failover On 
 Failover unit Secondary
 Failover LAN Interface: fover Ethernet0/2 (up)
 Unit Poll frequency 1 seconds, holdtime 15 seconds
 Interface Poll frequency 5 seconds, holdtime 25 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 8.0(3), Mate 8.0(3)
 Last Failover at: 11:12:06 UTC Nov 17 2010
         This host: Secondary - Active 
                 Active time: 151 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                   Interface outside (202.100.1.100): Normal (Waiting)
                   Interface inside (202.100.1.100): Normal (Waiting)
                 slot 1: empty
         Other host: Primary - Failed 
                 Active time: 288 (sec)
                 slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                   Interface outside (0.0.0.0): Normal (Waiting)
                   Interface inside (0.0.0.0): No Link (Waiting)
                 slot 1: empty
Stateful Failover Logical Update Statistics
         Link : fover Ethernet0/2 (up)
         Stateful Obj    xmit       xerr       rcv        rerr      
         General         78         0          60         0         
         sys cmd         52         0          52         0         
         up time         0          0          0          0         
         RPC services    0          0          0          0         
         TCP conn        0          0          0          0         
         UDP conn        3          0          0          0         
         ARP tbl         0          0          2          0         
         L2BRIDGE Tbl    23         0          6          0         
         Xlate_Timeout   0          0          0          0         
         SIP Session     0          0          0          0        
        Logical Update Queue Information
                         Cur     Max     Total
         Recv Q:         0       17      1381
         Xmit Q:         0       1       234
Note: after the switch port is brought back up with `no shut`, ASA1 comes back as Standby; exactly as in routed-mode failover, there is no preemption, so the switch back must be entered manually:
 ASA(config)# failover active
 Switching to Active
Note: when this lab is run on an emulator, the switchover does not take place.

Reposted from: https://blog.51cto.com/skybird/615060