防火墙 Failover

《防火墙 Failover》由会员分享，可在线阅读，更多相关《防火墙 Failover（13页珍藏版）》请在金锄头文库上搜索。

1、 防火墙 Failover 一、failover相关概念：1、failover线：又叫心跳线，是一条故障切换线，参与failover 的防火墙通过这条线决定本身的状态。Failover 线有2种：专用的cable线和LAN线2、statful failover线：即状态线，时刻传递状态信息由主到 次，该线的带宽必须大于等于用户接 口的带宽，状态有3种：专用以太口 或共享LAN-base的failover线或共 享用户接口(不建议）3、failover 组网拓扑：有2种：基于专用cable和基于LAN二、试验拓扑： 三、试验配置：FW5(config)# activation-key 0x523

2、6f5a7 0x97def6da 0x732a91f5 0xf5deef57（添加UR许可，有UR许可才支持Failover）1、基于Lan base的A/S模式FW5（活动设备）FW5(config)# failover link bluefox e3(指定Failover状态接口）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（配置状态接口的IP）FW5(config)# interface e3（打开接口）FW5(config-if)# no shFW5(co

3、nfig-if)# exitFW5(config)# failover lan enable （启用lan base）FW5(config)# failover lan unit primary （指定该设备为主设备）FW5(config)# failover lan interface bluefox e3（指定Failover线（可与状态线共用）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（共用时可不配）FW5(config)# failover FW5(co

4、nfig)# interface e0FW5(config-if)# nameif outsideFW5(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e1FW5(config-if)# nameif insideFW5(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6FW5(config-if)# no s

5、hFW5(config-if)# exitFW5(config)# interface e2FW5(config-if)# nameif dmzFW5(config-if)# security-level 50FW5(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6FW5(config-if)# no shFW5(config-if)# exitFW6（备份设备）FW6(config)# interface e3FW6(config-if)# no shFW6(config-if)# exit（打开状态线）FW6(

6、config)# failover lan enable （启用lan base）FW6(config)# failover lan unit secondary （指定该设备为辅助设备）FW6(config)# failover lan interface bluefox e3（指定Failover线）FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6FW6(config)# failover（启用Failover）测试与分析：FW5FW6FW5由以上各图知FW5为主

7、、FW6为备份设备.在FW6上手动抢占FW6已成为主设备。FW6切换为辅助设备以下为各个设备的详细配置：FW5interface Ethernet0 nameif outside security-level 0 ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6 interface Ethernet1 nameif inside security-level 100 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6 interface Ethernet2 nameif

8、 dmz security-level 50 ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6 interface Ethernet3 description LAN/STATE Failover Interfaceaccess-list 100 extended permit ip any any failoverfailover lan unit primaryfailover lan interface bluefox Ethernet3failover lan enablefailover link bluefox Eth

9、ernet3failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6access-group 100 in interface outsideaccess-group 100 in interface dmzroute outside 0.0.0.0 0.0.0.0 192.168.7.7 1route inside 192.168.10.0 255.255.255.0 192.168.5.100 1route inside 192.168.20.0 255.255.255.0 192.168.5.1

10、00 1route dmz 192.168.30.0 255.255.255.0 192.168.8.4 1route dmz 192.168.40.0 255.255.255.0 192.168.8.4 1SW1spanning-tree vlan 1 priority 0spanning-tree vlan 10 priority 0spanning-tree vlan 20 priority 0interface Port-channel1 switchport mode trunkinterface FastEthernet1/1 switchport access vlan 5int

11、erface FastEthernet1/2 switchport access vlan 6 interface FastEthernet1/3 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/4 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/5 switchport trunk allowed vlan 1-4,7-1005 switchport mode trunkinterface Vlan5 ip add

12、ress 192.168.5.1 255.255.255.0 standby 5 ip 192.168.5.100 standby 5 priority 120 standby 5 preempt standby 5 track FastEthernet1/5 50interface Vlan6 ip address 192.168.6.1 255.255.255.0interface Vlan10 ip address 192.168.10.1 255.255.255.0 standby 10 ip 192.168.10.100 standby 10 priority 120 standby

13、 10 preempt standby 10 track FastEthernet1/1 50interface Vlan20 ip address 192.168.20.1 255.255.255.0 standby 20 ip 192.168.20.100 standby 20 priority 120 standby 20 preempt standby 20 track FastEthernet1/1 50ip route 0.0.0.0 0.0.0.0 192.168.5.5SW2spanning-tree vlan 1 priority 4096spanning-tree vlan

14、 10 priority 4096spanning-tree vlan 20 priority 4096interface Port-channel1 switchport mode trunkinterface FastEthernet1/1 switchport access vlan 5interface FastEthernet1/2 switchport access vlan 6interface FastEthernet1/3 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/4 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/5 switchport trunk allowed vlan 1-4,7-1005 switchport mode trunk interface Vlan5 ip address 192.168.5.2 255.255.255.0 standby 5 ip 192.168.5.100 s