防火墙 Failover.doc

防火墙 Failover 一、failover相关概念：1、failover线：又叫心跳线，是一条故障切换线，参与failover 的防火墙通过这条线决定本身的状态。Failover 线有2种：专用的cable线和LAN线2、statful failover线：即状态线，时刻传递状态信息由主到 次，该线的带宽必须大于等于用户接 口的带宽，状态有3种：专用以太口 或共享LAN-base的failover线或共 享用户接口(不建议）3、failover 组网拓扑：有2种：基于专用cable和基于LAN二、试验拓扑： 三、试验配置：FW5(config)# activation-key 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57（添加UR许可，有UR许可才支持Failover）1、基于Lan base的A/S模式FW5（活动设备）FW5(config)# failover link bluefox e3(指定Failover状态接口）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（配置状态接口的IP）FW5(config)# interface e3（打开接口）FW5(config-if)# no shFW5(config-if)# exitFW5(config)# failover lan enable （启用lan base）FW5(config)# failover lan unit primary （指定该设备为主设备）FW5(config)# failover lan interface bluefox e3（指定Failover线（可与状态线共用）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（共用时可不配）FW5(config)# failover FW5(config)# interface e0FW5(config-if)# nameif outsideFW5(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e1FW5(config-if)# nameif insideFW5(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e2FW5(config-if)# nameif dmzFW5(config-if)# security-level 50FW5(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6FW5(config-if)# no shFW5(config-if)# exitFW6（备份设备）FW6(config)# interface e3FW6(config-if)# no shFW6(config-if)# exit（打开状态线）FW6(config)# failover lan enable （启用lan base）FW6(config)# failover lan unit secondary （指定该设备为辅助设备）FW6(config)# failover lan interface bluefox e3（指定Failover线）FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6FW6(config)# failover（启用Failover）测试与分析：FW5FW6FW5由以上各图知FW5为主、FW6为备份设备.在FW6上手动抢占FW6已成为主设备。FW6切换为辅助设备以下为各个设备的详细配置：FW5interface Ethernet0 nameif outside security-level 0 ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6 interface Ethernet1 nameif inside security-level 100 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6 interface Ethernet2 nameif dmz security-level 50 ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6 interface Ethernet3 description LAN/STATE Failover Interfaceaccess-list 100 extended permit ip any any failoverfailover lan unit primaryfailover lan interface bluefox Ethernet3failover lan enablefailover link bluefox Ethernet3failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6access-group 100 in interface outsideaccess-group 100 in interface dmzroute outside 0.0.0.0 0.0.0.0 192.168.7.7 1route inside 192.168.10.0 255.255.255.0 192.168.5.100 1route inside 192.168.20.0 255.255.255.0 192.168.5.100 1route dmz 192.168.30.0 255.255.255.0 192.168.8.4 1route dmz 192.168.40.0 255.255.255.0 192.168.8.4 1SW1spanning-tree vlan 1 priority 0spanning-tree vlan 10 priority 0spanning-tree vlan 20 priority 0interface Port-channel1 switchport mode trunkinterface FastEthernet1/1 switchport access vlan 5interface FastEthernet1/2 switchport access vlan 6 interface FastEthernet1/3 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/4 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/5 switchport trunk allowed vlan 1-4,7-1005 switchport mode trunkinterface Vlan5 ip address 192.168.5.1 255.255.255.0 standby 5 ip 192.168.5.100 standby 5 priority 120 standby 5 preempt standby 5 track FastEthernet1/5 50interface Vlan6 ip address 192.168.6.1 255.255.255.0interface Vlan10 ip address 192.168.10.1 255.255.255.0 standby 10 ip 192.168.10.100 standby 10 priority 120 standby 10 preempt standby 10 track FastEthernet1/1 50interface Vlan20 ip address 192.168.20.1 255.255.255.0 standby 20 ip 192.168.20.100 standby 20 priority 120 standby 20 preempt standby 20 track FastEthernet1/1 50ip route 0.0.0.0 0.0.0.0 192.168.5.5SW2spanning-tree vlan 1 priority 4096spanning-tree vlan 10 priority 4096spanning-tree vlan 20 priority 4096interface Port-channel1 switchport mode trunkinterface FastEthernet1/1 switchport access vlan 5interface FastEthernet1/2 switchport access vlan 6interface FastEthernet1/3 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/4 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/5 switchport trunk allowed vlan 1-4,7-1005 switchport mode trunk interface Vlan5 ip address 192.168.5.2 255.255.255.0 standby 5 ip 192.168.5.100 standby 5 preemptinterface Vlan6 ip address 192.168.6.2 255.255.255.0interface Vlan10 ip address 192.168.10.2 255.255.255.0 standby 10 ip 192.168.10.100 standby 10 preemptinterface Vlan20 ip address 192.168.20.2 255.255.255.0 standby 20 ip 192.168.20.100 standby 20 preemptip route 0.0.0.0 0.0.0.0 192.168.5.5SW3interface FastEthernet1/1 switchport mode trunkinterface FastEthernet1/2 switchport mode trunkinterface FastEthernet1/3 switchport access vlan 10interface FastEthernet1/4 switchport access vlan 20SW4interface FastEthernet1/1 switchport access vlan 7interface FastEthernet1/2 switchport access vlan 7interface FastEthernet1/3 switchport access vlan 30interface FastEthernet1/4 switchport access vlan 40interface Vlan7 ip address 192.168.8.4 255.255.255.0interface Vlan30 ip address 192.168.30.1 255.255.255.0interface Vlan40 ip address 192.168.40.1 255.255.255.0ip route 0.0.0.0 0.0.0.0 192.168.7.5ip route 0.0.0.0 0.0.0.0 192.168.8.5R7 interface Loopback0 ip address 202.103.96.112 255.255.255.0interface Ethernet0/0 ip address 192.168.7.7 255.255.255.0ip route 192.168.0.0 255.255.0.0 192.168.7.52、基于Lan base的A/A模式FW5（活动设备）FW5(config)# failover link bluefox e3(指定Failover状态接口）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（配置状态接口的IP）FW5(config)# interface e3（打开接口）FW5(config-if)# no shFW5(config-if)# exitFW5(config)# failover lan enable （启用lan base）FW5(config)# failover lan unit primary （指定该设备为主设备）FW5(config)# failover lan interface bluefox e3（指定Failover线（可与状态线共用）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（共用时可不配） 以下是A/A 区别与A/S 的配置：FW5(config)# failover group 1(创建Failover 组）FW5(config-fover-group）#primary（指定Failover组的类型）FW5(config-fover-group）#preempt（启用抢占）FW5(config-fover-group）#exitFW5(config)# failover group 2FW5(config-fover-group）#secondaryFW5(config-fover-group）#preemptFW5(config-fover-group）#exitFW5(config)# context bluefox（创建安全环境）FW5(config-context）#join-failover 1/2（将安全环境加入组，在辅助设备一方与主方角色相反） FW5(config-context）#exitFW5(config)# failover FW5(config)# interface e0FW5(config-if)# nameif outsideFW5(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e1FW5(config-if)# nameif insideFW5(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e2FW5(config-if)# nameif dmzFW5(config-if)# security-level 50FW5(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6FW5(config-if)# no shFW5(config-if)# exitFW6（备份设备）FW6(config)# interface e3FW6(config-if)# no shFW6(config-if)# exit（打开状态线）FW6(config)# failover lan enable （启用lan base）FW6(config)# failover lan unit secondary （指定该设备为辅助设备）FW6(config)# failover lan interface bluefox e3（指定Failover线）FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6FW6(config)# failover（启用Failover）3、基于cable-based的A/S模式（只有A/S模式，主备有线缆决定）FW5(config)# failover link bluefox e3(指定Failover状态接口）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（配置状态接口