failover (hot standby)

active standby

active active

standard failover

stateful failover

active/standby: one unit (the active) carries all traffic, the other (the standby) waits with the same configuration.

active/active: both units carry traffic at the same time (requires multiple context mode, see below).

Standard failover: if the active unit's hardware fails, the standby takes over the addresses but has no connection table, so every TCP session has to be re-established.

Stateful failover: connection state is replicated continuously from the active unit to the standby over a dedicated stateful link. When the active unit goes down the standby already holds the session information, so clients are not forced to reconnect.

active/active

Two physical firewalls, each split into two security contexts, so there are four virtual firewalls. Context 1 on the left unit and context 1 on the right unit form one active/standby pair (failover group 1); context 2 on the left and context 2 on the right form a second pair (failover group 2). Group 1 is active on the left unit and group 2 is active on the right unit. Some PCs use context 1 as their gateway and others use context 2, so both units pass traffic. If the active member of group 1 fails, its state is handed to the standby member on the right unit, which becomes active for both groups; all PCs are then served by the right unit.

Requirements for a failover pair:

identical hardware (same model and interfaces)

identical software (same image version)

identical flash and RAM

identical encryption support (the DES / 3DES-AES licence must be the same on both units)
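The requirement list above can be checked before the units are cabled together, by comparing the `show version` output of both. The script below is an added example, not from the original notes: the two `show version` outputs it carries are constructed in the PIX 7.x layout with made-up values, and the ASA flash line it also accepts ("Internal ATA Compact Flash, ...") is an assumption about that platform's output.

```python
"""Pre-flight check that two PIX/ASA units may be paired for failover.

Added example, not part of the original notes. It extracts the fields the
notes list as mandatory (platform, RAM, flash, software version and the
licensed failover/encryption features) from each unit's `show version`
output and reports anything that differs.
"""
import re

# Constructed in the PIX 7.x `show version` layout; all values are made up.
PRIMARY_SHOW_VERSION = """\
Cisco PIX Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "flash:/pix724.bin"

pix1 up 3 days 2 hours

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 5
"""

# Constructed: same platform and image, but less RAM and no 3DES/AES
# licence, which the notes say disqualifies the unit as a peer.
SECONDARY_SHOW_VERSION = re.sub(
    r"^(VPN-3DES-AES\s*:\s*)Enabled", r"\1Disabled",
    PRIMARY_SHOW_VERSION.replace("128 MB RAM", "64 MB RAM"), flags=re.M)

SOFTWARE_RE = re.compile(r"Software Version\s+(\S+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+([^,]+),\s+(\d+\s*MB)\s+RAM", re.M)
# PIX: "Flash <part> @ <addr>, 16MB"; ASA (assumed layout):
# "Internal ATA Compact Flash, 256MB".
FLASH_RE = re.compile(
    r"^(?:Flash\s.*?|Internal ATA Compact Flash),\s*(\d+\s*MB)\s*$", re.M)
FEATURE_RE = re.compile(
    r"^(Failover|VPN-DES|VPN-3DES-AES|Security Contexts)\s*:\s*(.+?)\s*$", re.M)


def unit_profile(show_version):
    """Pull the must-match fields out of one unit's `show version` output."""
    prof = {}
    m = SOFTWARE_RE.search(show_version)
    prof["software"] = m.group(1) if m else None
    m = HARDWARE_RE.search(show_version)
    prof["platform"] = m.group(1).strip() if m else None
    prof["ram"] = m.group(2).replace(" ", "") if m else None
    m = FLASH_RE.search(show_version)
    prof["flash"] = m.group(1).replace(" ", "") if m else None
    for name, value in FEATURE_RE.findall(show_version):
        prof[name] = value
    return prof


def failover_eligible(primary_out, secondary_out):
    """Return (field, primary_value, secondary_value) for every mismatch.

    An empty list means the pair satisfies the identical hardware, software,
    flash/RAM and licence requirements from the notes.
    """
    a, b = unit_profile(primary_out), unit_profile(secondary_out)
    mismatches = [(k, a.get(k), b.get(k))
                  for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
    # Matching each other is not enough: failover must be licensed on both.
    for label, prof in (("primary", a), ("secondary", b)):
        if prof.get("Failover") in (None, "Disabled"):
            mismatches.append(("Failover", label, prof.get("Failover")))
    return mismatches


if __name__ == "__main__":
    for field, ours, mate in failover_eligible(PRIMARY_SHOW_VERSION,
                                               SECONDARY_SHOW_VERSION):
        print("mismatch: %-14s primary=%s secondary=%s" % (field, ours, mate))
```

The comparison is deliberately strict on the licence lines: a pair where only one unit has the 3DES/AES licence will replicate VPN configuration the standby cannot run, so the mismatch is reported with the same weight as a RAM or image difference.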

How is the active unit determined to be down?

The units exchange hello packets over the failover link. When hellos stop arriving on a monitored interface, the unit runs the interface tests below; an interface is declared failed only if all of them fail on this unit while the same interface on the peer passes. If a monitored interface on the active unit has failed and the standby's is fine, the standby takes over.

link up/down test: if the physical link is down, hand over to the standby.

network activity test: passively listen for traffic arriving on the interface.

ARP test: take the 10 most recent entries in the ARP table and send ARP requests to them; any reply passes the test.

broadcast ping test: send a broadcast ping on the interface and see whether anyone answers.

Three kinds of failover link

1. cable-based: a dedicated serial failover cable. Failover run over this cable is called cable-based. The cable has a primary end and a secondary end, and it carries a signal that tells each unit whether the other end is powered, so a powered-off peer is detected immediately.

2. LAN-based: an ordinary crossover Ethernet cable (or a dedicated switch VLAN). Switchover is slower because a powered-off peer is only noticed once the hold time expires. The ASA supports only LAN-based failover. The link must be a dedicated physical interface.

3. stateful: a separate link carrying connection-state replication; also a dedicated physical interface.

On switchover the real (active) IP and MAC addresses move to the new active unit, so hosts and routers keep the same gateway address and ARP entry. The units send hello packets to each other for failure detection.

cable-based

The inside and outside interfaces of the two units must be in the same layer-2 segment (the active and standby addresses of each interface live in one subnet).

The primary and secondary ends of the cable must not be swapped. Configuration flows from the primary to the secondary, so if they are reversed the empty configuration is pushed onto the already-configured unit.

All configuration is done on the active unit; the standby receives it by replication and needs nothing typed on it.

Configuration (cable-based active/standby, entered on the primary):

failover

interface e0

ip address 192.168.2.2 255.255.255.0 standby 192.168.2.7

interface e1

ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7

failover polltime unit 10    (hello interval between the units, in seconds)

show failover    (unit state, interface state and software version of both units)

Manual switchover:

failover active    (on the standby unit: forces it to become active)

no failover active    (on the active unit: forces it to become standby)
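Rather than reading `show failover` by eye after every change, the states it prints can be checked by a script. The following is an added example, not from the original notes: the sample outputs are constructed to mirror the PIX 7.x / ASA `show failover` layout, using the addresses of the lab above, with interface names, timestamps and version numbers assumed. It also covers the split-brain case (both units claiming to be active), which one unit's output alone cannot show and which therefore compares the output of both.

```python
"""Health check over `show failover` output from a PIX/ASA active/standby pair.

Added example, not part of the original notes. It parses the unit and
interface states that `show failover` prints and returns findings a
monitoring job can alert on.
"""
import re

# Constructed to mirror the PIX 7.x / ASA layout: a healthy pair as seen
# from the primary. Addresses follow the lab above; names, times and
# versions are assumed.
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: lfo Ethernet1 (up)
Unit Poll frequency 10 seconds, holdtime 30 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(4), Mate 7.2(4)
Last Failover at: 10:13:24 UTC Jan 3 2010
        This host: Primary - Active
                Active time: 125 (sec)
                  Interface outside (192.168.2.2): Normal
                  Interface inside (10.0.2.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.168.2.7): Normal
                  Interface inside (10.0.2.7): Normal
"""

# Constructed: the mate lost its inside link and was marked Failed, and it
# runs a different image, which the notes say a pair must never do.
DEGRADED = (HEALTHY.replace("Mate 7.2(4)", "Mate 7.2(2)")
            .replace("Secondary - Standby Ready", "Secondary - Failed")
            .replace("(10.0.2.7): Normal", "(10.0.2.7): Failed (Waiting)"))

# Constructed: what the secondary prints when the failover link is cut and
# it has promoted itself while the primary is still active (split brain).
ISOLATED_MATE = (HEALTHY.replace("Failover unit Primary", "Failover unit Secondary")
                 .replace("This host: Primary - Active", "This host: Secondary - Active")
                 .replace("Other host: Secondary - Standby Ready",
                          "Other host: Primary - Not Detected"))

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([\d.]+)\):\s+(.+?)\s*$")
VERSION_RE = re.compile(r"^Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)")
LINK_RE = re.compile(r"^Failover LAN Interface:\s+(\S+)\s+(\S+)\s+\((\w+)\)")
GOOD_UNIT_STATES = {"Active", "Standby Ready"}


def parse_show_failover(text):
    """Return failover on/off, versions, link state and per-host interface states."""
    info = {"failover_on": None, "versions": None, "link": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            info["failover_on"] = True
        elif line.startswith("Failover Off"):
            info["failover_on"] = False
        m = VERSION_RE.match(line)
        if m:
            info["versions"] = (m.group(1), m.group(2))
            continue
        m = LINK_RE.match(line)
        if m:
            info["link"] = {"name": m.group(1), "phys": m.group(2), "status": m.group(3)}
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1).lower()            # "this" or "other"
            info["hosts"][host] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and host:                            # interface lines belong to the last host seen
            info["hosts"][host]["interfaces"][m.group(1)] = {"ip": m.group(2), "state": m.group(3)}
    return info


def check_failover(text):
    """Findings for one unit's output; an empty list means the pair looks healthy."""
    info = parse_show_failover(text)
    findings = []
    if info["failover_on"] is False:
        findings.append("failover-off")
    if info["link"] and info["link"]["status"] != "up":
        findings.append("failover-link-down:" + info["link"]["name"])
    if info["versions"] and info["versions"][0] != info["versions"][1]:
        findings.append("version-mismatch:%s/%s" % info["versions"])
    if "other" not in info["hosts"]:
        findings.append("mate-missing")
    for host, data in info["hosts"].items():
        if data["state"] not in GOOD_UNIT_STATES:        # Failed, Not Detected, Cold Standby, ...
            findings.append("unit-%s:%s" % (host, data["state"]))
        for name, iface in data["interfaces"].items():
            if not iface["state"].startswith("Normal"):  # "Normal (Monitored)" is also fine
                findings.append("iface-%s-%s:%s" % (host, name, iface["state"]))
    return findings


def split_brain(out_a, out_b):
    """True when both units claim to be Active: the failover link is gone and
    the same IP and MAC addresses are live on two boxes at once."""
    return all(parse_show_failover(o)["hosts"].get("this", {}).get("state") == "Active"
               for o in (out_a, out_b))
```

From a monitoring job, a non-empty list from check_failover is the alert. split_brain needs both units' outputs because a unit whose failover link is cut reports its mate as Not Detected and itself as Active, which from one side looks like a normal peer failure; two units both active is the one failure that duplicates the gateway's IP and MAC on the segment.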

lan-based

The failover link must be a dedicated physical interface.

Configuration:

Two cables are needed between the units:

one carries the failover traffic (hellos and configuration replication), the other carries the stateful failover traffic (connection state). Both are required and both must be physical interfaces. Each goes in its own VLAN (VLAN 4 and VLAN 5 below) or on a direct cable: anything attached to those segments can read the replicated configuration and the session state, so nothing else belongs there.

sw:

vlan 2 name outside

vlan 3 name inside

vlan 4 name lfo

vlan 5 name sta

outside router:

int e0/0

ip add 202.100.1.10 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 202.100.1.1    (the PIX outside active address)

inside router:

int e0/0

ip add 10.1.1.10 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.1.1.1    (the PIX inside active address)

sw:

int f0/1    (outside router)

sw mode acc

sw acc vlan 2

int f0/2    (inside router)

sw mode acc

sw acc vlan 3

int range f0/17 , f0/18    (failover link VLAN: the two PIX e1 ports)

sw mode acc

sw acc vlan 4

int range f0/9 , f0/11    (stateful link VLAN: the two PIX e2 ports)

sw mode acc

sw acc vlan 5

int range f0/7 , f0/8    (trunks to the two PIX e0 ports, which carry the outside and inside subinterfaces)

sw trunk en dot1q

sw mode trunk

pix1:

int e0

no sh

int e1

no sh

int e2

no sh

int e0.2

vlan 2

ip add 202.100.1.1 255.255.255.0 standby 202.100.1.2

nameif outside

int e0.3

vlan 3

ip add 10.1.1.1 255.255.255.0 standby 10.1.1.2

nameif inside

failover lan enable    (enables LAN-based failover on the PIX; the ASA has no cable-based mode and does not need this)

failover lan unit primary    (this is the primary unit)

failover lan interface lfo e1    (names the failover link and binds it to a physical interface, e1 here as on pix2)

failover interface ip lfo 192.168.1.1 255.255.255.0 standby 192.168.1.2

failover key cisco    (shared secret for the failover and stateful links; without a key the replicated configuration, including passwords and VPN keys, and the session state cross the links in clear text. Must be identical on both units)

failover    (enables failover)

pix2:

int e1    (on the secondary only the heartbeat link needs enabling; the rest is replicated from pix1 once failover comes up)

no sh

failover lan enable

failover lan unit secondary

failover lan interface lfo e1

failover interface ip lfo 192.168.1.1 255.255.255.0 standby 192.168.1.2

failover key cisco

failover

pix1:

wr mem

wr standby    (pushes the active unit's running configuration to the standby; saving on behalf of the standby is driven from the active unit)

no failover active    (manual switchover: this unit becomes standby)

failover link sta e2    (stateful failover link on a dedicated physical interface)

failover interface ip sta 192.168.2.1 255.255.255.0 standby 192.168.2.2

Once failover is configured, do not wipe the configuration with clear config all: with failover running, the standby PIX has taken over the active firewall's MAC addresses, so after the clear the two units may end up using the same MAC addresses on the same segment.

Custom failover MAC addresses (interface, then the active MAC, then the standby MAC):

failover mac address e0 00a0.c976.cde5 00a0.c922.9176

active/active

sw:

vlan database

vlan 2 name sp1

vlan 3 name sp2

vlan 4 name outside

vlan 5 name lfo

vlan 6 name sta

vlan 7 name inside.1

vlan 8 name inside.2

internet router:

int e0/0

no sh

int e0/0.2

encapsulation dot1q 2

ip add 202.100.1.100 255.255.255.0

int e0/0.3

encapsulation dot1q 3

ip add 61.128.128.100 255.255.255.0

int lo0

ip add 58.1.1.1 255.255.255.0

sp1:

int e0/0

no sh

int e0/0.2

encapsulation dot1q 2

ip add 202.100.1.1 255.255.255.0

int e0/0.4

encapsulation dot1q 4

ip add 192.168.1.10 255.255.255.0

sp2:

int e0/0

no sh

int e0/0.3

encapsulation dot1q 3

ip add 61.128.128.1 255.255.255.0

int e0/0.4

encapsulation dot1q 4

ip add 192.168.1.20 255.255.255.0

inside.1 router:

int e0/0

ip add 10.1.1.100 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 10.1.1.1

inside.2 router:

int e0/0

ip add 20.1.1.100 255.255.255.0

no sh

ip route 0.0.0.0 0.0.0.0 20.1.1.1

sp1:

ip route 0.0.0.0 0.0.0.0 202.100.1.100

ip route 10.1.1.0 255.255.255.0 192.168.1.1    (context sp1's outside active address)

access-list 5 permit 10.1.1.0 0.0.0.255

ip nat inside source list 5 interface e0/0.2 overload

int e0/0.2

ip nat outside

int e0/0.4

ip nat inside

sp2:

ip route 0.0.0.0 0.0.0.0 61.128.128.100

ip route 20.1.1.0 255.255.255.0 192.168.1.101    (context sp2's outside active address)

access-list 5 permit 20.1.1.0 0.0.0.255

ip nat inside source list 5 interface e0/0.3 overload

int e0/0.3

ip nat outside

int e0/0.4

ip nat inside    (faces context sp2's outside interface, so it is the NAT inside)

sw:

int range f0/3 , f0/1 , f0/4    (trunks to the internet, sp1 and sp2 routers)

sw trunk en dot1q

sw mode trunk

int f0/5    (inside.1 router)

sw mode acc

sw acc vlan 7

int f0/6    (inside.2 router)

sw mode acc

sw acc vlan 8

int range f0/17 , f0/18    (failover link VLAN: the two PIX e1 ports)

sw mode acc

sw acc vlan 5

int range f0/9 , f0/11    (stateful link VLAN: the two PIX e2 ports)

sw mode acc

sw acc vlan 6

int range f0/7 , f0/8    (trunks to the two PIX e0 ports)

sw trunk en dot1q

sw mode trunk

pix1 (system context; active/active needs multiple context mode, which these notes assume was already set with mode multiple):

delete flash:/c1.cfg    (remove leftover context files from earlier labs)

delete flash:/c2.cfg

delete flash:/admin.cfg

delete flash:/old_running.cfg

show flash:

wr mem

context sp1

config-url flash:/sp1.cfg

exit

context sp2

config-url flash:/sp2.cfg

exit

int e0

no sh

int e1

no sh

int e2

no sh

int e0.4

vlan 4

int e0.7

vlan 7

int e0.8

vlan 8

context sp1

allocate-interface e0.4    (assign interfaces to the context; e0.4 is shared by both contexts as their outside)

allocate-interface e0.7

exit

context sp2

allocate-interface e0.4

allocate-interface e0.8

exit

failover group 1    (system context)

primary    (group 1 is active on the primary unit)

exit

failover group 2    (system context)

secondary    (group 2 is active on the secondary unit; the primary is its standby)

exit

context sp1

join-failover-group 1    (put context sp1 in group 1)

context sp2

join-failover-group 2    (put context sp2 in group 2)

wr mem

failover lan enable

failover lan unit primary

failover lan interface lfo e1

failover interface ip lfo 192.168.101.1 255.255.255.0 standby 192.168.101.2

failover key cisco

failover

wr mem

pix2:

config t

int e1

no sh

failover lan enable

failover lan unit secondary

failover lan interface lfo e1

failover interface ip lfo 192.168.101.1 255.255.255.0 standby 192.168.101.2

failover key cisco    (must match pix1 exactly)

failover

pix1:

changeto context sp2

show failover    (shows that group 2 is still active on this unit, because pix1 came up first)

changeto system

no failover active group 2    (hand group 2 to pix2, so it is active there as designed)

changeto context sp1

int e0.4

nameif outside

ip add 192.168.1.1 255.255.255.0 standby 192.168.1.2

int e0.7

nameif inside

ip add 10.1.1.1 255.255.255.0 standby 10.1.1.2

wr mem

pix2 (a context can only be configured on the unit where its failover group is active, which for group 2 is now pix2):

changeto context sp2

int e0.4

nameif outside

ip add 192.168.1.101 255.255.255.0 standby 192.168.1.102

int e0.8

nameif inside

ip add 20.1.1.1 255.255.255.0 standby 20.1.1.2

pix1:

changeto context sp1

route outside 0 0 192.168.1.10    (sp1 router)

pix2:

changeto context sp2

route outside 0 0 192.168.1.20    (sp2 router)

pix1:

changeto system

failover link sta e2    (stateful link on the third physical interface)

failover interface ip sta 192.168.102.1 255.255.255.0 standby 192.168.102.2

wr mem

wr standby