1.测试拓扑:
2.配置步骤:
A.测试心跳连通性:
①FW1:
interface Ethernet2
nameif failover
ip add 192.168.1.1 255.255.255.0
no shut
②FW2:
interface Ethernet2
nameif failover
ip add 192.168.1.2 255.255.255.0
no shut
③测试:
FW1(config-if)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms
FW1(config-if)#
④清除接口配置:
(config)# clear configure interface ethernet 2
B.primary墙配置:
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.254
no shut
interface Ethernet1
nameif inside
security-level 100
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.254
no shut
interface Ethernet2
no shut
failover lan unit primary
failover lan interface FO Ethernet2
failover lan enable
failover key cisco
failover link FO Ethernet2
failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
最后敲failover
C.secondary墙配置:
failover lan unit secondary
failover lan interface FO Ethernet2
failover lan enable
failover key cisco
failover link FO Ethernet2
failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
interface Ethernet2
no shut
最后敲failover,并将心跳线no shutdown。
备墙只需以上命令,其余的配置会自动同步过来。
3.测试:
A.开启icmp审查:
FW1(config)# policy-map global_policy
FW1(config-pmap)# class inspection_default
FW1(config-pmap-c)# inspect icmp
B.R1、R2配置接口地址和默认路由:
R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.8 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
R2(config)#int f0/0
R2(config-if)#ip add 20.1.1.8 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip route 0.0.0.0 0.0.0.0 20.1.1.1
C.在R2上开启ping:
R2#ping 10.1.1.8 repeat 10000
D.R3上shutdown与FW1连线的接口:
R3(config-if)#int f0/2
R3(config-if)#shut
R3(config-if)#shutdown
E.R2终止ping,可以看到有丢包:
R2#ping 10.1.1.8 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!..............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 97 percent (511/526), round-trip min/avg/max = 4/42/160 ms
4.注意事项:
A.不能通过shutdown主墙的接口来使主备切换,这样只能把配置传到备墙,备墙只是把接口shutdown。
B.A/S没有配置抢占的地方
C.终止路由器ping操作的快捷方式为ctrl+shif+6
D.PIX比ASA多一条命令:failover lan enable
2.配置步骤:
A.测试心跳连通性:
①FW1:
interface Ethernet2
nameif failover
ip add 192.168.1.1 255.255.255.0
no shut
②FW2:
interface Ethernet2
nameif failover
ip add 192.168.1.2 255.255.255.0
no shut
③测试:
FW1(config-if)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms
FW1(config-if)#
④清除接口配置:
(config)# clear configure interface ethernet 2
B.primary墙配置:
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.254
no shut
interface Ethernet1
nameif inside
security-level 100
ip address 20.1.1.1 255.255.255.0 standby 20.1.1.254
no shut
interface Ethernet2
no shut
failover lan unit primary
failover lan interface FO Ethernet2
failover lan enable
failover key cisco
failover link FO Ethernet2
failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
最后敲failover
C.secondary墙配置:
failover lan unit secondary
failover lan interface FO Ethernet2
failover lan enable
failover key cisco
failover link FO Ethernet2
failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
interface Ethernet2
no shut
最后敲failover,并将心跳线no shutdown。
备墙只需以上命令,其余的配置会自动同步过来。
3.测试:
A.开启icmp审查:
FW1(config)# policy-map global_policy
FW1(config-pmap)# class inspection_default
FW1(config-pmap-c)# inspect icmp
B.R1、R2配置接口地址和默认路由:
R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.8 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
R2(config)#int f0/0
R2(config-if)#ip add 20.1.1.8 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip route 0.0.0.0 0.0.0.0 20.1.1.1
C.在R2上开启ping:
R2#ping 10.1.1.8 repeat 10000
D.R3上shutdown与FW1连线的接口:
R3(config-if)#int f0/2
R3(config-if)#shut
R3(config-if)#shutdown
E.R2终止ping,可以看到有丢包:
R2#ping 10.1.1.8 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!..............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 97 percent (511/526), round-trip min/avg/max = 4/42/160 ms
4.注意事项:
A.不能通过shutdown主墙的接口来使主备切换,这样只能把配置传到备墙,备墙只是把接口shutdown。
B.A/S没有配置抢占的地方
C.终止路由器ping操作的快捷方式为ctrl+shif+6
D.PIX比ASA多一条命令:failover lan enable
E.standby 地址在网络中ping不通,备机无法进行管理,备墙的状态通过主机show failover可以看的到。
本文转自 碧云天 51CTO博客,原文链接:http://blog.51cto.com/333234/948972,如需转载请自行联系原作者
