Note: the devices used in this lab are ASA 5525-X; software versions: Cisco Adaptive Security Appliance Software Version 9.14(2)13, SSP Operating System Version 2.8(1.144), Device Manager Version 7.15(1)150
1. Improves network reliability and avoids a single point of failure; 2. For a firewall, it also backs up the session table and other state information; 3. Load balancing.
Principle: the firewall's hot-standby (failover) feature provides a dedicated backup channel over which the two firewalls negotiate their active/standby roles and replicate sessions and other state information. Hot standby comes in two forms:
A. Active/standby: under normal conditions only the "active unit" handles traffic while the "standby unit" sits idle; when an interface, a link, or the whole chassis of the active unit fails, the standby unit becomes the active unit and takes over its traffic.
B. Load balancing: also called "mutual active/standby" (active/active), meaning both units handle traffic at the same time; when one unit fails, the other immediately takes over its traffic, so flows that were forwarded through the failed unit are not interrupted.
Primary unit configuration:
ciscoasa(config)# failover
ciscoasa(config)# failover lan unit primary  // set the unit role: primary or secondary
ciscoasa(config)# failover lan interface Active GigabitEthernet0/1  // failover (heartbeat) link; the name and interface must be typed exactly the same on both units
ciscoasa(config)# failover link statelink GigabitEthernet0/3  // stateful failover link; again the name and interface must match on both units
ciscoasa(config)# failover interface ip Active 1.1.1.1 255.255.255.252 standby 1.1.1.2  // failover link addresses
ciscoasa(config)# failover interface ip statelink 2.2.2.1 255.255.255.252 standby 2.2.2.2  // stateful link addresses
ciscoasa(config)# interface gigabitEthernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface gigabitEthernet 0/3
ciscoasa(config-if)# no shutdown

Secondary unit configuration:
ciscoasa(config)# failover
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface Active GigabitEthernet0/1
ciscoasa(config)# failover link statelink GigabitEthernet0/3
ciscoasa(config)# failover interface ip Active 1.1.1.1 255.255.255.252 standby 1.1.1.2
ciscoasa(config)# failover interface ip statelink 2.2.2.1 255.255.255.252 standby 2.2.2.2
ciscoasa(config)# interface gigabitEthernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface gigabitEthernet 0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: Active GigabitEthernet0/1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 466 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.14(2)13, Mate 9.14(2)13
Serial Number: Ours XXXXXXXXXXX, Mate XXXXXXXXXX
Last Failover at: 20:14:31 UTC Mar 27 2021
        This host: Primary - Active
                Active time: 2606 (sec)
                slot 0: ASA5525 hw/sw rev (3.0/9.14(2)13) status (Up Sys)
                  Interface inside (10.1.1.1): No Link (Waiting)
                  Interface management (192.168.1.1): No Link (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 19 (sec)
                slot 0: ASA5525 hw/sw rev (3.1/9.14(2)13) status (Up Sys)
                  Interface inside (0.0.0.0): No Link (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)

Stateful Failover Logical Update Statistics
        Link : statelink GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         321        0          319        1
        sys cmd         319        0          319        1
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        SIP Tx          0          0          0          0
        SIP Pinhole     0          0          0          0
        Route Session   0          0          0          0
        Router ID       0          0          0          0
        User-Identity   2          0          0          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0
        STS Table       0          0          0          0
        Umbrella Device-ID 0       0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       25      2748
        Xmit Q:         0       30      1766
Status photo of the real devices
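As an added example that is not part of this write-up, the following Python checker parses show failover output like the listing above and flags what an operator should catch before trusting the pair: failover off, a version mismatch between units, no Active or no Standby Ready unit, a failover or stateful link that is not up, monitored interfaces not reporting Normal, and non-zero xerr/rerr counters. The embedded SAMPLE is an abridged, constructed copy of the output shown, and the function names are my own.

```python
import re
# Abridged copy of the page's show failover output, constructed offline input (serials and most rows omitted).
SAMPLE = """\
Failover On
Failover LAN Interface: Active GigabitEthernet0/1 (up)
Version: Ours 9.14(2)13, Mate 9.14(2)13
        This host: Primary - Active
                  Interface inside (10.1.1.1): No Link (Waiting)
                  Interface management (192.168.1.1): No Link (Waiting)
        Other host: Secondary - Standby Ready
                  Interface inside (0.0.0.0): No Link (Waiting)
        Link : statelink GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         321        0          319        1
"""

def parse_failover(text):
    def field(pat):  # first capture group of pat, or "" when the line is absent
        m = re.search(pat, text)
        return m.group(1).strip() if m else ""
    this_part, _, other_part = text.partition("Other host:")
    iface = r"Interface (\S+) \([\d.]+\): (.+)"
    return {
        "failover_on": "Failover On" in text,
        "this_host": field(r"This host: (.+)"),
        "other_host": field(r"Other host: (.+)"),
        "versions": (field(r"Version: Ours (\S+),"), field(r"Version: Ours \S+, Mate (\S+)")),
        # failover LAN link and stateful link, each with its (up)/(down) state
        "links": re.findall(r"(?:LAN Interface|Link) ?: \S+ (\S+) \((\w+)\)", text),
        "interfaces": [("this", n, s) for n, s in re.findall(iface, this_part)]
                    + [("other", n, s) for n, s in re.findall(iface, other_part)],
        # xerr + rerr summed over every row of the stateful statistics table
        "errors": sum(int(x) + int(r) for x, r in re.findall(
            r"^\s*\S.*?[ \t]+\d+[ \t]+(\d+)[ \t]+\d+[ \t]+(\d+)[ \t]*$", text, re.M)),
    }

def check_failover(text):
    i = parse_failover(text)  # returns a list of findings; empty means the pair looks healthy
    roles = (i["this_host"], i["other_host"])
    f = ["failover link %s is %s" % l for l in i["links"] if l[1] != "up"]
    if not i["failover_on"]:
        f.append("failover is not enabled")
    if i["versions"][0] != i["versions"][1]:
        f.append("software version mismatch: Ours %s, Mate %s" % i["versions"])
    if not any("Active" in r for r in roles) or not any("Standby Ready" in r for r in roles):
        f.append("expected one Active and one Standby Ready unit, got %s / %s" % roles)
    # data interfaces should read "Normal (Monitored)"; "No Link (Waiting)" means the link is down
    f += ["%s host interface %s: %s" % t for t in i["interfaces"] if not t[2].startswith("Normal")]
    if i["errors"]:
        f.append("stateful update errors: %d" % i["errors"])
    return f
```

Run against the listing above it reports the three interfaces still in No Link (Waiting) and the single rerr, which is exactly the state in which interface-failure detection cannot yet work.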
When a failure of the active unit was simulated (the upper device was powered off), the standby unit (the lower device) automatically switched its failover state to active; when the original active unit (the upper device) came back online, it ran as the standby unit. If a forced switchover is needed, use this command:
ciscoasa(config)# failover active
Switching to Active
ciscoasa(config)#