Failover (hot standby)
  active/standby
  active/active
  standard failover
  stateful failover

Standard failover: if the hardware dies, the standby comes up, but TCP connections must be re-established.
Stateful failover: state is replicated. When the active unit goes down, its state information has already been passed to the standby unit, so no reconnection is required.

active/active
There are two firewalls, and each is virtualized into two, so there are effectively four virtual firewalls. One virtual firewall on the left unit and one on the right unit form an active/standby pair; the second one on the left and the second one on the right form another active/standby pair. Context 1 is active on the left unit, context 2 is active on the right unit. Some PCs point their gateway at 1, others at 2, so traffic flows through both units. If the active member of the first group fails, it hands its state information to the standby firewall on the right; the right unit is then active for both groups and all PCs go through it.

Requirements for a failover pair:
  identical hardware
  identical software
  identical flash and RAM
  identical encryption support

How is the active unit determined to be down?
  If a link is detected down, hand over to the standby.
  Passively monitor network traffic.
  Send requests to the last 10 ARP table entries and see whether they respond.
  Send a broadcast ping and see whether anyone answers.
Three kinds of failover link:
1. cable-based: uses a dedicated serial failover cable; failover run over this serial cable is called cable-based. The cable itself can detect that the standby end has lost power.
2. LAN-based: an ordinary crossover Ethernet cable; switchover is slower. The ASA supports only LAN-based failover. Must be a physical port.
3. stateful: a dedicated link for state replication; must be a physical port.
On switchover the units swap their real IP and MAC addresses. They send hellos to each other for detection.

cable-based:
inside and outside must be reachable at layer 2 between the two units.
primary and secondary must never be connected the wrong way round: if they are reversed, the empty configuration is poured into the unit that was already configured.
All configuration is done on the active unit; the standby needs nothing.
Configuration (cable-based):
failover
interface e0
 ip address 192.168.2.2 255.255.255.0 standby 192.168.2.7
interface e1
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.7
failover polltime unit 10
show failover
Switchover:
failover active                          (on the primary unit)
or, on the secondary unit: no failover active
LAN-based
Requires a physical port.
Configuration:
Two cables are needed between the units: one for the failover link (carries the LAN-based failover messages) and one for the stateful link (carries the replicated state). Both are required, and each must be a physical port.
sw:
vlan 2 name outside
vlan 3 name inside
vlan 4 name lfo
vlan 5 name sta
outside (router):
interface e0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.1
inside (router):
interface e0/0
 ip address 10.1.1.10 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
sw:
interface f0/1
 switchport mode access
 switchport access vlan 2
interface f0/2
 switchport mode access
 switchport access vlan 3
interface range f0/17 , f0/18
 switchport mode access
 switchport access vlan 4
interface range f0/9 , f0/11
 switchport mode access
 switchport access vlan 5
interface range f0/7 , f0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
pix1:
interface e0
 no shutdown
interface e1
 no shutdown
interface e2
 no shutdown
interface e0.2
 vlan 2
 nameif outside
 ip address 202.100.1.1 255.255.255.0 standby 202.100.1.2
interface e0.3
 vlan 3
 nameif inside
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan enable                      (activates LAN-based failover on the PIX; the ASA does not need this)
failover lan unit primary                (this unit is the primary firewall)
failover lan interface lfo e1            (logical name followed by the physical interface)
failover interface ip lfo 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover key cisco
failover                                 (enable failover)
pix2:
interface e1                             (only the failover heartbeat link in the middle needs to be brought up)
 no shutdown
failover lan enable
failover lan unit secondary
failover lan interface lfo e1
failover interface ip lfo 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover key cisco
failover
pix1:
write memory
write standby                            (saving on the standby is also done from the active unit)
no failover active                       (manual switchover)
failover link sta e2                     (configure the stateful link)
failover interface ip sta 192.168.2.1 255.255.255.0 standby 192.168.2.2
Once failover is configured, never wipe the configuration with clear config all: the two units may end up with the same MAC address, because the standby PIX copies the active firewall's MAC address.
Custom standby MAC address:
failover mac address e0 00a0.c976.cde5 00a0.c922.9176

active/active
sw:
vlan database
vlan 2 name sp1
vlan 3 name sp2
vlan 4 name outside
vlan 5 name lfo
vlan 6 name sta
vlan 7 name inside.1
vlan 8 name inside.2
internet (router):
interface e0/0
 no shutdown
interface e0/0.2
 encapsulation dot1q 2
 ip address 202.100.1.100 255.255.255.0
interface e0/0.3
 encapsulation dot1q 3
 ip address 61.128.128.100 255.255.255.0
interface lo0
 ip address 58.1.1.1 255.255.255.0
sp1 (router):
interface e0/0
 no shutdown
interface e0/0.2
 encapsulation dot1q 2
 ip address 202.100.1.1 255.255.255.0
interface e0/0.4
 encapsulation dot1q 4
 ip address 192.168.1.10 255.255.255.0
sp2 (router):
interface e0/0
 no shutdown
interface e0/0.3
 encapsulation dot1q 3
 ip address 61.128.128.1 255.255.255.0
interface e0/0.4
 encapsulation dot1q 4
 ip address 192.168.1.20 255.255.255.0
inside.1 (router):
interface e0/0
 ip address 10.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
inside.2 (router):
interface e0/0
 ip address 20.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 20.1.1.1
sp1 (router):
ip route 0.0.0.0 0.0.0.0 202.100.1.100
ip route 10.1.1.0 255.255.255.0 192.168.1.1
access-list 5 permit 10.1.1.0 0.0.0.255
ip nat inside source list 5 interface e0/0.2 overload
interface e0/0.2
 ip nat outside
interface e0/0.4
 ip nat inside
sp2 (router):
ip route 0.0.0.0 0.0.0.0 61.128.128.100
ip route 20.1.1.0 255.255.255.0 192.168.1.101
access-list 5 permit 20.1.1.0 0.0.0.255
ip nat inside source list 5 interface e0/0.3 overload
interface e0/0.3
 ip nat outside
interface e0/0.4
 ip nat inside
sw:
interface range f0/1 , f0/3 , f0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface f0/5
 switchport mode access
 switchport access vlan 7
interface f0/6
 switchport mode access
 switchport access vlan 8
interface range f0/17 , f0/18
 switchport mode access
 switchport access vlan 5
interface range f0/9 , f0/11
 switchport mode access
 switchport access vlan 6
interface range f0/7 , f0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
pix1:
delete flash:/c1.cfg
delete flash:/c2.cfg
delete flash:/admin.cfg
delete flash:/old_running.cfg
show flash:
write memory
context sp1
 config-url flash:/sp1.cfg
 exit
context sp2
 config-url flash:/sp2.cfg
 exit
interface e0
 no shutdown
interface e1
 no shutdown
interface e2
 no shutdown
interface e0.4
 vlan 4
interface e0.7
 vlan 7
interface e0.8
 vlan 8
context sp1
 allocate-interface e0.4                 (assign the interface to the context)
 allocate-interface e0.7
 exit
context sp2
 allocate-interface e0.4
 allocate-interface e0.8
 exit
failover group 1                         (entered in the system context)
 primary                                 (group 1 is active on the primary unit)
 exit
failover group 2                         (entered in the system context)
 secondary                               (group 2 is standby on the primary unit)
 exit
context sp1
 join-failover-group 1                   (add the context to group 1)
context sp2
 join-failover-group 2                   (add the context to group 2)
write memory
failover lan enable
failover lan unit primary
failover lan interface lfo e1
failover interface ip lfo 192.168.101.1 255.255.255.0 standby 192.168.101.2
failover key cisco
failover
write memory
pix2:
configure terminal
interface e1
 no shutdown
failover lan enable
failover lan unit secondary
failover lan interface lfo e1
failover interface ip lfo 192.168.101.1 255.255.255.0 standby 192.168.101.2
failover key cisco
failover
pix1:
changeto context sp2
show failover
changeto system
no failover active group 2
changeto context sp1
interface e0.4
 nameif outside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface e0.7
 nameif inside
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
write memory
pix2:
changeto context sp2
interface e0.4
 nameif outside
 ip address 192.168.1.101 255.255.255.0 standby 192.168.1.102
interface e0.8
 nameif inside
 ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
pix1:
changeto context sp1
route outside 0 0 192.168.1.10
pix2:
changeto context sp2
route outside 0 0 192.168.1.20
pix1:
changeto system
failover link sta e2
failover interface ip sta 192.168.102.1 255.255.255.0 standby 192.168.102.2
write memory
write standby
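Both the LAN-based active/standby lab and the active/active lab depend on the two units being typed identically (same failover key, same failover interface addresses, one primary and one secondary). The following is an added example, not part of the original notes: a small Python check that parses those unit-level failover lines from both configs and reports the mismatches that keep a pair from forming. The sample configs are constructed from the lab above, with two typical slips (a mistyped key, a malformed mask) left in the secondary.

```python
import ipaddress
import re

# Constructed sample configs modelled on the lab in these notes; the secondary
# keeps two typical slips (mistyped key, malformed mask) for the check to catch.
PRIMARY = """
failover lan unit primary
failover interface ip lfo 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover key cisco
"""
SECONDARY = """
failover lan unit secondary
failover interface ip lfo 192.168.1.1 255.255.255.255.0 standby 192.168.1.2
failover key ciscon
"""

IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover(text):
    """Collect one unit's role, key and failover interface addresses."""
    cfg = {"ip": {}}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("failover lan unit "):
            cfg["unit"] = line.split()[3]
        elif line.startswith("failover key "):
            cfg["key"] = line.split(maxsplit=2)[2]
        elif m := IP_RE.match(line):
            cfg["ip"][m.group(1)] = m.group(2, 3, 4)  # (active, mask, standby)
    return cfg


def check_pair(primary_text, secondary_text):
    """Return the mismatches that keep the pair from forming; [] if consistent."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    problems = []
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        problems.append("units must be one primary and one secondary")
    for field in ("key", "ip"):  # both must be typed identically on each unit
        if p.get(field) != s.get(field):
            problems.append(f"{field} differs between units")
    for unit, cfg in (("primary", p), ("secondary", s)):
        for name, (active, mask, standby) in cfg["ip"].items():
            try:
                net = ipaddress.IPv4Network(f"{active}/{mask}", strict=False)
            except ValueError:
                problems.append(f"{unit}: {name} has a malformed address or mask")
                continue
            if ipaddress.IPv4Address(standby) not in net:
                problems.append(f"{unit}: {name} standby address outside subnet")
    return problems
```

Running check_pair(PRIMARY, SECONDARY) reports the differing key, the differing failover interface line and the malformed mask on the secondary; a correctly typed pair returns an empty list.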
From: https://www.cnblogs.com/smoke520/p/18354157