防火墙Failover一、failover相关概念:1、failover线:又叫心跳线,是一条故障切换线,参与failover的防火墙通过这条线决定本身的状态。Failover线有2种:专用的cable线和LAN线2、statfulfailover线:即状态线,时刻传递状态信息由主到次,该线的带宽必须大于等于用户接口的带宽,状态有3种:专用以太口或共享LAN-base的failover线或共享用户接口(不建议)3、failover组网拓扑:有2种:基于专用cable和基于LAN二、试验拓扑:三、试验配置:FW5(config)#activation-key0x5236f5a70x97def6da0x732a91f50xf5deef57(添加UR许可,有UR许可才支持Failover)1、基于Lanbase的A/S模式FW5(活动设备)FW5(config)#failoverlinkbluefoxe3(指定Failover状态接口)FW5(config)#failoverinterfaceipbluefox192.168.6.5255.255.255.0standby192.168.6.6(配置状态接口的IP)FW5(config)#interfacee3(打开接口)FW5(config-if)#noshFW5(config-if)#exitFW5(config)#failoverlanenable(启用lanbase)FW5(config)#failoverlanunitprimary(指定该设备为主设备)FW5(config)#failoverlaninterfacebluefoxe3(指定Failover线(可与状态线共用))FW5(config)#failoverinterfaceipbluefox192.168.6.5255.255.255.0standby192.168.6.6(共用时可不配)FW5(config)#failoverFW5(config)#interfacee0FW5(config-if)#nameifoutsideFW5(config-if)#ipadd192.168.7.5255.255.255.0standby192.168.7.6FW5(config-if)#noshFW5(config-if)#exitFW5(config)#interfacee1FW5(config-if)#nameifinsideFW5(config-if)#ipadd192.168.5.5255.255.255.0standby192.168.5.6FW5(config-if)#noshFW5(config-if)#exitFW5(config)#interfacee2FW5(config-if)#nameifdmzFW5(config-if)#security-level50FW5(config-if)#ipadd192.168.8.5255.255.255.0standby192.168.8.6FW5(config-if)#noshFW5(config-if)#exitFW6(备份设备)FW6(config)#interfacee3FW6(config-if)#noshFW6(config-if)#exit(打开状态线)FW6(config)#failoverlanenable(启用lanbase)FW6(config)#failoverlanunitsecondary(指定该设备为辅助设备)FW6(config)#failoverlaninterfacebluefoxe3(指定Failover线)FW6(config)#failoverinterfaceipbluefox192.168.6.5255.255.255.0standby192.168.6.6FW6(config)#failover(启用Failover)测试与分析:FW5FW6FW5由以上各图知FW5为主、FW6为备份设备.在FW6上手动抢占FW6已成为主设备。FW6切换为辅助设备以下为各个设备的详细配置:FW5interfaceEthernet0nameifoutsidesecurity-level0ipaddress192.168.7.5255.255.255.0standby192.168.7.6interfaceEthernet1nameifinsidesecurity-level100ipaddress192.168.5.5255.255.255.0standby192.168.5.6interfaceEthernet2nameifdmzsecurity-level50ipaddress192.168.8.5255.255.255.0standby192.168.8.6interfaceEthernet3descriptionLAN/STATEFailoverInterfaceaccess-list100extendedpermitipanyanyfailoverfailoverlanunitprimaryfailoverlaninterfacebluefoxEthernet3failoverlanenablefailoverlinkbluefoxEthernet3failoverinterfaceipbluefox192.168.6.5255.255.255.0standby192.168.6.6access-group100ininterfaceoutsideaccess-group100ininterfacedmzrouteoutside0.0.0.00.0.0.0192.168.7.71routeinside192.168.10.0255.255.255.0192.168.5.1001routeinside192.168.20.0255.255.255.0192.168.5.1001routedmz192.168.30.0255.255.255.0192.168.8.41routedmz192.168.40.0255.255.255.0192.168.8.41SW1spanning-treevlan1priority0spanning-treevlan10priority0spanning-treevlan20priority0interfacePort-channel1switchportmodetrunkinterfaceFastEthernet1/1switchportaccessvlan5interfaceFastEthernet1/2switchportaccessvlan6interfaceFastEthernet1/3switchportmodetrunkchannel-group1modeoninterfaceFastEthernet1/4switchportmodetrunkchannel-group1modeoninterfaceFastEthernet1/5switchporttrunkallowedvlan1-4,7-1005switchportmodetrunkinter...
