Tags: asa security firewall
Redundant interfaces
At most 8 redundant interface pairs. The redundant interface uses the MAC address of the first member added, and both members must be the same physical media type. On switchover the newly active member sends a gratuitous ARP so the upstream switch's CAM table learns the MAC on the new port. Only one member of a redundant interface carries traffic at any time (the other is idle, which wastes capacity).
ASA(config)# int redundant 1
ASA(config-if)# member-interface g0/0
ASA(config-if)# member-interface g0/1
ASA(config-if)# exit
ASA(config)# show int redundant 1
  Member GigabitEthernet0/0(Active), GigabitEthernet0/1
ASA(config)# int g0/0                                    // shut down the active member
ASA(config-if)# shutdown
ASA(config)# show int redundant 1                        // the standby member has taken over
  Member GigabitEthernet0/1(Active), GigabitEthernet0/0
ASA(config)# int g0/0                                    // bring the original active member g0/0 back up
ASA(config-if)# no shutdown
ASA(config)# show int redundant 1                        // no preemption: after no shutdown the original member does not take back the active role
  Member GigabitEthernet0/1(Active), GigabitEthernet0/0  // still using g0/1
ASA(config-if)# redundant-interface redundant 1 active-member g0/0   // switch back to g0/0 by hand
ASA(config-if)# show int redundant 1
  Member GigabitEthernet0/0(Active), GigabitEthernet0/1
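The CAM-table update described above, as an added example (not code from the original post or from Cisco): it builds the broadcast gratuitous ARP that a newly active member sends (the same frame a standby unit sends after it takes over the active IP and MAC in the failover section below), parses it back, and models a switch's CAM table relearning the MAC on the port the frame now arrives on. The MAC and IP values are assumptions taken from the lab addresses used later on the page.

```python
"""Gratuitous ARP after a redundant-interface or failover switchover.

Added example, not from the original post.  It builds the broadcast ARP
frame (sender IP == target IP) that the newly active port sends, parses
it back, and models how an upstream switch's CAM table moves the MAC to
the port the frame now arrives on.  The MAC/IP values are assumptions.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """Accept Cisco 0001.0001.0001 or 00:01:00:01:00:01 notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP request (42 bytes, no padding or FCS)."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet, IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
           + bytes(6) + ipaddress.IPv4Address(target_ip).packed)  # target MAC unknown: zeros
    return eth + arp


def build_gratuitous_arp(mac: str, ip: str) -> bytes:
    """A gratuitous ARP is an ARP request for the sender's own address."""
    return build_arp_request(mac, ip, ip)


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def is_gratuitous(frame: bytes) -> bool:
    arp = parse_arp(frame)
    return arp is not None and arp["sender_ip"] == arp["target_ip"]


class Switch:
    """Minimal CAM table: source MAC -> ingress port, relearned on every frame."""

    def __init__(self):
        self.cam = {}

    def receive(self, port: int, frame: bytes) -> bool:
        """Learn the source MAC on `port`; return True if the entry moved to another port."""
        src = mac_str(frame[6:12])
        moved = src in self.cam and self.cam[src] != port
        self.cam[src] = port
        return moved
```

Until the switch sees a frame with the shared MAC on the new port, it keeps forwarding to the old one; the gratuitous ARP is what forces that relearning immediately instead of waiting for the next frame the ASA happens to send.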
EtherChannel
1. At most 8 interfaces bundled into one group.
2. Member ports must have identical settings (duplex, speed, ...).
3. Provides both load balancing and HA.
4. Can be deployed between switches or between a server and a switch (the peer only needs to support channelling, i.e. 802.3ad / LACP).
5. vPC (virtual port channels) lets one port channel span two devices (the devices must support vPC).
6. vPC makes the best use of bandwidth because each port channel appears as a single interface to spanning tree, so there is no loop and no member port is blocked.
ciscoasa(config)# int g0
ciscoasa(config-if)# channel-group 1 mode active          // add the interface to channel group 1 (LACP active)
ciscoasa(config-if)# int g1
ciscoasa(config-if)# channel-group 1 mode active
ciscoasa(config-if)# exit
ciscoasa(config)# int port-channel 1                      // nameif, security level and IP address go on the port-channel itself
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# exit

ciscoasa# show interface port-channel 1                   // verify
Interface Port-channel1 "DMZ", is down, line protocol is down
  Hardware is EtherChannel/LACP, BW 100 Mbps, DLY 100 usec
        (Full-duplex), (100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address 0000.ab9b.9a00, MTU 1500
        IP address 10.1.1.1, subnet mask 255.255.255.0
  Members in this channel:
    Inactive: Gi0 Gi1

ciscoasa# show port-channel 1 load-balance                // check the load-balancing method
EtherChannel Load-Balancing Configuration:
        src-dst-ip                                         // hash on source and destination IP address (the default)

ciscoasa(config)# int port-channel 1
ciscoasa(config-if)# port-channel load-balance ?

interface mode commands/options:
  dst-ip                 Dst IP Addr
  dst-ip-port            Dst IP Addr and TCP/UDP Port
  dst-mac                Dst Mac Addr
  dst-port               Dst TCP/UDP Port
  src-dst-ip             Src XOR Dst IP Addr
  src-dst-ip-port        Src XOR Dst IP Addr and TCP/UDP Port
  src-dst-mac            Src XOR Dst Mac Addr
  src-dst-port           Src XOR Dst TCP/UDP Port           // commonly used
  src-ip                 Src IP Addr
  src-ip-port            Src IP Addr and TCP/UDP Port
  src-mac                Src Mac Addr
  src-port               Src TCP/UDP Port
  vlan-dst-ip            Vlan, Dst IP Addr
  vlan-dst-ip-port       Vlan, Dst IP Addr and TCP/UDP Port
  vlan-only              Vlan
  vlan-src-dst-ip        Vlan, Src XOR Dst IP Addr
  vlan-src-dst-ip-port   Vlan, Src XOR Dst IP Addr and TCP/UDP Port
  vlan-src-ip            Vlan, Src IP Addr
  vlan-src-ip-port       Vlan, Src IP Addr and TCP/UDP Port
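How the load-balance policy pins flows to member links, as an added example (not code from the original post, and not Cisco's actual hash, which is platform-internal): a model that XORs the fields each policy names and takes the result modulo the number of active members. It shows why a Src XOR Dst policy sends a flow and its reply over the same member, which is what you want in front of a stateful device, and why a single-field policy such as dst-ip collapses many-to-one traffic onto one link. The member names, addresses and client flows are constructed assumptions.

```python
"""Model of EtherChannel flow-hash member selection.

Added example, not from the original post.  Assumption: the real hash is
platform-internal; this model keeps only what the text relies on, namely
which packet fields the policy feeds into the hash, XORs them, and takes
the result modulo the number of active members.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    vlan: int = 0


def _mac(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def _ip(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


# Fields each `port-channel load-balance` policy hashes (a subset of the list above).
# XOR is commutative, so any src XOR dst policy maps a flow and its reply to the same member.
POLICIES = {
    "src-ip":          lambda p: [_ip(p.src_ip)],
    "dst-ip":          lambda p: [_ip(p.dst_ip)],
    "src-dst-ip":      lambda p: [_ip(p.src_ip), _ip(p.dst_ip)],
    "src-dst-ip-port": lambda p: [_ip(p.src_ip), _ip(p.dst_ip), p.src_port, p.dst_port],
    "src-dst-port":    lambda p: [p.src_port, p.dst_port],
    "src-dst-mac":     lambda p: [_mac(p.src_mac), _mac(p.dst_mac)],
    "vlan-src-dst-ip": lambda p: [p.vlan, _ip(p.src_ip), _ip(p.dst_ip)],
}


def select_member(pkt: Packet, policy: str, members: list) -> str:
    """Pick the member link that carries `pkt` under `policy` (members = active links only)."""
    if not members:
        raise ValueError("no active member in the channel")
    h = 0
    for field in POLICIES[policy](pkt):
        h ^= field
    h ^= h >> 16          # fold the upper bits in so they influence the choice
    return members[h % len(members)]


def reply(pkt: Packet) -> Packet:
    """The reverse direction of the same flow."""
    return Packet(pkt.dst_mac, pkt.src_mac, pkt.dst_ip, pkt.src_ip,
                  pkt.dst_port, pkt.src_port, pkt.vlan)


def distribution(packets, policy: str, members: list) -> dict:
    """Count how many packets each member link carries."""
    counts = {m: 0 for m in members}
    for p in packets:
        counts[select_member(p, policy, members)] += 1
    return counts


# Constructed sample: 254 clients on 10.1.10.0/24, each with one HTTPS flow to a single server.
CLIENT_FLOWS = [
    Packet("0000.0c01.%04x" % i, "0000.0c02.0001", f"10.1.10.{i}", "10.1.1.10", 40000 + i, 443)
    for i in range(1, 255)
]
```

With dst-ip every client flow hashes onto the same member because the only hashed field is identical for all of them; with src-dst-ip the same flows split evenly, and each flow's return traffic lands on the member that carried the request.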
Device redundancy
Failover
When an ASA boots it starts an election process:
If it detects a unit that is negotiating at the other end of the failover interface, the Primary unit becomes Active and the Secondary unit goes to Standby.
If it detects an Active unit, it becomes Standby.
If it detects no unit at all, it becomes Active.
If, after becoming Active, it detects another Active unit, the two Active units renegotiate the failover roles (traffic can be interrupted at this point because of the MAC address problem: each unit has been using its own MAC for the shared addresses).
On a switchover the standby unit inherits the properties of the former active unit (its IP and MAC addresses).
Stateless failover: provides hardware redundancy only.
Stateful failover: provides hardware redundancy plus replication of the stateful tables (not all of them). The two units need a state link; it is recommended to use a link separate from the LAN failover link, because the state traffic is considerable.
The failover link and the interfaces designated for monitoring determine the other unit's status by exchanging hello packets.
Stateful table replication
When deploying failover, follow these guidelines:
A key can be used to protect the failover communication. Without one, the configuration replication (credentials included) crosses the failover link in the clear; the `cisco` used in the lab below is a placeholder, use a strong secret in production.
If the state link and the failover link share an interface, use an available high-speed interface; preferably do not let the state link share a physical interface with an ordinary data interface. On every switch port that connects to a firewall unit, consider configuring PortFast so a switchover is not delayed by spanning-tree convergence.
Configuration
Primary unit
!
interface GigabitEthernet0
 nameif DMZ
 security-level 50
 ip address 10.1.20.11 255.255.255.0 standby 10.1.20.22
!
interface GigabitEthernet1
 nameif Inside
 security-level 100
 ip address 10.1.10.11 255.255.255.0 standby 10.1.10.22
!
interface GigabitEthernet2
 nameif Outside
 security-level 0
 ip address 10.1.30.11 255.255.255.0 standby 10.1.30.22
!
ASA(config)# int g3
ASA(config-if)# no shu
ASA(config)# failover lan unit primary
ASA(config)# failover lan interface fo g3
ASA(config)# failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
ASA(config)# failover key cisco
ASA(config)# failover
Beginning configuration replication: Sending to mate.       // the configuration is pushed to the mate

Secondary unit (the mate). The transcript typed `failover lan unit primary` here as well; the mate should be designated `failover lan unit secondary`, as in the active/active configuration below.
ciscoasa(config)# int g3
ciscoasa(config-if)# no shu
ciscoasa(config-if)# failover lan unit primary
ciscoasa(config)# failover lan interface fo g3
ciscoasa(config)# failover key cisco
ciscoasa(config)# failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
ciscoasa(config)# failover
Beginning configuration replication from mate.              // pulls the configuration from the mate; the interface configuration and everything else done locally is overwritten

Once a switchover has happened, active/standby failover does not preempt back automatically; to return the roles, switch by hand on the unit that should become active:
ASA(config)# failover active

ASA(config)# show runn failover
failover
failover lan unit primary
failover lan interface fo GigabitEthernet3
failover polltime unit 2 holdtime 10
failover polltime interface 3 holdtime 15
failover key *****
failover mac address GigabitEthernet1 0001.0001.0001 0001.0001.0002
failover mac address GigabitEthernet0 0001.0002.0001 0001.0002.0002
failover mac address GigabitEthernet2 0001.0003.0001 0001.0003.0002
failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
Tuning the switchover time
ASA(config)# failover polltime unit 2 holdtime 10        // hello on the failover link every 2 s, peer declared failed after 10 s
ASA(config)# failover polltime interface 3 holdtime 15   // interface hello every 3 s, interface declared failed after 15 s
The hold time must be at least three times the poll interval; shorter timers detect failures faster but also make a busy unit easier to declare dead by mistake.
Configuring fixed MAC addresses
ASA(config)# failover mac address inside 1.1.1 1.1.2      // first the active MAC, then the standby MAC
ASA(config)# failover mac address dmz 1.2.1 1.2.2
ASA(config)# failover mac address outside 1.3.1 1.3.2
Virtual MACs keep the active/standby MAC pair the same no matter which physical unit holds which role, so replacing the primary unit, or the primary coming back after the secondary booted alone, does not change the MAC that the neighbours have learned.
Changing the switchover trigger
ASA(config)# monitor-interface Inside            // enable health monitoring on an interface; if a monitored interface fails, a switchover is triggered
ASA(config)# failover interface-policy 2         // trigger on a number of failed interfaces (range 1-250); the default is 1
ASA(config)# failover interface-policy 50%       // or on a percentage of the monitored interfaces (range 1-100%)
Replicating state information
ASA(config)# failover link fo GigabitEthernet3   // state information is replicated over this link (here it shares g3 with the failover LAN link)
ASA(config)# failover active                      // switch over at will: connections that depend on replicated state (e.g. Telnet sessions, NAT xlates) survive
Failover status
ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fo GigabitEthernet3 (up)
Unit Poll frequency 2 seconds, holdtime 10 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 11:55:46 UTC Jul 5 2016
        This host: Primary - Active
                Active time: 6076 (sec)
                Interface DMZ (10.1.20.11): Normal (Monitored)
                Interface Inside (10.1.10.11): Normal (Monitored)
                Interface Outside (10.1.30.11): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 346 (sec)
                Interface DMZ (10.1.20.22): Normal (Monitored)
                Interface Inside (10.1.10.22): Normal (Monitored)
                Interface Outside (10.1.30.22): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : fo GigabitEthernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         101        0          95         0
        sys cmd         91         0          91         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        6          0          4          0
        UDP conn        0          0          0          0
        ARP tbl         3          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   1          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       510
        Xmit Q:         0       2       484
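A check over the `show failover` output above, as an added example (not code from the original post): it parses the unit states, links and monitored interfaces, applies the `failover interface-policy` rule from the earlier section to decide whether the failed-interface count would trigger a switchover, and lists anything a practitioner would want to know before trusting the pair. The sample text is the page's own output reflowed; the degraded variant used in the policy check is constructed, and the regexes assume the 8.4-era output format shown here.

```python
"""Check a `show failover` transcript and apply the interface-policy rule.

Added example, not from the original post.  Assumptions: the regexes follow
the 8.4-era output format shown on this page, stateful failover is configured
(so a missing or down state link is reported), and a monitored interface
counts as failed whenever its status is anything but "Normal".
"""
import re

# Constructed sample: the page's own `show failover` output, reflowed.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: fo GigabitEthernet3 (up)
Unit Poll frequency 2 seconds, holdtime 10 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 11:55:46 UTC Jul 5 2016
        This host: Primary - Active
                Active time: 6076 (sec)
                Interface DMZ (10.1.20.11): Normal (Monitored)
                Interface Inside (10.1.10.11): Normal (Monitored)
                Interface Outside (10.1.30.11): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 346 (sec)
                Interface DMZ (10.1.20.22): Normal (Monitored)
                Interface Inside (10.1.10.22): Normal (Monitored)
                Interface Outside (10.1.30.22): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : fo GigabitEthernet3 (up)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \((Monitored|Not-Monitored|Waiting)\)\s*$")


def _first(pattern, text, default=None):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else default


def parse_show_failover(text):
    """Extract what a health check needs: unit states, link states, policy, interfaces."""
    info = {
        "enabled": _first(r"^Failover (On|Off)", text, ("Off",))[0] == "On",
        "lan_link_up": _first(r"^Failover LAN Interface: \S+ \S+ \(([^)]+)\)", text, ("",))[0] == "up",
        "state_link_up": _first(r"^\s*Link : \S+ \S+ \(([^)]+)\)", text, ("",))[0] == "up",
        "policy": _first(r"^Interface Policy (\d+%?)", text, ("1",))[0],   # "1" is the ASA default
        "versions": _first(r"^Version: Ours (\S+), Mate (\S+)", text, (None, None)),
        "hosts": {},
    }
    current = None
    for line in text.splitlines():
        hm = HOST_RE.match(line)
        if hm:
            current = hm.group(1)
            info["hosts"][current] = {"unit": hm.group(2), "state": hm.group(3), "interfaces": []}
            continue
        im = IFACE_RE.match(line)
        if im and current:
            info["hosts"][current]["interfaces"].append({
                "name": im.group(1), "ip": im.group(2), "status": im.group(3),
                "monitored": im.group(4) != "Not-Monitored",
            })
    return info


def should_failover(interfaces, policy):
    """`failover interface-policy N` or `N%`: True once enough monitored interfaces have failed."""
    monitored = [i for i in interfaces if i["monitored"]]
    failed = [i for i in monitored if i["status"] != "Normal"]
    if not monitored:
        return False
    if policy.endswith("%"):
        return len(failed) * 100 >= int(policy[:-1]) * len(monitored)
    return len(failed) >= int(policy)


def health_findings(info):
    """Everything that should stop you from trusting the pair right now."""
    findings = []
    if not info["enabled"]:
        findings.append("failover is off")
    if not info["lan_link_up"]:
        findings.append("failover LAN link is not up")
    if not info["state_link_up"]:
        findings.append("stateful failover link is not up")
    ours, mate = info["versions"]
    if ours != mate:
        findings.append(f"software mismatch: ours {ours}, mate {mate}")
    hosts = info["hosts"]
    if not any(h["state"] == "Active" for h in hosts.values()):
        findings.append("no unit is Active")
    for which, host in hosts.items():
        if host["state"] not in ("Active", "Standby Ready"):
            findings.append(f"{which} host ({host['unit']}) is {host['state']}")
        for i in host["interfaces"]:
            if i["monitored"] and i["status"] != "Normal":
                findings.append(f"{which} host ({host['unit']}): {i['name']} is {i['status']}")
        if should_failover(host["interfaces"], info["policy"]):
            findings.append(f"{which} host ({host['unit']}) meets interface-policy {info['policy']}")
    return findings
```

Run it against the output of `show failover` captured from the active unit; an empty findings list is the state you want to see before a maintenance window, and the policy function makes it explicit that one failed interface out of three triggers the default policy of 1 but not a policy of 50%.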
Note (active/active): load balancing between the two units is done by the adjacent routers, and it must be per-flow; per-packet balancing causes problems because the connection table cannot be built consistently.
Return traffic needs special handling, otherwise you get asymmetric routing (the outbound and return paths differ, the context on the return path has no connection entry, and it may drop the packets). The `asr-group` interface command on the ASA exists for exactly this case.
Stateful failover links: the failover link determines the units' state and synchronises the configuration;
a separate interface carries the state information.
Other points to note:
Active/Active failover is only available when the unit runs in multiple-context mode; the ASA 5505 does not support Active/Active failover.
Active/Active configuration
Steps
1. Initial setup
Inside router                                   // IP address and routing
!
interface FastEthernet0/0
 ip address 10.1.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.10.11

DMZ router
interface FastEthernet0/0
 ip address 10.1.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.20.11

Outside router (R3)
R3(config)#int f0/0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#int f0/0.10
R3(config-subif)#encapsulation dot1Q 10
R3(config-subif)#ip address 10.1.30.100 255.255.255.0
R3(config-subif)#no shutdown
R3(config-subif)#exit
R3(config)#int f0/0.20
R3(config-subif)#encapsulation dot1Q 20
R3(config-subif)#ip address 10.1.40.100 255.255.255.0
R3(config-subif)#no shutdown
R3(config-subif)#exit
R3(config)#ip route 10.1.10.0 255.255.255.0 10.1.30.11
R3(config)#ip route 10.1.20.0 255.255.255.0 10.1.40.11

ASA1
ciscoasa(config)# int g0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int g1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int g2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int g3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int g2.10
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# exit
ciscoasa(config)# int g2.20
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# exit
2. Creating the contexts
ASA-1 configuration
Create the failover groups, mark each as primary or secondary, and enable preemption:
ciscoasa(config)# show runn failover
no failover
failover group 1
  secondary
  preempt
failover group 2
  primary
  preempt
------------------------------------------------------------------------
ciscoasa(config)# show runn context
admin-context admin                      // create the contexts and point each at its configuration file
context admin
  config-url disk0:/admin.cfg
!
context c1
  allocate-interface GigabitEthernet0    // assign interfaces to the context
  allocate-interface GigabitEthernet2.10
  config-url disk0:/c1.cfg
  join-failover-group 1                  // the failover group this context belongs to
!
context c2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2.20
  config-url disk0:/c2.cfg
  join-failover-group 2
!
-----------------------------------------------------------------------
ASA(config)# changeto c1                 // configure the interfaces of context c1
ASA/c1(config)# show runn interface
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.1.10.11 255.255.255.0 standby 10.1.10.22
!
interface GigabitEthernet2.10
 nameif outside
 security-level 0
 ip address 10.1.30.11 255.255.255.0 standby 10.1.30.22
-----------------------------------------------------------------------
ASA(config)# changeto c2                 // configure the interfaces of context c2
ASA/c2(config)# show runn interface
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.20.11 255.255.255.0 standby 10.1.20.22
!
interface GigabitEthernet2.20
 nameif outside
 security-level 0
 ip address 10.1.40.11 255.255.255.0 standby 10.1.40.22
--------------------------------------------------------------------
ASA/c2(config)# changeto system
ASA(config)# show running-config failover          // system-level failover settings: the LAN link (heartbeat),
no failover                                         // the key, and the link used for state replication
failover lan unit primary
failover lan interface fo GigabitEthernet3
failover polltime unit 2 holdtime 10
failover polltime interface 3 holdtime 15
failover key cisco
failover mac address GigabitEthernet1 0001.0001.0001 0001.0001.0002
failover mac address GigabitEthernet0 0001.0002.0001 0001.0002.0002
failover mac address GigabitEthernet2 0001.0003.0001 0001.0003.0002
failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
failover link fo GigabitEthernet3                   // the name must match the LAN interface above for both to share g3
failover group 1
  secondary
  preempt
failover group 2
  primary
  preempt
ASA(config)# failover                               // enable last
---------------------------------------------------------------------------------------
ASA-2 configuration
Only the key, the LAN link and the state link are needed; the rest is replicated from the mate:
ASA(config)# no failover
ASA(config)# int g3
ASA(config-if)# no shutdown
ASA(config-if)# exit
ASA(config)# failover lan unit secondary            // designate this unit as secondary
ASA(config)# failover key cisco
ASA(config)# failover lan interface fo g3
ASA(config)# failover link fo g3
ASA(config)# failover interface ip fo 10.1.1.11 255.255.255.0 standby 10.1.1.22
ASA(config)# failover
-----------------------------------------------------------------
ASA(config)# prompt hostname context state priority   // show the current context, state and priority in the prompt
..................... to be continued
This article is from the "Try" blog; please keep this attribution: http://beening.blog.51cto.com/9079117/1796124