PIX–failover

Failover概述Failover与我们前面学习的HSRP很像，都可以说是提供故障恢复的功能。1.Active与Standby设备的健康状况是通过LAN-FO接口来监控的（类似于心跳线，也是通过一条线来连接两个PIX，实现状态监控、复制配置、状态转移）；两个设备一个被配置为Primary设备，另一个作为Secondary设备（Primary和Secondary是一个物理概念）；一个设备被选为Active（转发流量），另一个被选为Standby（等待、备份）。两个状态为逻辑概念；如何成为Active？当一台防火墙启动的时候，就开始了一个选举的进程（以下都是基于两台设备为健康状态）如果检测多一个正在协商的设备处于FO的另一端，此时Primary设备成为Active状态并转发数据，Secondary设备成为Standby状态，成为备份设备；如果检测到一个Active设备，自己转换为Standby状态；如果在FO的另一端没有检测到设备，自己成为Active状态；如果成为Active后，检测到FO另一端有Active设备，两台设备重新协商。注：Primary、Secondary与Active、Standby的区分？Primary、Secondary是物理概念，指的是物理设备本身在Failover中所处的角色；Active、Standby是逻辑概念，指的是设备的状态，是否处于转发数据的状态；Active状态不一定指的是Primary设备，也可以是Secondary设备，Standby状态同理。2.如何切换正常切换Active设备出现故障时，处于Standby的设备（如果是健康的）将成为Active转发数据。切换发生时Standby设备在所有接口上继承原来Active设备的属性（IP和MAC）；但是，FO一台口上的地址保持不变。3.管理只需在Active设备上进行配置即可；active设备上的配置都会自动被复制到Standby设备上；通过Standby设备的standby IP可以对此设备进行基本的监控和管理4.部署Failover设备的必要条件硬件需求相同硬件型号；相同数量和类型的接口；相同类型的SSM模块；相同内存。软件需求相同操作模式；相同主板和子版本。授权需求不必一样的授权，只需FO授权即可。5.部署方式注：是针对FO接口来说的无状态化FO仅仅只是普通的硬件冗余而已；当故障切换发生时，所有已经建立的连接中断，必须重新连接。状态化FO提供更加强大的冗余—状态会话表项的冗余；故障切换时，连接依旧保持；用户不必重新连接；两个设备之间需要提供一个状态换链路（LAN-FO之外的其他链路）6.接口类型LAN-FO接口：确定每一个设备的运行状态并复制和同步配置；LAN-FO接口（状态化接口）：传递状态信息到Standby设备，可以是一个独立接口，也可以和其他接口共享，包括FO接口，但是不推荐，一般为独立接口。7.健康监控单元（即设备）健康监控通过监控FO链路来确认其他单元的健康状况；设备通过FO接口来交换Hello消息；当收不到来自与Active设备的响应时，切换发生。接口健康监控每个网络接口都可以被监控；设备通过控制接换Hello消息当Active设备上一个被指定为监控的接口出现故障时，切换发生。8.部署方针部署FO接口时，考虑如下的部署方针可以使用密钥来保护FO通讯如果状态化链路和FO链路共享接口，需要使用一个可用的高速率接口，最好不要让 状态化链路和普通数据接口共享一个物理接口；调整FO的各项参数来实现快速切换在Active和standby设备上手动置顶MAC地址，来阻止一些可能阻断网络流量的偶然事件在所有连接防火墙设备的交换机接口上，考虑配置快速端口（PortFast）。注：如果FO接口坏掉，那么Failover将不能实现故障恢复的功能，FO相当于整个Failover的心脏，具有不可替代的作用。配置实例一.实验目的了解Failover的原理、作用及使用；掌握Failover的状态化和无状态化的区别；理解并掌握Failover的LAN-FO接口的类型（两种状态）及其重要性；掌握Faiover的配置。二.实验拓扑如上：通过规划、配置，用两台PIX实现故障恢复功能。保证一台设备出问题之后另一台设备能继续工作。其中R1为Inside设备，R2为Outside设备三.实验步骤无状态化1.区域设备基本配置—————————————–R1配置———————————–R1(config)#inter fa0/0R1(config-if)#ip add 192.168.1.1 255.255.255.0R1(config-if)#no shutR1(config-if)#full-duplexR1(config-if)#exitR1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253指默认路由到PIX>—————————————–R2配置———————————–R2(config)#inter fa0/0R2(config-if)#ip add 202.100.1.1 255.255.255.0R2(config-if)#no shutR2(config-if)#fuR2(config-if)#full-duplexR2(config-if)#exit2.Primary设备配置——————————————–接口初始化配置———————————-PIX1(config)# inter e0PIX1(config-if)# nameif insidePIX1(config-if)# ip add 192.168.1.253 255.255.255.0 standby 192.168.1.254配置主地址和Standby地址>PIX1(config-if)# no shutPIX1(config-if)# exit内部接口配置，默认级别为100>PIX1(config)# inter e1PIX1(config-if)# nameif outsidePIX1(config-if)# ip add 202.100.1.253 255.255.255.0 standby 202.100.1.254PIX1(config-if)# no shutPIX1(config-if)# exit外部接口配置，默认级别为0>———————————————–配置FO———————PIX1(config)# inter e2PIX1(config-if)# no shutPIX1(config-if)# exit启用接口>PIX1(config)# failover lan unit primary把本设备指定为Primary设备>PIX1(config)# failover免费云主机域名 lan interface FO e2指定接口E2为FO链路，接口名为FO，此配置要敲2遍才能生效>INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfacesPIX1(config)# failover lan interface FO e2PIX1(config)# failover key cisco设置FO之间传输的加密密钥>PIX1(config)# failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2设置FO链路两端的IP地址>PIX1(config)# failover启用Failover>Secondary配置PIX2(config)# inter e2PIX2(config-if)# no shutPIX2(config-if)# exitPIX2(config)# failover lan unit secondaryPIX2(config)# failover lan interface FO e2INFO: Non-failover interface config is cleared on Ethernet2 and its sub-interfacesPIX2(config)# failover lan interface FO e2PIX2(config)# failover key ciscoPIX2(config)# failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.2PIX2(config)# failover配置完成后，两台设备开始协商选择Active，并同步配置State check detected an Active mateBeginning configuration replication from mate.End configuration replication from mate.点击回车完成>此时，无状态的failover已经完成。PIX2同步PIX1的配置后，自己主机名也成为PIX1，并复制所有PIX1的配置到自己。查看PIX状态—————————————查看PIX1状态——————–PIX1(config)# show failoverFailover OnCable status: N/A – LAN-based failover enabledFailover unit PrimaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 06:42:20 UTC Apr 8 2015 This host: Primary – Active Active time: 405 (sec) Interface inside (192.168.1.253): Normal Interface outside (202.100.1.253): Unknown (Waiting) Other host: Secondary – Standby Ready Active time: 120 (sec) Interface inside (192.168.1.254): Normal Interface outside (202.100.1.254): Unknown (Waiting)Stateful Failover Logical Update Statistics Link : Unconfigured.————————————————-查看PIX2状态—————————PIX1(config)# show failoverFailover OnCable status: N/A – LAN-based failover enabledFailover unit SecondaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 06:44:35 UTC Apr 8 2015 This host: Secondary – Standby Ready Active time: 120 (sec) Interface inside (192.168.1.254): Normal Interface outside (202.100.1.254): Unknown (Waiting) Other host: Primary – Active Active time: 480 (sec) Interface inside (192.168.1.253): Normal Interface outside (202.100.1.253): Unknown (Waiting)Stateful Failover Logical Update Statistics Link : Unconfigured.虽然PIX2的主机名变为了PIX1，但是根据状态我们还是能区分出来的>验证无状态化连接用R1telnet连接R2R2(config)#lin vty 0 4R2(config-line)#password gyhR2(config-line)#loginR2(config-line)#exitR1#telnet 202.100.1.1Trying 202.100.1.1 … OpenUser Access VerificationPassword:R2>连接成功>——————————————–将R3-SW的fa1/1接口down——————————R3-SW(config)#inter fa1/1R3-SW(config-if)#shutR3-SW(config-if)#*Mar 1 01:20:49.651: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down*Mar 1 01:20:50.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down——————————————–查看R1的telnet连接状况——————————–R2>[Connection to 202.100.1.1 closed by foreign host]连接直接中断>———————————————-查看PIX状态————————PIX1(config)# Switching to StandbyPIX1(config)# Switching to Active变为standby，PIX2变为Active>PIX1(config)# show failoverFailover OnCable status: N/A – LAN-based failover enabledFailover unit PrimaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 08:05:36 UTC Apr 8 2015 This host: Primary – Failed Active time: 2595 (sec) Interface inside (192.168.1.254): Failed (Waiting) Interface outside (202.100.1.254): Normal Other host: Secondary – Active Active time: 2340 (sec) Interface inside (192.168.1.253): Normal (Waiting) Interface outside (202.100.1.253): Normal Stateful Failover Logical Update Statistics Link : Unconfigured.PIX1(config)# show failoverFailover On Cable status: N/A – LAN-based failover enabledFailover unit SecondaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 08:07:57 UTC Apr 8 2015 This host: Secondary – Active Active time: 2355 (sec) Interface inside (192.168.1.253): Normal (Waiting) Interface outside (202.100.1.253): Normal Other host: Primary – Failed Active time: 2595 (sec) Interface inside (192.168.1.254): Failed (Waiting) Interface outside (202.100.1.254): Normal Stateful Failover Logical Update Statistics Link : Unconfigured.变为standby，PIX2变为Active>状态化本实验在无状态化实验的基础上进行。恢复正常的网络，开启R3-SW的fa1/1接口R3-SW(config-if)#inter fa1/1R3-SW(config-if)#no shut*Mar 1 01:25:17.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up手动让PIX1恢复为active状态PIX1(config)# failover active Switching to Active不支持自动抢占Active的功能，所以需手动配置>PIX1(config)# show failoverFailover On Cable status: N/A – LAN-based failover enabledFailover unit PrimaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 08:09:10 UTC Apr 8 2015 This host: Primary – Active Active time: 2595 (sec) Interface inside (192.168.1.253): Normal (Waiting) Interface outside (202.100.1.253): Normal (Waiting) Other host: Secondary – Standby Ready Active time: 2475 (sec) Interface inside (192.168.1.254): Normal (Waiting) Interface outside (202.100.1.254): Normal (Waiting)Stateful Failover Logical Update Statistics Link : Unconfigured.设置LAN-FO（状态化）接口第一种情况:把LAN-FO接口设置成stateful接口PIX1(config)# failover link FO e2R1 telnet上R2R1#telnet 202.100.1.1Trying 202.100.1.1 … OpenUser Access VerificationPassword:R2>关闭R3-SW的fa1/1接口R3-SW(config-if)#inter fa1/1R3-SW(config-if)#shut*Mar 1 01:33:16.495: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down*Mar 1 01:33:17.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down查看设备的Failover状态PIX1(config)# show failoverFailover OnCable status: N/A – LAN-based failover enabledFailover unit PrimaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 08:46:42 UTC Apr 8 2015 This host: Primary – Failed Active time: 75 (sec) Interface inside (192.168.1.254): Failed (Waiting) Interface outside (202.100.1.254): Normal Other host: Secondary – Active Active time: 180 (sec) Interface inside (192.168.1.253): Normal (Waiting) Interface outside (202.100.1.253): Normal Stateful Failover Logical Update Statistics Link : FO Ethernet2 (up) Stateful Obj xmit xerr rcv rerr General 37 0 36 0 sys cmd 33 0 33 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 2 0 3 0 UDP conn 0 0 0 0 ARP tbl 2 0 0 0 Xlate_Timeout 0 0 0 0 IKE upd 0 0 0 0 IPSEC upd 0 0 0 0 CTCP upd 0 0 0 0 SDI upd 0 0 0 0 DHCP upd 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 229 Xmit Q: 0 2 94在R1上回车，看连接R2的状态是否中断R2>R2>R2>R2>R2>连接正常>注：把stateful与FO接口设置成一条链路是我们不推荐的，所以，尽管这种方法可行，一般不使用。第二种情况:另接一条线，设置成stateful接口(FO链路与stateful链路分开)PIX1(config)# inter e3PIX1(config-if)# no shutPIX1(config)# failover link stateful e3注：使用此命令时，会报ERROR:Nochangetothestatefulinterface的错误，但是命令依然可以起到作用，可以show run查看。这是模拟器的问题。请继续试验。>PIX1(config)# failover interface ip stateful 172.16.10.10 255.255.255.0 standby 172.16.10.11验证R1 telnet上R2R1#telnet 202.100.1.1Trying 202.100.1.1 … OpenUser Access VerificationPassword:R2>关闭R3-SW的fa1/1接口R3-SW(config-if)#inter fa1/1R3-SW(config-if)#shut*Mar 1 01:33:16.495: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down*Mar 1 01:33:17.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down查看设备的Failover状态PIX1(config)# show failoverFailover OnCable status: N/A – LAN-based failover enabledFailover unit PrimaryFailover LAN Interface: FO Ethernet2 (up)Unit Poll frequency 15 seconds, holdtime 45 secondsInterface Poll frequency 5 seconds, holdtime 25 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 7.2(2), Mate 7.2(2)Last Failover at: 08:46:42 UTC Apr 8 2015 This host: Primary – Failed Active time: 75 (sec) Interface inside (192.168.1.254): Failed (Waiting) Interface outside (202.100.1.254): Normal Other host: Secondary – Active Active time: 180 (sec) Interface inside (192.168.1.253): Normal (Waiting) Interface outside (202.100.1.253): Normal Stateful Failover Logical Update Statistics Link : FO Ethernet2 (up) Stateful Obj xmit xerr rcv rerr General 37 0 36 0 sys cmd 33 0 33 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 2 0 3 0 UDP conn 0 0 0 0 ARP tbl 2 0 0 0 Xlate_Timeout 0 0 0 0 IKE upd 0 0 0 0 IPSEC upd 0 0 0 0 CTCP upd 0 0 0 0 SDI upd 0 0 0 0 DHCP upd 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 229 Xmit Q: 0 2 94在R1上回车，看连接R2的状态是否中断R2>R2>R2>R2>R2>连接正常>

相关推荐: 在linux上c编程软件是什么

这篇文章主要介绍了在linux上c编程软件是什么的相关知识，内容详细易懂，操作简单快捷，具有一定借鉴价值，相信大家阅读完这篇在linux上c编程软件是什么文章都会有所收获，下面我们一起来看看吧。 linux上c编程软件有：1、eclipse，能够为C和C++程…