Part 1 - Introduction
The previous article, "Deploying Failover on a Cisco ASA: hands-on demo, part 1" (在思科ASA上部署Failover实例演示-上), introduced Cisco Failover technology; by now you should understand it well enough to deploy Failover in Active/Standby (A/S) mode. But consider one question: in Failover A/S mode we have two ASA devices, one Active that forwards traffic and one Standby that acts as a backup. With that deployment the Standby device sits idle until a failover actually occurs.
So is there a deployment mode that also puts the Standby device to work forwarding traffic? The answer is yes. This article explains how Failover Active/Active (A/A) delivers high availability while making full use of both devices.
Part 2 - How Active-Active mode works
1. Points to note when deploying Active-Active mode
- Failover A/A can only be used on a firewall running in multiple-context mode. In a Failover A/A configuration, both ASAs are working and forwarding network traffic at the same time.
- In a Failover A/A configuration, contexts are assigned to failover groups. A failover group contains one or more contexts, and at most two failover groups can be created. The default admin context always belongs to Group 1, and any context that is not explicitly assigned also defaults to failover group 1.
- A given physical ASA is Active in only one failover group.
Figure 1: Failover A/A mode
Note: as Figure 1 shows, in Failover Group 1 the child firewalls Context A and Context C are Active and Context B is Standby; in Failover Group 2, Context A and Context C are Standby and Context B is Active.
2. License requirements
Note: the ASA must be running in multiple mode.

| Device model | License requirement |
|---|---|
| ASA 5505 | Not supported |
| ASA 5510 | Security Plus License |
| Others | Base License |
3. Failover A/A link types
- LAN-Based Failover link: detects the operating state of each unit and synchronizes the configuration; it uses a dedicated interface.
- Stateful Failover link: synchronizes state information to the Standby unit; it can be shared with other interfaces, but Cisco recommends a dedicated interface.
Figure 2: Failover A/A link types
4. Active context (child firewall) role election in Failover A/A
- When both units are healthy:
  - If a negotiating unit is detected over the FO interface, the unit configured as Primary for the local failover group becomes Active for that group.
  - If the unit detected over the FO interface is already Active in both failover groups, this unit becomes Standby in both failover groups.
  - If no unit is detected over the FO interface, this unit becomes Active in both failover groups.
- When only one unit is healthy:
  - The healthy unit is Active in both failover groups.
5. Failover A/A switchover
- Failover happens at the unit or context level.
- When an Active member on one physical unit fails, the Standby member of the same failover group on the other physical unit becomes Active.
- The Primary/Secondary identities do not change during the switchover.
- After the switchover, the IP and MAC addresses are swapped between the group members (the same as in A/S mode; see part 1 of this series).
Figure 3: Failover A/A switchover
Note: when Context A and Context C in Failover Group 1 fail, Context A and Context C in Failover Group 2 are switched to Active.
Part 3 - Lab
1. Lab topology
Figure: lab topology diagram
2. Lab requirements
Deploy stateful Failover Active-Active mode between ASA1 and ASA2 so that PC1 and PC2 can telnet to R1, and so that when either ASA1 or ASA2 fails, traffic switches automatically to the other unit.
3. Devices and IP addressing
- ASA1 and ASA2 each have Failover Group 1 and Failover Group 2. Context C1 joins Failover Group 1 and Context C2 joins Failover Group 2.

| Failover Group | ASA1 | ASA2 | Context |
|---|---|---|---|
| 1 | Active | Standby | C1 |
| 2 | Standby | Active | C2 |

- Interface allocation to the child firewalls on ASA1 and ASA2

| Device | Interface | Name |
|---|---|---|
| C1 | Ethernet 0 | outside |
| C1 | Ethernet 3 | inside |
| C2 | Ethernet 1 | outside |
| C2 | Ethernet 2 | inside |
| C3 | Ethernet 6 | LAN-Based Failover |
| C3 | Ethernet 7 | Stateful Failover Link |

- VLAN plan

| Switch | VLAN | Interfaces |
|---|---|---|
| SW1 | VLAN 2 | Ethernet 0/0, Ethernet 0/2, Ethernet 1/0 |
| SW1 | VLAN 3 | Ethernet 0/1, Ethernet 1/1, Ethernet 0/3 |
| SW2 | VLAN 2 | Ethernet 0/1, Ethernet 1/1, Ethernet 0/3 |
| SW2 | VLAN 3 | Ethernet 0/0, Ethernet 0/2, Ethernet 1/0 |

- IP address plan

| Device | Interface | IP address |
|---|---|---|
| ASA1 | Ethernet 0 | 200.100.1.10/24 |
| ASA1 | Ethernet 1 | 200.100.2.20/24 |
| ASA1 | Ethernet 2 | 192.168.2.20/24 |
| ASA1 | Ethernet 3 | 192.168.1.10/24 |
| ASA1 | Ethernet 6 | 67.67.67.1/24 |
| ASA1 | Ethernet 7 | 77.77.77.1/24 |
| ASA2 | Ethernet 0 | 200.100.1.20/24 |
| ASA2 | Ethernet 1 | 200.100.2.10/24 |
| ASA2 | Ethernet 2 | 192.168.2.10/24 |
| ASA2 | Ethernet 3 | 192.168.1.20/24 |
| ASA2 | Ethernet 6 | 67.67.67.2/24 |
| ASA2 | Ethernet 7 | 77.77.77.2/24 |
| R1 | Ethernet 0/0 | 200.100.1.1/24 |
| R1 | Ethernet 0/1 | 200.100.2.1/24 |
| PC1 | Ethernet 0 | 192.168.1.1/24 |
| PC2 | Ethernet 0 | 192.168.2.1/24 |
4. Lab configuration
Step 1: Basic configuration on the router
- Configure the interface IP addresses

| Interface | IP address |
|---|---|
| Ethernet 0/0 | 200.100.1.1/24 |
| Ethernet 0/1 | 200.100.2.1/24 |

- Configure routes toward the inside networks
```
ip route 192.168.1.0 255.255.255.0 200.100.1.10
ip route 192.168.2.0 255.255.255.0 200.100.2.10
```
- Enable the Telnet service
```
line vty 0 4
 password cisco
 login
 transport input telnet
```
Step 2: Basic configuration on the switches
- Assign the SW1 interfaces to their VLANs
```
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
interface Ethernet0/2
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 3
interface Ethernet1/0
 switchport access vlan 2
interface Ethernet1/1
 switchport access vlan 3
```
- Assign the SW2 interfaces to their VLANs
```
interface Ethernet0/0
 switchport access vlan 3
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 2
interface Ethernet1/0
 switchport access vlan 3
interface Ethernet1/1
 switchport access vlan 2
```
Step 3: Set ASA1 and ASA2 to multiple mode, then wait for the automatic reboot to finish
```
mode multiple
```
Step 4: Create the failover groups
All of the configuration below only needs to be entered on ASA1; ASA2's configuration is synchronized from ASA1 automatically.
- Bring up every interface that will be used on ASA1
```
interface Ethernet0
 no shutdown
interface Ethernet1
 no shutdown
interface Ethernet2
 no shutdown
interface Ethernet3
 no shutdown
interface Ethernet6
 no shutdown
interface Ethernet7
 no shutdown
```
- Create the failover groups on ASA1, assign the role of each group, and enable preemption (preemption is disabled by default)
```
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
```
Step 5: Configure the contexts
- On ASA1, create Context C1 and Context C2, allocate Ethernet 0 and Ethernet 3 to C1 and Ethernet 1 and Ethernet 2 to C2, then join C1 to Failover Group 1 and C2 to Failover Group 2.
```
context C1
 allocate-interface Ethernet0
 allocate-interface Ethernet3
 join-failover-group 1
context C2
 allocate-interface Ethernet1
 allocate-interface Ethernet2
 join-failover-group 2
```
- Specify where the configuration of the admin context and of the regular contexts (C1 and C2) is saved
Note: the admin context must be configured before the other virtual firewalls. Its main purpose is to provide connectivity to network resources such as AAA and syslog servers, so it needs an IP address, and administrators use it to switch into and manage the other virtual firewalls. When the ASA is converted from single mode (physical firewall) to multiple mode (virtual firewalls), the original configuration file is stored in the admin context.
```
admin-context admin
context admin
 config-url disk0:/admin.cfg
context C1
 config-url disk0:/C1.cfg
context C2
 config-url disk0:/C2.cfg
```
Step 6: Basic configuration of the virtual child firewalls (contexts)
- Configure the interfaces allocated to Context C1 on ASA1:
  - Interface name
  - Security level
  - IP address of the Active side and of the Standby side
```
! entered inside the context (changeto context C1)
interface Ethernet0
 nameif outside
 security-level 0
 ip address 200.100.1.10 255.255.255.0 standby 200.100.1.20
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.20
```
- Configure the interfaces allocated to Context C2 on ASA1:
  - Interface name
  - Security level
  - IP address of the Active side and of the Standby side
```
! entered inside the context (changeto context C2)
interface Ethernet1
 nameif outside
 security-level 0
 ip address 200.100.2.10 255.255.255.0 standby 200.100.2.20
interface Ethernet2
 nameif inside
 security-level 100
 ip address 192.168.2.10 255.255.255.0 standby 192.168.2.20
```
Step 7: Configure the failover parameters
- Configure ASA1 as the Primary unit, then specify the LAN-Based Failover and Stateful Failover interfaces and their IP addresses.
```
failover lan unit primary
failover lan interface FO Ethernet6
failover link Stateful Ethernet7
failover interface ip FO 66.66.66.1 255.255.255.0 standby 66.66.66.2
failover interface ip Stateful 77.77.77.1 255.255.255.0 standby 77.77.77.2
failover
```
- Configure ASA2 as the Secondary unit, then specify the LAN-Based Failover and Stateful Failover interfaces and their IP addresses (the same addresses as on ASA1; the Secondary unit takes the standby address).
```
interface Ethernet6
 no shutdown
interface Ethernet7
 no shutdown
failover lan unit secondary
failover lan interface FO Ethernet6
failover link Stateful Ethernet7
failover interface ip FO 66.66.66.1 255.255.255.0 standby 66.66.66.2
failover interface ip Stateful 77.77.77.1 255.255.255.0 standby 77.77.77.2
failover
```
5. Lab verification
- Check the failover status. In Failover Group 1, ASA1 is Active for C1 and ASA2 is Standby; in Failover Group 2, ASA2 is Active for C2 and ASA1 is Standby.
```
ASA1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet6 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Group 1 last failover at: 15:39:33 UTC Jan 17 2019
Group 2 last failover at: 15:34:07 UTC Jan 17 2019
This host: Primary
Group 1 State: Active
Active time: 1306 (sec)
Group 2 State: Standby Ready
Active time: 255 (sec)
C1 Interface outside (200.100.1.10): Normal (Monitored)
C1 Interface inside (192.168.1.10): Normal (Monitored)
C2 Interface outside (200.100.2.20): Normal (Monitored)
C2 Interface inside (192.168.2.20): Normal (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 54 (sec)
Group 2 State: Active
Active time: 1099 (sec)
C1 Interface outside (200.100.1.20): Normal (Monitored)
C1 Interface inside (192.168.1.20): Normal (Monitored)
C2 Interface outside (200.100.2.10): Normal (Monitored)
C2 Interface inside (192.168.2.10): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : Stateful Ethernet7 (up)
Stateful Obj xmit xerr rcv rerr
General 211 0 190 0
sys cmd 181 0 180 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 14 0 7 0
UDP conn 9 0 0 0
ARP tbl 2 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 5 0 1 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 3 1552
Xmit Q: 0 3 217
```
- Test connectivity from PC1 and PC2
```
PC1#telnet 200.100.1.1
Trying 200.100.1.1 ... Open
User Access Verification
Password:
```
```
PC2#telnet 200.100.2.1
Trying 200.100.2.1 ... Open
User Access Verification
Password:
```
- When the SW1 interface that connects to ASA1's Ethernet 0 (a Failover Group 1 interface) fails, observe the change in failover status: ASA2 becomes Active in Failover Group 1, and PC1's traffic to R1 continues to flow normally.
Shut down interface E0/0 on SW1:
```
interface Ethernet0/0
 shutdown
```
Check the failover status on ASA1:
```
ASA1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet6 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Group 1 last failover at: 15:53:53 UTC Jan 17 2019
Group 2 last failover at: 15:34:07 UTC Jan 17 2019
This host: Primary
Group 1 State: Failed
Active time: 1386 (sec)
Group 2 State: Standby Ready
Active time: 255 (sec)
C1 Interface outside (200.100.1.20): Failed (Waiting)
C1 Interface inside (192.168.1.20): Normal (Monitored)
C2 Interface outside (200.100.2.20): Normal (Monitored)
C2 Interface inside (192.168.2.20): Normal (Monitored)
Other host: Secondary
Group 1 State: Active
Active time: 80 (sec)
Group 2 State: Active
Active time: 1208 (sec)
C1 Interface outside (200.100.1.10): Normal (Waiting)
C1 Interface inside (192.168.1.10): Normal (Waiting)
C2 Interface outside (200.100.2.10): Normal (Monitored)
C2 Interface inside (192.168.2.10): Normal (Monitored)
```
PC1 can still reach R1:
```
PC1#telnet 200.100.1.1
Trying 200.100.1.1 ... Open
User Access Verification
Password:
```
- When the SW1 interface is restored, ASA1 reclaims the Active role for Context C1 in Failover Group 1 because preemption is enabled.
Bring E0/0 on SW1 back up:
```
interface Ethernet0/0
 no shutdown
```
Check the failover status on ASA1:
```
ASA1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet6 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Group 1 last failover at: 15:54:48 UTC Jan 17 2019
Group 2 last failover at: 15:34:07 UTC Jan 17 2019
This host: Primary
Group 1 State: Active
Active time: 1511 (sec)
Group 2 State: Standby Ready
Active time: 255 (sec)
C1 Interface outside (200.100.1.10): Normal (Monitored)
C1 Interface inside (192.168.1.10): Normal (Monitored)
C2 Interface outside (200.100.2.20): Normal (Monitored)
C2 Interface inside (192.168.2.20): Normal (Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 111 (sec)
Group 2 State: Active
Active time: 1363 (sec)
C1 Interface outside (200.100.1.20): Normal (Monitored)
C1 Interface inside (192.168.1.20): Normal (Monitored)
C2 Interface outside (200.100.2.10): Normal (Monitored)
C2 Interface inside (192.168.2.10): Normal (Monitored)
```
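Reading `show failover` by eye works in a lab, but in production you want the group states and interface health above turned into alerts. The following script is an added example (not from the original article or from Cisco): it parses the per-unit `Group N State` and `Interface` lines of the `show failover` output and applies the A/A health rules this article describes. The sample text is a constructed, condensed copy of the output captured above after SW1's E0/0 was shut down.

```python
import re

# Constructed sample, condensed from the page's "show failover" output taken
# right after SW1's E0/0 was shut down (Group 1 has failed over to ASA2).
SAMPLE = """\
This host: Primary
Group 1 State: Failed
Group 2 State: Standby Ready
C1 Interface outside (200.100.1.20): Failed (Waiting)
C1 Interface inside (192.168.1.20): Normal (Monitored)
Other host: Secondary
Group 1 State: Active
Group 2 State: Active
C1 Interface outside (200.100.1.10): Normal (Waiting)
C2 Interface inside (192.168.2.10): Normal (Monitored)
"""

HOST_RE = re.compile(r"^(?:This|Other) host: (\w+)")
GROUP_RE = re.compile(r"^Group (\d) State: (.+)$")
IFACE_RE = re.compile(r"^(\S+) Interface (\S+) \([\d.]+\): (\w+) \((\w+)\)")

def parse_show_failover(text):
    """Map each unit to {"groups": {group: state}, "bad_ifaces": [ctx/name]}."""
    units, unit = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):  # "This host: Primary" / "Other host: Secondary"
            unit = m.group(1)
            units[unit] = {"groups": {}, "bad_ifaces": []}
        elif unit and (m := GROUP_RE.match(line)):
            units[unit]["groups"][int(m.group(1))] = m.group(2).strip()
        elif unit and (m := IFACE_RE.match(line)) and m.group(3) != "Normal":
            units[unit]["bad_ifaces"].append(f"{m.group(1)}/{m.group(2)}")
    return units

def failover_alerts(units):
    """A/A health rules: no Failed group, no non-Normal interface, and exactly
    one Active unit per failover group (steady state: one group per unit)."""
    alerts = []
    for unit, info in units.items():
        for group, state in info["groups"].items():
            if state == "Failed":
                alerts.append(f"{unit}: group {group} is Failed")
        for iface in info["bad_ifaces"]:
            alerts.append(f"{unit}: interface {iface} is not Normal")
    for group in (1, 2):
        actives = [u for u, i in units.items() if i["groups"].get(group) == "Active"]
        if len(actives) != 1:
            alerts.append(f"group {group}: {len(actives)} Active unit(s)")
    return alerts
```

Feed it the full output of `show failover` from the system execution space; the steady-state output at the start of this section produces no alerts, while the failed-over output above flags ASA1's Group 1 and its C1 outside interface.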