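1. Clarifying several concepts about "active" and "standby": Failover Link
The failover link is used by the two units to tell each other their operating state. The information carried on the failover link includes:
o The unit's current state (active and standby)
o Power status (only with a dedicated failover cable)
o Hello packets (also sent out of all other interfaces)
o Configuration passed from the active unit to the standby unit (called configuration synchronization)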
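The failover link can run over two kinds of media (which give the two forms of failover):
o Dedicated cable ("cable-based failover"): recommended when the two units are no more than 6 feet (about 1.83 m) apart, because each unit can sense the peer's power status over this cable and can tell whether the peer has lost power or never had a power cord plugged in. The failover cable is a modified RS-232 serial cable (115 Kbps); one end is labeled "
o Ethernet ("LAN-based failover"): any unused Ethernet port on the unit can be used. Use this form when the two units are more than 6 feet (about 1.83 m) apart. Note that the units must be connected through a switch (a dedicated switch is recommended); the Ethernet ports of the two units cannot be connected directly with a crossover cable.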
4. Configuration examples

Example 1: Cable-Based Failover Configuration

    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 shutdown
    interface ethernet3 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet3 state security20
    enable password farscape encrypted
    password crichton encrypted
    telnet 192.168.2.45 255.255.255.255
    hostname pixfirewall
    ip address outside 209.165.201.1 255.255.255.224
    ip address inside 192.168.2.1 255.255.255.0
    ip address state 192.168.253.1 255.255.255.252
    failover ip address outside 209.165.201.2
    failover ip address inside 192.168.2.2
    failover ip address state 192.168.253.2
    failover link state
    failover
    global (outside) 1 209.165.201.3 netmask 255.255.255.224
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
    access-list acl_out permit tcp any host 209.165.201.5 eq 80
    access-group acl_out in interface outside
    route outside 0 0 209.165.201.4 1
Example 2: LAN-Based Failover Configuration

Primary unit:

    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 failover security10
    nameif ethernet3 state security20
    enable password farscape encrypted
    password crichton encrypted
    telnet 192.168.2.45 255.255.255.255
    hostname pixfirewall
    ip address outside 209.165.201.1 255.255.255.224
    ip address inside 192.168.2.1 255.255.255.0
    ip address failover 192.168.254.1 255.255.255.0
    ip address state 192.168.253.1 255.255.255.252
    failover ip address outside 209.165.201.2
    failover ip address inside 192.168.2.2
    failover ip address failover 192.168.254.2
    failover ip address state 192.168.253.2
    failover link state
    failover lan unit primary
    failover lan interface failover
    failover lan key 12345678
    failover lan enable
    failover
    global (outside) 1 209.165.201.3 netmask 255.255.255.224
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
    access-list acl_out permit tcp any host 209.165.201.5 eq 80
    access-group acl_out in interface outside
    route outside 0 0 209.165.201.4 1
Secondary unit:

    interface ethernet2 100full
    nameif ethernet2 failover security10
    ip address failover 192.168.254.1 255.255.255.0
    failover ip address failover 192.168.254.2
    failover lan unit secondary
    failover lan interface failover
    failover lan key 12345678
    failover lan enable
    failover
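An added example, not part of the original article or of any Cisco tooling: a short Python audit of the failover lines in a configuration like Example 2, checking that every interface has a usable standby address, that `failover link` and `failover lan interface` name configured interfaces, and that the `failover lan key` is present and matches the peer's. The function names and the `peer_key` parameter are hypothetical, and the same-subnet and matching-key rules are background assumptions the article does not spell out.

```python
import ipaddress

# Constructed sample: failover-related lines taken from Example 2 (primary unit).
PRIMARY = """\
ip address inside 192.168.2.1 255.255.255.0
ip address failover 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address inside 192.168.2.2
failover ip address failover 192.168.254.2
failover ip address state 192.168.253.2
failover link state
failover lan unit primary
failover lan interface failover
failover lan key 12345678
failover lan enable
"""

def parse(cfg):
    """Collect active IPs, standby IPs and 'failover lan'/'failover link' settings."""
    active, standby, opts = {}, {}, {}
    for w in map(str.split, cfg.splitlines()):
        if w[:2] == ["ip", "address"] and len(w) == 5:
            active[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[:3] == ["failover", "ip", "address"] and len(w) == 5:
            standby[w[3]] = ipaddress.ip_address(w[4])
        elif w[:2] == ["failover", "lan"] and len(w) >= 3:
            opts["lan " + w[2]] = w[3] if len(w) > 3 else True
        elif w[:2] == ["failover", "link"] and len(w) == 3:
            opts["link"] = w[2]
    return active, standby, opts

def audit(cfg, peer_key=None):
    """Return a list of findings; an empty list means every check passed."""
    active, standby, opts = parse(cfg)
    out = []
    # Assumption (not stated in the article): standby IP shares the active IP's subnet.
    for name, iface in active.items():
        sb = standby.get(name)
        if sb is None:
            out.append(f"{name}: no standby address")
        elif sb == iface.ip or sb not in iface.network:
            out.append(f"{name}: standby {sb} invalid for {iface.network}")
    for key in ("link", "lan interface"):
        if key in opts and opts[key] not in active:
            out.append(f"failover {key} names unknown interface {opts[key]}")
    if opts.get("lan enable") and "lan key" not in opts:
        out.append("LAN-based failover enabled without 'failover lan key'")
    if peer_key is not None and opts.get("lan key") != peer_key:
        out.append("failover lan key differs from peer")
    return out
```

Pass the secondary unit's key as `peer_key` to catch a mismatch before the units are cabled together; the key in the article's example is a sample value and should be replaced with a strong secret on real units.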