Performing Failover with Active/Active
LabPro, 8/13/2019
I. Description: Implement Active/Active failover. This feature provides redundancy and load balancing across both devices at the same time. Combined with the context feature, it lets one device act as Active for one context while being Standby for another context, ensuring that the traffic belonging to each context is handled by a separate device.
Carry out the lab according to these requirements:
Create two contexts, CT01 and CT02.
CT01
  Inside port: 192.168.1.0/24
  Outside port: 192.168.3.0/24
CT02
  Inside port: 192.168.2.0/24
  Outside port: 192.168.3.0/24
Create two failover groups, 1 and 2.
  CT01 belongs to Group 1
  CT02 belongs to Group 2
The Primary device is active for Group 1.
The Secondary device is active for Group 2.
II. Configuration
1. Configuration on the Primary
ciscoasa(config)# mode multiple
ciscoasa(config)# failover lan interface FAILOVER e0/3
ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
ciscoasa(config)# failover lan unit primary

Define the failover groups
ciscoasa(config)# failover group 1
Allow the unit to take back the active role
ciscoasa(config-fover-group)# preempt
ciscoasa(config-fover-group)# primary
ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# secondary

Define the contexts
ciscoasa(config)# context CT01
ciscoasa(config-ctx)# config-url flash:/CT01.cfg
ciscoasa(config-ctx)# allocate-interface e0/0 e0
ciscoasa(config-ctx)# allocate-interface e0/2 e1
Assign the context to a group
ciscoasa(config-ctx)# join-failover-group 1

ciscoasa(config)# context CT02
ciscoasa(config-ctx)# config-url flash:/CT02.cfg
ciscoasa(config-ctx)# allocate-interface e0/1 e0
ciscoasa(config-ctx)# allocate-interface e0/2 e1
ciscoasa(config-ctx)# join-failover-group 2

Configure CT01
ciscoasa(config)# changeto context CT01
ciscoasa/CT01(config)# interface e0
ciscoasa/CT01(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ciscoasa/CT01(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CT01(config-if)# interface e1
ciscoasa/CT01(config-if)# ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
ciscoasa/CT01(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa/CT01(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa/CT01(config)# global (outside) 1 interface
ciscoasa/CT01(config)# access-list ICMP permit icmp any any
ciscoasa/CT01(config)# access-group ICMP in interface outside
ciscoasa/CT01(config)# route outside 0 0 192.168.3.10

Configure CT02
ciscoasa(config)# changeto context CT02
ciscoasa/CT02(config)# interface e0
ciscoasa/CT02(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
ciscoasa/CT02(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CT02(config-if)# interface e1
ciscoasa/CT02(config-if)# ip address 192.168.3.3 255.255.255.0 standby 192.168.3.4
ciscoasa/CT02(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa/CT02(config)# nat (inside) 1 192.168.2.0 255.255.255.0
ciscoasa/CT02(config)# global (outside) 1 interface
ciscoasa/CT02(config)# access-list ICMP permit icmp any any
ciscoasa/CT02(config)# access-group ICMP in interface outside
ciscoasa/CT02(config)# route outside 0 0 192.168.3.10

ciscoasa(config)# mac-address auto

2. Configuration on the Secondary
ciscoasa(config)# mode multiple
ciscoasa(config)# failover lan interface FAILOVER e0/3
ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
ciscoasa(config)# failover lan unit secondary

Issue the failover command on the Primary and make sure the Primary is Active for both groups
ciscoasa(config)# failover
ciscoasa(config)# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         Ifc Failure              10:25:07 UTC Apr 2 2009
    Group 2    Active         None
Other host -   Secondary
    Group 1    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009
    Group 2    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009

Next, issue the failover command on the Secondary.
ciscoasa(config)# failover

The Primary synchronizes its configuration with the Secondary

Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

At this point the failover state on the Primary is Active for both groups
ciscoasa(config)# sh failover group 1

Last Failover at: 10:40:44 UTC Apr 2 2009

This host:    Primary
State:        Active
Active time:  662 (sec)

  CT01 Interface inside (192.168.1.1): Normal
  CT01 Interface outside (192.168.3.1): Normal

Other host:   Secondary
State:        Standby Ready
Active time:  280 (sec)

  CT01 Interface inside (192.168.1.2): Normal
  CT01 Interface outside (192.168.3.2): Normal

Stateful Failover Logical Update Statistics
Status: Unconfigured.

ciscoasa(config)# sh failover group 2

Last Failover at: 10:40:44 UTC Apr 2 2009

This host:    Primary
State:        Active
Active time:  387 (sec)

  CT02 Interface inside (192.168.2.1): Normal
  CT02 Interface outside (192.168.3.3): Normal

Other host:   Secondary
State:        Standby Ready
Active time:  563 (sec)

  CT02 Interface inside (192.168.2.2): Normal
  CT02 Interface outside (192.168.3.4): Normal

Stateful Failover Logical Update Statistics
Status: Unconfigured.

Configure the Secondary to take the Active role for Group 2
ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# secondary
ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# preempt
ciscoasa(config-fover-group)# primary
ciscoasa(config)# failover active group 2

Failover state after the Secondary takes the Active role for Group 2. Check the state on the Primary
ciscoasa(config)# sh failover group 1

Last Failover at: 10 55 UTC Apr 2 2009

This host:    Primary
State:        Active
Active time:  927 (sec)

  CT01 Interface inside (192.168.1.1): Normal
  CT01 Interface outside (192.168.3.1): Normal

Other host:   Secondary
State:        Standby Ready
Active time:  387 (sec)

  CT01 Interface inside (192.168.1.2): Normal
  CT01 Interface outside (192.168.3.2): Normal

Stateful Failover Logical Update Statistics
Status: Unconfigured.

ciscoasa(config)# sh failover group 2

Last Failover at: 10 19 UTC Apr 2 2009

This host:    Primary
State:        Standby Ready
Active time:  668 (sec)

  CT02 Interface inside (192.168.2.2): Normal
  CT02 Interface outside (192.168.3.4): Normal

Other host:   Secondary
State:        Active
Active time:  657 (sec)

  CT02 Interface inside (192.168.2.1): Normal
  CT02 Interface outside (192.168.3.3): Normal

Stateful Failover Logical Update Statistics
Status: Unconfigured.
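
A health check over the "sh failover state" output shown in this section, as an added example that is not part of the original lab: it flags a peer that is not in a healthy state and the case where one unit is Active for every group, so the pair gives no load sharing. The sample text is constructed in the layout of that output; the function names and the choice of Active and Standby Ready as the only healthy states are assumptions.

```python
import re

# Constructed sample in the layout of "sh failover state": both groups are
# Active on the Primary and the Secondary has not been detected yet.
SAMPLE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         Ifc Failure              10:25:07 UTC Apr 2 2009
    Group 2    Active         None
Other host -   Secondary
    Group 1    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009
    Group 2    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009
"""

def parse_state(text):
    """Return {unit: {group: state}}; columns are assumed split by 2+ spaces."""
    units, unit = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*(?:This|Other) host\s*-\s*(\S+)", line):
            unit = m.group(1)
            units[unit] = {}
        elif unit and (m := re.match(r"\s*Group (\d+)\s+(.+?)(?:\s{2,}|$)", line)):
            units[unit][int(m.group(1))] = m.group(2)
    return units

def check(units):
    """Flag states that leave the pair without redundancy or load sharing."""
    findings = []
    groups = sorted({g for states in units.values() for g in states})
    for g in groups:
        # Each group must be Active on exactly one unit.
        active = [u for u, s in units.items() if s.get(g) == "Active"]
        if len(active) != 1:
            findings.append(f"group {g}: Active on {len(active)} units")
        # Assumption: only Active and Standby Ready count as healthy.
        for u, s in units.items():
            if s.get(g) not in ("Active", "Standby Ready"):
                findings.append(f"group {g}: {u} is {s.get(g)}")
    owners = {u for u, s in units.items() if "Active" in s.values()}
    if len(groups) > 1 and len(owners) == 1:
        findings.append(f"all groups Active on {owners.pop()}")
    return findings
```
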

III. Full configuration

Primary System
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
!
class default
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover group 1
 preempt
failover group 2
 secondary
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context CT01
 allocate-interface Ethernet0/0 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT01.cfg
 join-failover-group 1
!
context CT02
 allocate-interface Ethernet0/1 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT02.cfg
 join-failover-group 2
!
prompt hostname context
Cryptochecksum:a2b3f049b300f03f98ed089e980133bb
: end
ciscoasa(config)#

Secondary System
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
!
class default
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/3
failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover group 1
 secondary
failover group 2
 preempt
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context CT01
 allocate-interface Ethernet0/0 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT01.cfg
 join-failover-group 1
!
context CT02
 allocate-interface Ethernet0/1 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT02.cfg
 join-failover-group 2
!
prompt hostname context
Cryptochecksum:3a1aa0e8f63d97b73eb4993d0b9dbd84
: end
ciscoasa(config)#
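
An added example, not part of the original lab or of any Cisco tooling: a Python audit of the system-context configuration that checks each context's join-failover-group against the lab plan (CT01 in Group 1, CT02 in Group 2) and that the failover groups prefer different units. The sample text is constructed, and the function names and the two defaults noted in the comments are assumptions.

```python
import re

# Constructed sample: failover-related lines of a system "sh run", shaped like
# the listings above but with CT02 joined to group 1 (the slip to catch).
SAMPLE = """\
failover lan unit primary
failover group 1
 preempt
failover group 2
 secondary
context CT01
 join-failover-group 1
context CT02
 join-failover-group 1
"""

def parse(cfg):
    """Return ({group: preferred unit}, {context: group}) from system config text."""
    groups, contexts, section = {}, {}, None
    for line in cfg.splitlines():
        words = line.split()
        if m := re.match(r"failover group (\d+)\s*$", line):
            section = ("group", int(m.group(1)))
            groups[section[1]] = "primary"   # assumption: no keyword shown means primary
        elif m := re.match(r"context (\S+)\s*$", line):
            section = ("context", m.group(1))
            contexts[section[1]] = 1         # assumption: unassigned contexts are in group 1
        elif line.startswith(" ") and words and section:
            if section[0] == "group" and words[0] in ("primary", "secondary"):
                groups[section[1]] = words[0]
            elif section[0] == "context" and words[0] == "join-failover-group":
                contexts[section[1]] = int(words[1])
        else:
            section = None                   # any other top-level line ends the block
    return groups, contexts

def audit(cfg, intended):
    """Compare the parsed config with the intended {context: group} plan."""
    groups, contexts = parse(cfg)
    findings = []
    for ctx, want in intended.items():
        got = contexts.get(ctx)
        if got != want:
            findings.append(f"{ctx}: in group {got}, expected {want}")
    for ctx, grp in contexts.items():
        if grp not in groups:
            findings.append(f"{ctx}: joins undefined failover group {grp}")
    if len(set(groups.values())) < 2:
        findings.append("all failover groups prefer the same unit")
    return findings
```
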

CT01
ASA Version 8.0(2)
!
hostname CT01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface e1
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.10 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:18c50ede4f3097576448a65490635092
: end

CT02
ASA Version 8.0(2)
!
hostname CT02
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
interface e1
 nameif outside
 security-level 0
 ip address 192.168.3.3 255.255.255.0 standby 192.168.3.4
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
pager lines 24
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.10 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2f29dfd9dd1d4977600dc068834c56fb
: end

GATEWAY
GATEWAY_1#sh run
Building configuration...

Current configuration : 846 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GATEWAY
!
interface FastEthernet0/0
 ip address 192.168.3.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.3
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.3.0 0.0.0.255
!

IV. Verification

On PC1
Traffic going out to the Internet is handled by CT01 on the Primary
ciscoasa/CT01(config)# sh conn
7 in use, 16 most used
ICMP out 69.89.22.108:0 in 192.168.1.10:1024 idle 0:00:00 bytes 64

ciscoasa/CT01(config)# sh xlate
1 in use, 19 most used
PAT Global 192.168.3.1(1026) Local 192.168.1.10(2513)

On PC2
Traffic going out to the Internet is handled by CT02 on the Secondary
ciscoasa/CT02(config)# sh conn
5 in use, 9 most used
ICMP out 69.89.22.108:0 in 192.168.2.10:1024 idle 0:00:01 bytes 32

ciscoasa/CT02(config)# sh xlate
3 in use, 4 most used
PAT Global 192.168.3.3(2) Local 192.168.2.10 ICMP id 1024
PAT Global 192.168.3.3(1024) Local 192.168.2.10(2551)
PAT Global 192.168.3.3(1025) Local 192.168.2.10(60190)