防火墙 Failover 一、failover相关概念：1、failover线：又叫心跳线，是一条故障切换线，参与failover 的防火墙通过这条线决定本身的状态。Failover 线有2种：专用的cable线和LAN线2、statful failover线：即状态线，时刻传递状态信息由主到 次，该线的带宽必须大于等于用户接 口的带宽，状态有3种：专用以太口 或共享LAN-base的failover线或共 享用户接口(不建议）3、failover 组网拓扑：有2种：基于专用cable和基于LAN二、试验拓扑： 三、试验配置：FW5(config)# activation-key 0x5236f5a7 0x97def6da 0x732a91f5 0xf5deef57（添加UR许可，有UR许可才支持Failover）1、基于Lan base的A/S模式FW5（活动设备）FW5(config)# failover link bluefox e3(指定Failover状态接口）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（配置状态接口的IP）FW5(config)# interface e3（打开接口）FW5(config-if)# no shFW5(config-if)# exitFW5(config)# failover lan enable （启用lan base）FW5(config)# failover lan unit primary （指定该设备为主设备）FW5(config)# failover lan interface bluefox e3（指定Failover线（可与状态线共用）FW5(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6（共用时可不配）FW5(config)# failover FW5(config)# interface e0FW5(config-if)# nameif outsideFW5(config-if)# ip add 192.168.7.5 255.255.255.0 standby 192.168.7.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e1FW5(config-if)# nameif insideFW5(config-if)# ip add 192.168.5.5 255.255.255.0 standby 192.168.5.6FW5(config-if)# no shFW5(config-if)# exitFW5(config)# interface e2FW5(config-if)# nameif dmzFW5(config-if)# security-level 50FW5(config-if)# ip add 192.168.8.5 255.255.255.0 standby 192.168.8.6FW5(config-if)# no shFW5(config-if)# exitFW6（备份设备）FW6(config)# interface e3FW6(config-if)# no shFW6(config-if)# exit（打开状态线）FW6(config)# failover lan enable （启用lan base）FW6(config)# failover lan unit secondary （指定该设备为辅助设备）FW6(config)# failover lan interface bluefox e3（指定Failover线）FW6(config)# failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6FW6(config)# failover（启用Failover）测试与分析：FW5FW6FW5由以上各图知FW5为主、FW6为备份设备.在FW6上手动抢占FW6已成为主设备。FW6切换为辅助设备以下为各个设备的详细配置：FW5interface Ethernet0 nameif outside security-level 0 ip address 192.168.7.5 255.255.255.0 standby 192.168.7.6 interface Ethernet1 nameif inside security-level 100 ip address 192.168.5.5 255.255.255.0 standby 192.168.5.6 interface Ethernet2 nameif dmz security-level 50 ip address 192.168.8.5 255.255.255.0 standby 192.168.8.6 interface Ethernet3 description LAN/STATE Failover Interfaceaccess-list 100 extended permit ip any any failoverfailover lan unit primaryfailover lan interface bluefox Ethernet3failover lan enablefailover link bluefox Ethernet3failover interface ip bluefox 192.168.6.5 255.255.255.0 standby 192.168.6.6access-group 100 in interface outsideaccess-group 100 in interface dmzroute outside 0.0.0.0 0.0.0.0 192.168.7.7 1route inside 192.168.10.0 255.255.255.0 192.168.5.100 1route inside 192.168.20.0 255.255.255.0 192.168.5.100 1route dmz 192.168.30.0 255.255.255.0 192.168.8.4 1route dmz 192.168.40.0 255.255.255.0 192.168.8.4 1SW1spanning-tree vlan 1 priority 0spanning-tree vlan 10 priority 0spanning-tree vlan 20 priority 0interface Port-channel1 switchport mode trunkinterface FastEthernet1/1 switchport access vlan 5interface FastEthernet1/2 switchport access vlan 6 interface FastEthernet1/3 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/4 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/5 switchport trunk allowed vlan 1-4,7-1005 switchport mode trunkinterface Vlan5 ip address 192.168.5.1 255.255.255.0 standby 5 ip 192.168.5.100 standby 5 priority 120 standby 5 preempt standby 5 track FastEthernet1/5 50interface Vlan6 ip address 192.168.6.1 255.255.255.0interface Vlan10 ip address 192.168.10.1 255.255.255.0 standby 10 ip 192.168.10.100 standby 10 priority 120 standby 10 preempt standby 10 track FastEthernet1/1 50interface Vlan20 ip address 192.168.20.1 255.255.255.0 standby 20 ip 192.168.20.100 standby 20 priority 120 standby 20 preempt standby 20 track FastEthernet1/1 50ip route 0.0.0.0 0.0.0.0 192.168.5.5SW2spanning-tree vlan 1 priority 4096spanning-tree vlan 10 priority 4096spanning-tree vlan 20 priority 4096interface Port-channel1 switchport mode trunkinterface FastEthernet1/1 switchport access vlan 5interface FastEthernet1/2 switchport access vlan 6interface FastEthernet1/3 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/4 switchport mode trunk channel-group 1 mode oninterface FastEthernet1/5 switchport trunk allowed vlan 1-4,7-1005 switchport mode trunk interface Vlan5 ip address 192.168.5.2 255.255.255.0 standby 5 ip 192.168.5.100 s