Performing Failover with Active/Active


  • 8/13/2019 Performing Failover with Active/Active (LabPro)

    I. Description

    Implement Active/Active failover. This feature provides redundancy and load balancing on both devices at the same time. Combined with the context feature, it allows one device to act as Active for one context while acting as Standby for another, ensuring that the traffic of each context is handled by a separate device.

    Lab requirements:

    Create two contexts, CT01 and CT02.

    CT01
        Inside interface: 192.168.1.0/24
        Outside interface: 192.168.3.0/24

    CT02
        Inside interface: 192.168.2.0/24
        Outside interface: 192.168.3.0/24

    Create two failover groups, 1 and 2.

        CT01 belongs to Group 1
        CT02 belongs to Group 2

        The Primary device is active for Group 1
        The Secondary device is active for Group 2


    II. Configuration

    1. Configuration on the Primary

    ciscoasa(config)# mode multiple
    ciscoasa(config)# failover lan interface FAILOVER e0/3
    ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
    ciscoasa(config)# failover lan unit primary

    Define the failover groups:

    ciscoasa(config)# failover group 1

    Allow the unit to reclaim the active role:

    ciscoasa(config-fover-group)# preempt
    ciscoasa(config-fover-group)# primary
    ciscoasa(config)# failover group 2
    ciscoasa(config-fover-group)# secondary

    Define the contexts:

    ciscoasa(config)# context CT01
    ciscoasa(config-ctx)# config-url flash:/CT01.cfg
    ciscoasa(config-ctx)# allocate-interface e0/0 e0
    ciscoasa(config-ctx)# allocate-interface e0/2 e1

    Assign the context to a failover group:

    ciscoasa(config-ctx)# join-failover-group 1

    ciscoasa(config)# context CT02
    ciscoasa(config-ctx)# config-url flash:/CT02.cfg
    ciscoasa(config-ctx)# allocate-interface e0/1 e0
    ciscoasa(config-ctx)# allocate-interface e0/2 e1
    ciscoasa(config-ctx)# join-failover-group 2

    Configure CT01:

    ciscoasa(config)# changeto context CT01
    ciscoasa/CT01(config)# interface e0
    ciscoasa/CT01(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    ciscoasa/CT01(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    ciscoasa/CT01(config-if)# interface e1
    ciscoasa/CT01(config-if)# ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
    ciscoasa/CT01(config-if)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
    ciscoasa/CT01(config)# nat (inside) 1 192.168.1.0 255.255.255.0
    ciscoasa/CT01(config)# global (outside) 1 interface
    ciscoasa/CT01(config)# access-list ICMP permit icmp any any
    ciscoasa/CT01(config)# access-group ICMP in interface outside
    ciscoasa/CT01(config)# route outside 0 0 192.168.3.10

    Configure CT02:

    ciscoasa(config)# changeto context CT02
    ciscoasa/CT02(config)# interface e0
    ciscoasa/CT02(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
    ciscoasa/CT02(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    ciscoasa/CT02(config-if)# interface e1
    ciscoasa/CT02(config-if)# ip address 192.168.3.3 255.255.255.0 standby 192.168.3.4
    ciscoasa/CT02(config-if)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
    ciscoasa/CT02(config)# nat (inside) 1 192.168.2.0 255.255.255.0
    ciscoasa/CT02(config)# global (outside) 1 interface


    ciscoasa/CT02(config)# access-list ICMP permit icmp any any
    ciscoasa/CT02(config)# access-group ICMP in interface outside
    ciscoasa/CT02(config)# route outside 0 0 192.168.3.10

    ciscoasa(config)# mac-address auto

    2. Configuration on the Secondary

    ciscoasa(config)# mode multiple
    ciscoasa(config)# failover lan interface FAILOVER e0/3
    ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
    ciscoasa(config)# failover lan unit secondary

    Run the failover command on the Primary and make sure the Primary is Active for both groups:

    ciscoasa(config)# failover
    ciscoasa(config)# sh failover state

                   State          Last Failure Reason      Date/Time
    This host  -   Primary
        Group 1    Active         Ifc Failure              10:25:07 UTC Apr 2 2009
        Group 2    Active         None
    Other host -   Secondary
        Group 1    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009
        Group 2    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009

    Next, run the failover command on the Secondary:

    ciscoasa(config)# failover

    The Primary synchronizes its configuration to the Secondary:

    Beginning configuration replication: Sending to mate.
    End Configuration Replication to mate

    At this point the Primary is Active for both groups:

    ciscoasa(config)# sh failover group 1

    Last Failover at: 10:40:44 UTC Apr 2 2009

    This host:    Primary
    State:        Active
    Active time:  662 (sec)

        CT01 Interface inside (192.168.1.1): Normal
        CT01 Interface outside (192.168.3.1): Normal

    Other host:   Secondary
    State:        Standby Ready
    Active time:  280 (sec)

        CT01 Interface inside (192.168.1.2): Normal
        CT01 Interface outside (192.168.3.2): Normal


    Stateful Failover Logical Update Statistics
        Status: Unconfigured.

    ciscoasa(config)# sh failover group 2

    Last Failover at: 10:40:44 UTC Apr 2 2009

    This host:    Primary
    State:        Active
    Active time:  387 (sec)

        CT02 Interface inside (192.168.2.1): Normal
        CT02 Interface outside (192.168.3.3): Normal

    Other host:   Secondary
    State:        Standby Ready
    Active time:  563 (sec)

        CT02 Interface inside (192.168.2.2): Normal
        CT02 Interface outside (192.168.3.4): Normal

    Stateful Failover Logical Update Statistics
        Status: Unconfigured.

    Configure the Secondary to take the Active role for Group 2:

    ciscoasa(config)# failover group 1
    ciscoasa(config-fover-group)# secondary
    ciscoasa(config)# failover group 2
    ciscoasa(config-fover-group)# preempt
    ciscoasa(config-fover-group)# primary
    ciscoasa(config)# failover active group 2

    Failover state after the Secondary becomes Active for Group 2. Check the state on the Primary:

    ciscoasa(config)# sh failover group 1

    Last Failover at: 10 55 UTC Apr 2 2009

    This host:    Primary
    State:        Active
    Active time:  927 (sec)

        CT01 Interface inside (192.168.1.1): Normal
        CT01 Interface outside (192.168.3.1): Normal

    Other host:   Secondary
    State:        Standby Ready
    Active time:  387 (sec)

        CT01 Interface inside (192.168.1.2): Normal
        CT01 Interface outside (192.168.3.2): Normal


    Stateful Failover Logical Update Statistics
        Status: Unconfigured.

    ciscoasa(config)# sh failover group 2

    Last Failover at: 10 19 UTC Apr 2 2009

    This host:    Primary
    State:        Standby Ready
    Active time:  668 (sec)

        CT02 Interface inside (192.168.2.2): Normal
        CT02 Interface outside (192.168.3.4): Normal

    Other host:   Secondary
    State:        Active
    Active time:  657 (sec)

        CT02 Interface inside (192.168.2.1): Normal
        CT02 Interface outside (192.168.3.3): Normal

    Stateful Failover Logical Update Statistics
        Status: Unconfigured.

    III. Full configuration

    Primary System

    ciscoasa(config)# sh run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    no mac-address auto
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
     description LAN Failover Interface
    !
    interface Management0/0
     shutdown
    !
    class default
      limit-resource All 0


      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
    !
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FAILOVER Ethernet0/3
    failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover group 1
      preempt
    failover group 2
      secondary
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      config-url disk0:/admin.cfg
    !
    context CT01
      allocate-interface Ethernet0/0 e0
      allocate-interface Ethernet0/2 e1
      config-url disk0:/CT01.cfg
      join-failover-group 1
    !
    context CT02
      allocate-interface Ethernet0/1 e0
      allocate-interface Ethernet0/2 e1
      config-url disk0:/CT02.cfg
      join-failover-group 2
    !
    prompt hostname context
    Cryptochecksum:a2b3f049b300f03f98ed089e980133bb
    : end
    ciscoasa(config)#
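An added example, not part of the original lab: a short Python check that reads a system-context configuration and reports which unit each context prefers, so a context joined to the wrong failover group is caught before both contexts end up on one unit. The function name `audit_failover` and the sample text are assumptions built from the Primary listing above; the `failover key` finding reflects that this lab sets no shared key on the failover link.

```python
import re

# Constructed sample: failover-related lines of the lab's Primary system
# configuration shown above (interface and resource-class lines left out).
SAMPLE_SYSTEM_CONFIG = """\
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover group 1
  preempt
failover group 2
  secondary
context CT01
  allocate-interface Ethernet0/0 e0
  join-failover-group 1
context CT02
  allocate-interface Ethernet0/1 e0
  join-failover-group 2
"""

def audit_failover(config):
    """Return ({context: preferred unit}, [findings]) for a system config."""
    group_unit, ctx_group, has_key, section = {}, {}, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace() and section:        # sub-command of current section
            kind, name = section
            if kind == "group" and line in ("primary", "secondary"):
                group_unit[name] = line
            elif kind == "context" and (
                    m := re.fullmatch(r"join-failover-group (\d+)", line)):
                ctx_group[name] = m.group(1)
            continue
        section = None                           # back at top level
        if m := re.fullmatch(r"failover group (\d+)", line):
            section = ("group", m.group(1))
            group_unit[m.group(1)] = "primary"   # ASA default preference
        elif m := re.fullmatch(r"context (\S+)", line):
            section = ("context", m.group(1))
            ctx_group[m.group(1)] = "1"          # unassigned contexts use group 1
        elif line.startswith("failover key "):
            has_key = True
    placement = {c: group_unit.get(g, "undefined group " + g)
                 for c, g in ctx_group.items()}
    findings = []
    if len(set(placement.values())) < 2:
        findings.append("all contexts prefer one unit: no load sharing")
    if not has_key:
        findings.append("no 'failover key': failover link is sent in clear text")
    return placement, findings
```
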

    Secondary System

    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    no mac-address auto
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1


    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
     description LAN Failover Interface
    !
    interface Management0/0
     shutdown
    !
    class default
      limit-resource All 0
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
    !
    ftp mode passive
    pager lines 24
    failover
    failover lan unit secondary
    failover lan interface FAILOVER Ethernet0/3
    failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
    failover group 1
      secondary
    failover group 2
      preempt
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      config-url disk0:/admin.cfg
    !
    context CT01
      allocate-interface Ethernet0/0 e0
      allocate-interface Ethernet0/2 e1
      config-url disk0:/CT01.cfg
      join-failover-group 1
    !
    context CT02
      allocate-interface Ethernet0/1 e0
      allocate-interface Ethernet0/2 e1
      config-url disk0:/CT02.cfg
      join-failover-group 2
    !
    prompt hostname context
    Cryptochecksum:3a1aa0e8f63d97b73eb4993d0b9dbd84
    : end
    ciscoasa(config)#


    CT01

    ASA Version 8.0(2)
    !
    hostname CT01
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface e0
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
    !
    interface e1
     nameif outside
     security-level 0
     ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    access-list ICMP extended permit icmp any any
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group ICMP in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.3.10 1
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:18c50ede4f3097576448a65490635092
    : end


    CT02

    ASA Version 8.0(2)
    !
    hostname CT02
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface e0
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
    !
    interface e1
     nameif outside
     security-level 0
     ip address 192.168.3.3 255.255.255.0 standby 192.168.3.4
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    access-list ICMP extended permit icmp any any
    pager lines 24
    global (outside) 1 interface
    nat (inside) 1 192.168.2.0 255.255.255.0
    access-group ICMP in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.3.10 1
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:2f29dfd9dd1d4977600dc068834c56fb


    : end

    GATEWAY

    GATEWAY_1#sh run
    Building configuration...

    Current configuration : 846 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname GATEWAY
    !
    interface FastEthernet0/0
     ip address 192.168.3.10 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address dhcp
     ip nat outside
     duplex auto
     speed auto
    !
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip classless
    ip route 192.168.1.0 255.255.255.0 192.168.3.1
    ip route 192.168.2.0 255.255.255.0 192.168.3.3
    ip http server
    no ip http secure-server
    !
    access-list 1 permit 192.168.3.0 0.0.0.255
    !

    IV. Verification

    On PC1

    Traffic going out to the Internet is handled by CT01 on the Primary:

    ciscoasa/CT01(config)# sh conn


    7 in use, 16 most used
    ICMP out 69.89.22.108:0 in 192.168.1.10:1024 idle 0:00:00 bytes 64

    ciscoasa/CT01(config)# sh xlate
    1 in use, 19 most used
    PAT Global 192.168.3.1(1026) Local 192.168.1.10(2513)

    On PC2

    Traffic going out to the Internet is handled by CT02 on the Secondary:

    ciscoasa/CT02(config)# sh conn
    5 in use, 9 most used
    ICMP out 69.89.22.108:0 in 192.168.2.10:1024 idle 0:00:01 bytes 32

    ciscoasa/CT02(config)# sh xlate
    3 in use, 4 most used
    PAT Global 192.168.3.3(2) Local 192.168.2.10 ICMP id 1024
    PAT Global 192.168.3.3(1024) Local 192.168.2.10(2551)
    PAT Global 192.168.3.3(1025) Local 192.168.2.10(60190)