¶ 第一部分 A/S-FO V4 LAB考点
实验一拓扑:
¶ EVE环境
环境描述:
- 设备简介
本拓扑中包含两台路由器(Hostname 分别是 Outside,Inside),两台防火墙(Hostname分别是ASA1,ASA2),一台交换机(Hostname:SW)。 - 连接方式
两台ASA防火墙的G0 – 3接口分别接入交换机的E1/0 – 3接口和E2/0 – 3接口,两台路由器的E0/0接口分别接入交换机的E0/0和E0/1接口。 - 地址范围
| Device | IP/Mask |
| Outside路由器E0/0 | 202.100.1.1/24 |
| Inside路由器E0/0 | 10.1.1.1/24 |
| SW交换机 | |
| E1/0 | VLAN2 |
| E1/1 | VLAN3 |
| E1/2 | VLAN4 |
| E1/3 | VLAN5 |
| E2/0 | VLAN2 |
| E2/1 | VLAN3 |
| E2/2 | VLAN4 |
| E2/3 | VLAN5 |
| E0/0 | VLAN2 |
| E0/1 | VLAN3 |
| ASA1 | |
| G0 | 202.100.1.10/24 |
| G1 | 10.1.1.10/24 |
| G2 | 192.168.10.10/24 |
| G3 | 192.168.20.10/24 |
| ASA2 | |
| G0 | 202.100.1.20/24 |
| G1 | 10.1.1.20/24 |
| G3 | 192.168.10.20/24 |
| G4 | 192.168.20.20/24 |
¶ 实验一需求:
¶ 1. 预配
SW:
vlan 2,3,4,5
!
interface Ethernet0/0
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface Ethernet0/1
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface Ethernet1/0
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface Ethernet1/1
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface Ethernet1/2
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface Ethernet1/3
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface Ethernet2/0
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface Ethernet2/1
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface Ethernet2/2
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface Ethernet2/3
switchport access vlan 5
switchport mode access
spanning-tree portfast
¶ 2. 按照如下的输出配置A/S的FO:
ASA(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FO GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 9.1(5)21, Mate 9.1(5)21
Last Failover at: 13:02:22 UTC Dec 19 2016
This host: Primary - Active
Active time: 35 (sec)
Interface Outside (202.100.1.10): Normal (Monitored)
Interface Inside (10.1.1.10): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface Outside (202.100.1.20): Normal (Monitored)
Interface Inside (10.1.1.20): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
设备配置:
ASA1
failover lan unit primary
failover lan interface FO Ethernet2
failover key cisco
failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0 standby 10.1.1.20
no shutdown
!
interface Ethernet0
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0 standby 202.100.1.20
no shutdown
ASA1(config)# prompt priority state
pri/act(config)#
ASA2
failover lan unit secondary
failover lan interface FO Ethernet2
failover key cisco
failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover
测试现象:
¶ 3. 当对应交换机的E1/1口DOWN时,测试故障切换
ASA(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FO GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 9.1(5)21, Mate 9.1(5)21
Last Failover at: 13:02:22 UTC Dec 19 2016
This host: Primary - Standby Ready
Active time: 35 (sec)
Interface Outside (202.100.1.20): Normal (Monitored)
Interface Inside (10.1.1.20): Normal (Monitored)
Other host: Secondary - Active
Active time: 0 (sec)
Interface Outside (202.100.1.10): Normal (Monitored)
Interface Inside (10.1.1.10): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
设备配置:
int e1/1
shutdown
测试现象:
¶ 4. 指派ASA1的G3接口为Stateful链路,并测试故障切换。
设备配置:
active设备
failover link stateful Ethernet3
failover interface ip stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
测试现象:
¶ 5. 更改单元轮询时间为200毫秒和hold时间为800毫秒,更改接口轮询时间为3秒和hold时间为15秒。
设备配置:
failover polltime unit msec 200 holdtime msec 800
failover polltime interface 3 holdtime 15
测试现象:
¶ 第二部分 A/A-FO V4 LAB 考点
实验二拓扑:
环境描述:
- 设备简介
本拓扑中包含三台路由器(Hostname 分别是 SP1,SP2,Inside),两台防火墙(Hostname分别是ASA1,ASA2),一台交换机(Hostname:SW)。 - 连接方式
两台ASA防火墙的G0 – 3接口分别接入交换机的E1/0 – 3接口和E2/0 – 3接口,三台路由器的E0/0接口分别接入交换机的E0/0 - 2接口。 - 地址范围
| Device | IP/Mask |
| SP1路由器E0/0 | 202.100.1.1/24 & 222.1.1.1/24 |
| SP2路由器E0/0 | 61.128.1.1/24 & 222.1.1.2/24 |
| Inside路由器E0/0 | 202.100.2.1/24 & 61.128.2.1/24 |
| SW****交换机 | |
| E0/0 | VLAN6,7 |
| E0/1 | VLAN2,3 |
| E0/2 | VLAN2,4 |
| E1/0 | VLAN3 |
| E1/1 | VLAN4 |
| E1/2 | VLAN5 |
| E1/3 | VLAN6,7 |
| E2/0 | VLAN3 |
| E2/1 | VLAN4 |
| E2/2 | VLAN5 |
| E2/3 | VLAN6,7 |
实验二需求:
¶ 配置A/A-FO,并测试故障切换和异步路由
ASA1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FO/Sta GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 9.1(5)21, Mate 9.1(5)21
Group 1 last failover at: 03:50:54 UTC Dec 20 2016
Group 2 last failover at: 03:51:01 UTC Dec 20 2016
This host: Primary
Group 1 State: Active
Active time: 45 (sec)
Group 2 State: Standby Ready
Active time: 6 (sec)
c1 Interface Outside (202.100.1.10): Normal (Monitored)
c1 Interface Inside (202.100.2.10): Normal (Not-Monitored)
c2 Interface Outside (61.128.1.20): Normal (Monitored)
c2 Interface Inside (61.128.2.20): Normal (Not-Monitored)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 38 (sec)
c1 Interface Outside (202.100.1.20): Normal (Monitored)
c1 Interface Inside (202.100.2.20): Normal (Not-Monitored)
c2 Interface Outside (61.128.1.10): Normal (Monitored)
c2 Interface Inside (61.128.2.10): Normal (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : FO/Sta GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 9 0 6 0
sys cmd 6 0 6 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate\_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 3 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 33
Xmit Q: 0 4 107
设备配置:
ASA1
FO配置
failover lan unit primary
failover lan interface FO Ethernet2
failover key cisco
failover link FO Ethernet2
failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover group 1
preempt
failover group 2
secondary
preempt
failover
context配置
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context c1
allocate-interface Ethernet0
allocate-interface Ethernet3.6
config-url disk0:/c1.cfg
join-failover-group 1
!
context c2
allocate-interface Ethernet1
allocate-interface Ethernet3.7
config-url disk0:/c2.cfg
join-failover-group 2
接口初始化配置:
interface Ethernet0
!
interface Ethernet1
!
interface Ethernet2
description LAN/STATE Failover Interface
!
interface Ethernet3
!
interface Ethernet3.6
vlan 6
!
interface Ethernet3.7
vlan 7
子墙配置
C1配置
interface Ethernet0
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0 standby 202.100.1.20
!
interface Ethernet3.6
nameif inside
security-level 100
ip address 202.100.2.10 255.255.255.0 standby 202.100.2.20
C2配置
interface Ethernet1
nameif outside
security-level 0
ip address 61.128.1.10 255.255.255.0 standby 61.128.1.20
!
interface Ethernet3.7
nameif inside
security-level 100
ip address 61.128.2.10 255.255.255.0 standby 61.128.2.20
ASA2
FO配置
failover lan unit secondary
failover lan interface FO Ethernet2
failover key \*\*\*\*\*
failover link FO Ethernet2
failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover group 1
preempt
failover group 2
secondary
preempt
failover
测试现象:
