Implementing Failover with Active


Implementing Failover with Active/Active LabPro


I. Description:
Implement Active/Active failover. This feature provides redundancy and load balancing across both devices at the same time. Combined with the context feature, it lets one device act as Active for one context while acting as Standby for another, so that the traffic of each context is handled by a separate device.

Carry out the lab according to the following requirements:

Create two contexts, CT01 and CT02.
CT01: inside interface 192.168.1.0/24, outside interface 192.168.3.0/24
CT02: inside interface 192.168.2.0/24, outside interface 192.168.3.0/24

Create two failover groups, 1 and 2.
CT01 belongs to Group 1
CT02 belongs to Group 2

The Primary unit acts as active for Group 1
The Secondary unit acts as active for Group 2

II. Configuration

1. Configuration on the Primary

ciscoasa(config)# mode multiple
ciscoasa(config)# failover lan interface FAILOVER e0/3
ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
ciscoasa(config)# failover lan unit primary

Define the failover groups

ciscoasa(config)# failover group 1

Allow the unit to reclaim the active role

ciscoasa(config-fover-group)# preempt
ciscoasa(config-fover-group)# primary
ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# secondary

Define the contexts

ciscoasa(config)# context CT01
ciscoasa(config-ctx)# config-url flash:/CT01.cfg
ciscoasa(config-ctx)# allocate-interface e0/0 e0
ciscoasa(config-ctx)# allocate-interface e0/2 e1

Assign the context to a group

ciscoasa(config-ctx)# join-failover-group 1
ciscoasa(config)# context CT02
ciscoasa(config-ctx)# config-url flash:/CT02.cfg
ciscoasa(config-ctx)# allocate-interface e0/1 e0
ciscoasa(config-ctx)# allocate-interface e0/2 e1
ciscoasa(config-ctx)# join-failover-group 2

Configure CT01

ciscoasa(config)# changeto context CT01
ciscoasa/CT01(config)# interface e0
ciscoasa/CT01(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ciscoasa/CT01(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CT01(config-if)# interface e1
ciscoasa/CT01(config-if)# ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
ciscoasa/CT01(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa/CT01(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa/CT01(config)# global (outside) 1 interface
ciscoasa/CT01(config)# access-list ICMP permit icmp any any
ciscoasa/CT01(config)# access-group ICMP in interface outside
ciscoasa/CT01(config)# route outside 0 0 192.168.3.10

Configure CT02

ciscoasa(config)# changeto context CT02
ciscoasa/CT02(config)# interface e0
ciscoasa/CT02(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
ciscoasa/CT02(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CT02(config-if)# interface e1
ciscoasa/CT02(config-if)# ip address 192.168.3.3 255.255.255.0 standby 192.168.3.4
ciscoasa/CT02(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa/CT02(config)# nat (inside) 1 192.168.2.0 255.255.255.0
ciscoasa/CT02(config)# global (outside) 1 interface
ciscoasa/CT02(config)# access-list ICMP permit icmp any any
ciscoasa/CT02(config)# access-group ICMP in interface outside
ciscoasa/CT02(config)# route outside 0 0 192.168.3.10
ciscoasa(config)# mac-address auto

2. Configuration on the Secondary

ciscoasa(config)# mode multiple
ciscoasa(config)# failover lan interface FAILOVER e0/3
ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
ciscoasa(config)# failover lan unit secondary

Run the failover command on the Primary and make sure the Primary is acting as Active for both groups

ciscoasa(config)# failover
ciscoasa(config)# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         Ifc Failure              10:25:07 UTC Apr 2 2009
    Group 2    Active         None
Other host -   Secondary
    Group 1    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009
    Group 2    Not Detected   Comm Failure             10:27:37 UTC Apr 2 2009

Next, run the failover command on the Secondary.

ciscoasa(config)# failover

The Primary replicates its configuration to the Secondary

Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

At this point the failover state on the Primary is Active for both groups

ciscoasa(config)# sh failover group 1
  Last Failover at: 10:40:44 UTC Apr 2 2009

  This host: Primary
  State: Active
  Active time: 662 (sec)
    CT01 Interface inside (192.168.1.1): Normal
    CT01 Interface outside (192.168.3.1): Normal

  Other host: Secondary
  State: Standby Ready
  Active time: 280 (sec)
    CT01 Interface inside (192.168.1.2): Normal
    CT01 Interface outside (192.168.3.2): Normal

Stateful Failover Logical Update Statistics
  Status: Unconfigured.

ciscoasa(config)# sh failover group 2
  Last Failover at: 10:40:44 UTC Apr 2 2009

  This host: Primary
  State: Active
  Active time: 387 (sec)
    CT02 Interface inside (192.168.2.1): Normal
    CT02 Interface outside (192.168.3.3): Normal

  Other host: Secondary
  State: Standby Ready
  Active time: 563 (sec)
    CT02 Interface inside (192.168.2.2): Normal
    CT02 Interface outside (192.168.3.4): Normal

Stateful Failover Logical Update Statistics
  Status: Unconfigured.

Configure the Secondary to take the Active role for Group 2

ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# secondary
ciscoasa(config)# failover group 2
ciscoasa(config-fover-group)# preempt
ciscoasa(config-fover-group)# primary
ciscoasa(config)# failover active group 2

Failover state after the Secondary takes the Active role for Group 2. Check the state on the Primary

ciscoasa(config)# sh failover group 1
  Last Failover at: 10 [...] 55 UTC Apr 2 2009

  This host: Primary
  State: Active
  Active time: 927 (sec)
    CT01 Interface inside (192.168.1.1): Normal
    CT01 Interface outside (192.168.3.1): Normal

  Other host: Secondary
  State: Standby Ready
  Active time: 387 (sec)
    CT01 Interface inside (192.168.1.2): Normal
    CT01 Interface outside (192.168.3.2): Normal

Stateful Failover Logical Update Statistics
  Status: Unconfigured.

ciscoasa(config)# sh failover group 2
  Last Failover at: 10 [...] 19 UTC Apr 2 2009

  This host: Primary
  State: Standby Ready
  Active time: 668 (sec)
    CT02 Interface inside (192.168.2.2): Normal
    CT02 Interface outside (192.168.3.4): Normal

  Other host: Secondary
  State: Active
  Active time: 657 (sec)
    CT02 Interface inside (192.168.2.1): Normal
    CT02 Interface outside (192.168.3.3): Normal

Stateful Failover Logical Update Statistics
  Status: Unconfigured.

III. Full configuration

Primary System

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
!
class default
 limit-resource All 0

 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover group 1
 preempt
failover group 2
 secondary
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context CT01
 allocate-interface Ethernet0/0 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT01.cfg
 join-failover-group 1
!
context CT02
 allocate-interface Ethernet0/1 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT02.cfg
 join-failover-group 2
!
prompt hostname context
Cryptochecksum:a2b3f049b300f03f98ed089e980133bb
: end
ciscoasa(config)#

Secondary System

ASA Version 8.0(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
!
class default
 limit-resource All 0
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/3
failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover group 1
 secondary
failover group 2
 preempt
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context CT01
 allocate-interface Ethernet0/0 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT01.cfg
 join-failover-group 1
!
context CT02
 allocate-interface Ethernet0/1 e0
 allocate-interface Ethernet0/2 e1
 config-url disk0:/CT02.cfg
 join-failover-group 2
!
prompt hostname context
Cryptochecksum:3a1aa0e8f63d97b73eb4993d0b9dbd84
: end
ciscoasa(config)#

CT01

ASA Version 8.0(2) <context>
!
hostname CT01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface e1
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0 standby 192.168.3.2
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.10 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:18c50ede4f3097576448a65490635092
: end

CT02

ASA Version 8.0(2) <context>
!
hostname CT02
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface e0
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
interface e1
 nameif outside
 security-level 0
 ip address 192.168.3.3 255.255.255.0 standby 192.168.3.4
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list ICMP extended permit icmp any any
pager lines 24
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.10 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2f29dfd9dd1d4977600dc068834c56fb
: end

GATEWAY

GATEWAY_1#sh run
Building configuration...
Current configuration : 846 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GATEWAY
!
interface FastEthernet0/0
 ip address 192.168.3.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.2.0 255.255.255.0 192.168.3.3
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.3.0 0.0.0.255
!

IV. Verification

On PC1

Traffic going out to the Internet is handled by CT01 on the Primary

ciscoasa/CT01(config)# sh conn
7 in use, 16 most used
ICMP out 69.89.22.108:0 in 192.168.1.10:1024 idle 0:00:00 bytes 64
ciscoasa/CT01(config)# sh xlate
1 in use, 19 most used
PAT Global 192.168.3.1(1026) Local 192.168.1.10(2513)

On PC2

Traffic going out to the Internet is handled by CT02 on the Secondary

ciscoasa/CT02(config)# sh conn
5 in use, 9 most used
ICMP out 69.89.22.108:0 in 192.168.2.10:1024 idle 0:00:01 bytes 32
ciscoasa/CT02(config)# sh xlate
3 in use, 4 most used
PAT Global 192.168.3.3(2) Local 192.168.2.10 ICMP id 1024
PAT Global 192.168.3.3(1024) Local 192.168.2.10(2551)
PAT Global 192.168.3.3(1025) Local 192.168.2.10(60190)
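
A check for the system configuration in section III, as an added example that is not part of the original lab: it parses the failover groups and context memberships and reports deviations from the intended Active/Active split (groups preferring different units, user contexts spread over both groups), plus missing preempt, failover link and failover key commands. The sample configuration and the function names parse and audit are constructed for this example.

```python
# Constructed sample: failover-relevant lines of the Primary system config in section III.
SYSTEM_CFG = """\
failover
failover group 1
 preempt
failover group 2
 secondary
admin-context admin
context admin
context CT01
 join-failover-group 1
context CT02
 join-failover-group 2
"""

def parse(cfg):
    groups, contexts, top, sect = {}, {}, [], ("", "")
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level command opens a section
            top.append(line)
            kind, _, name = line.rpartition(" ")
            sect = (kind, name)
            if kind == "failover group":
                groups[name] = set()           # sub-command keywords seen
            elif kind == "context":
                contexts[name] = "1"           # unassigned contexts default to group 1
        elif sect[0] == "failover group":
            groups[sect[1]].update(line.split()[:1])
        elif sect[0] == "context" and line.startswith("join-failover-group "):
            contexts[sect[1]] = line.split()[1]
    return groups, contexts, top

def audit(cfg):
    groups, contexts, top = parse(cfg)
    admin = next((t.split()[1] for t in top if t.startswith("admin-context ")), None)
    user = {c: g for c, g in contexts.items() if c != admin}
    out = [f"context {c} joins undefined group {g}" for c, g in user.items() if g not in groups]
    # A group prefers the primary unit unless it carries the 'secondary' keyword.
    if {"secondary" in kw for kw in groups.values()} != {True, False}:
        out.append("failover groups do not prefer different units")
    if len(set(user.values())) < 2:
        out.append("all user contexts share one failover group")
    out += [f"group {n} lacks preempt" for n, kw in groups.items() if "preempt" not in kw]
    for cmd, why in (("failover link ", "stateful failover unconfigured"),
                     ("failover key ", "failover link traffic is not protected by a key")):
        if not any(t.startswith(cmd) for t in top):
            out.append(why)
    return out
```

Run against the lab's Primary configuration, audit reports the missing preempt on group 2 and the absent failover link and failover key commands; a CT02 context joined to group 1 is reported as all user contexts sharing one failover group.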
