December 2020

[Original] ASA 9.1 single-context cluster test

This post was last edited by 碧云天 on 2020-2-13 10:23
I. Test topology
[Topology diagram: 102045ebyn03yydn3inf3b.png]
Notes:
1. An ASA image with clustering support for EVE-ng can be downloaded from: http://bbs.vlan5.com/thread-39623-1-1.html
2. A vIOS switch image that supports Port-channel (viosl2-adventerpriseK9-M_152_May_2018.qcow2) can be downloaded from: http://repo.eve-ng.cn:81/tool/
3. On the switch side, treat the clustered ASAs as one ASA: every Port-channel configured on the ASA must face a Port-channel on the switch. In spanned EtherChannel mode the links from all cluster units (here g0/x from ASA1 and g1/x from ASA2) are bundled into that same switch Port-channel, so each member port must carry exactly the same VLAN and switchport mode as the Port-channel or it will not bundle.
II. Basic configuration
1. Switch
(1) Create the VLANs and assign the access ports

vlan 10
name inside
vlan 11
name outside
vlan 12
name dmz
vlan 13
name mgmt
interface GigabitEthernet2/0
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/1
switchport access vlan 11
switchport mode access
interface GigabitEthernet2/2
switchport access vlan 12
switchport mode access
interface range g0/3,g1/3,g2/3
switchport access vlan 13
switchport mode access
(2) Create the Port-channels, put the member interfaces into them and set the same VLAN on the members as on the Port-channel
interface Port-channel1
description Inside
switchport access vlan 10
switchport mode access
interface Port-channel2
description Outside
switchport access vlan 11
switchport mode access
interface Port-channel3
description DMZ
switchport access vlan 12
switchport mode access
interface range g0/0,g1/0
switchport access vlan 10
switchport mode access
channel-group 1 mode active
interface range g0/1,g1/1
switchport access vlan 11
switchport mode access
channel-group 2 mode active
interface range g0/2,g1/2
switchport access vlan 12
switchport mode access
channel-group 3 mode active
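As an added example (not code from the original post), the following Python script applies note 3 above to the switch configuration: it parses IOS-style interface blocks, expands `interface range`, and reports any channel-group member whose VLAN or switchport mode differs from its Port-channel, or that uses static `mode on` against the ASA's LACP `mode active`. The first sample string is the switch config from this post; the second is a constructed variant with one member left in the wrong VLAN. Interface names are compared as written (no abbreviation expansion), which is an assumption of the example.

```python
"""Check that every EtherChannel member port on the switch carries the same
switchport settings as its Port-channel, so LACP can bundle it.  Added
example, not code from the original post.  Assumes IOS running-config text;
the first sample is the post's own switch config, the second a constructed
variant in which one member was left in the wrong VLAN."""
import re

POST_SWITCH_CONFIG = """
interface Port-channel1
 description Inside
 switchport access vlan 10
 switchport mode access
interface Port-channel2
 description Outside
 switchport access vlan 11
 switchport mode access
interface Port-channel3
 description DMZ
 switchport access vlan 12
 switchport mode access
interface range g0/0,g1/0
 switchport access vlan 10
 switchport mode access
 channel-group 1 mode active
interface range g0/1,g1/1
 switchport access vlan 11
 switchport mode access
 channel-group 2 mode active
interface range g0/2,g1/2
 switchport access vlan 12
 switchport mode access
 channel-group 3 mode active
interface range g0/3,g1/3,g2/3
 switchport access vlan 13
 switchport mode access
"""

# Constructed failure case: g1/1 (ASA2's outside link) left in VLAN 12.
BAD_SWITCH_CONFIG = POST_SWITCH_CONFIG.replace(
    "interface range g0/1,g1/1\n switchport access vlan 11",
    "interface g0/1\n switchport access vlan 11\n switchport mode access\n"
    " channel-group 2 mode active\ninterface g1/1\n switchport access vlan 12",
)

INTERFACE_RE = re.compile(r"^interface\s+(?:range\s+)?(.+)$")


def parse_switchports(config):
    """Return {interface_name: {vlan, mode, group, lacp}} from the config.
    'interface range a,b' is expanded so each member gets the same settings."""
    ports, current = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = [n.strip() for n in m.group(1).split(",")]
            for name in current:
                ports.setdefault(name, {})
            continue
        words = line.split()
        for name in current:
            if line.startswith("switchport access vlan "):
                ports[name]["vlan"] = words[-1]
            elif line.startswith("switchport mode "):
                ports[name]["mode"] = words[-1]
            elif line.startswith("channel-group "):
                ports[name]["group"] = words[1]
                ports[name]["lacp"] = words[-1]   # active / passive / on
    return ports


def check_port_channels(config):
    """List every member whose settings differ from its Port-channel.
    An empty list means LACP can bundle every member as configured."""
    ports = parse_switchports(config)
    problems = []
    for name, attrs in ports.items():
        group = attrs.get("group")
        if group is None:
            continue                      # plain access port, not a member
        po = ports.get(f"Port-channel{group}")
        if po is None:
            problems.append(f"{name}: channel-group {group} has no Port-channel{group} block")
            continue
        for key in ("vlan", "mode"):
            if attrs.get(key) != po.get(key):
                problems.append(
                    f"{name}: {key} {attrs.get(key)} != Port-channel{group} {key} {po.get(key)}")
        if attrs.get("lacp") == "on":
            problems.append(f"{name}: 'mode on' is static; the ASA side uses LACP active")
    return problems


if __name__ == "__main__":
    print("post config:", check_port_channels(POST_SWITCH_CONFIG))
    print("bad config: ", check_port_channels(BAD_SWITCH_CONFIG))
```

Run it before enabling the cluster: a member that fails this check shows up later as `(s)` suspended or `(I)` stand-alone in `show etherchannel summary` instead of the `(P)` seen in this post.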
2. Router R10
hostname R10
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.10
3. Router R11
hostname R11
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
line vty 0 4
password cisco
login
transport input all
(R11 is only the Telnet target for the connection test later on; a cleartext Telnet login with a shared line password is acceptable in this lab, not on a production device.)
4. Router R12
hostname R12
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.10
III. Configuring the firewall cluster
1. Cluster bootstrap on the primary (ASA1)
hostname ASA1
cluster interface-mode spanned
cluster group ccie
local-unit ASA1
cluster-interface Ethernet4 ip 100.1.1.1 255.255.255.0
priority 1
interface Ethernet4
no shutdown
2. Cluster bootstrap on the secondary (ASA2)
hostname ASA2
cluster interface-mode spanned
cluster group ccie
local-unit ASA2
cluster-interface Ethernet4 ip 100.1.1.2 255.255.255.0
priority 2
interface Ethernet4
no shutdown
(The lower priority value wins the master election, so ASA1 becomes master. Ethernet4 is the cluster control link (CCL); it carries configuration replication and traffic forwarded between units, so 100.1.1.0/24 should stay on a dedicated, isolated link and never be reachable from the data interfaces.)
3. Verify the cluster control link
ASA1# ping 100.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#
4. Enable the cluster on the primary (note that enabling it removes the inspections that clustering does not support, so check the list before answering yes)
cluster group ccie
enable
ASA1(config-if)# cluster group ccie
ASA1(cfg-cluster)# enable
INFO: Clustering is not compatible with following commands:
policy-map global_policy
class inspection_default
inspect h323 h225
policy-map global_policy
class inspection_default
inspect h323 ras
policy-map global_policy
class inspection_default
inspect rtsp
policy-map global_policy
class inspection_default
inspect skinny
policy-map global_policy
class inspection_default
inspect sip
Would you like to remove these commands? [y]es/[n]o: Y
INFO: Removing incompatible commands from running configuration...
Cryptochecksum (changed): 4db7408e 08055134 c8166dd0 0df996e9
INFO: Done
ASA1(cfg-cluster)#
ASA1# show r
WARNING: dynamic routing is not supported on management interface when cluster interface-mode is 'spanned'. If dynamic routing is configured on any management interface, please remove it.
Cluster unit ASA1 transitioned from DISABLED to MASTER
5. Enable the cluster on the secondary
(Only after the primary has transitioned to MASTER; then join the secondary as a slave.)
cluster group ccie
enable as-slave
6. Confirm that the two units have synchronised
The messages below show that configuration replication from the master has completed. The secondary's hostname has been overwritten as well, because hostname is part of the replicated configuration; from here on ASA2's prompt also reads ASA1#.
Cryptochecksum (changed): 3e9aac34 ec41ad88 2706eab0 87928c1d
End configuration replication from Master.
Cluster unit ASA2 transitioned from DISABLED to SLAVE
ASA1(cfg-cluster)#
7. Configure the interfaces on the primary (the configuration replicates to the secondary)
(1) Configure the spanned Port-channels. A fixed mac-address is set on each spanned Port-channel so the address does not change when the master role moves to another unit.

interface Port-channel1
port-channel span-cluster
mac-address 0010.0010.0010
interface Ethernet0
channel-group 1 mode active
no shutdown
interface Port-channel2
port-channel span-cluster
mac-address 0011.0011.0011
interface Ethernet1
channel-group 2 mode active
no shutdown
interface Port-channel3
port-channel span-cluster
mac-address 0013.0013.0013
interface Ethernet2
channel-group 3 mode active
no shutdown
(2) nameif, security-level and IP address go only on the Port-channel, never on the member interfaces. The management interface is the exception: it is not spanned, each unit takes its own address from mgmt-pool, and the main address 10.1.1.1 always belongs to the current master.
interface Port-channel1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0
interface Port-channel2
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0
interface Port-channel3
nameif dmz
security-level 50
ip address 172.16.1.10 255.255.255.0
ip local pool mgmt-pool 10.1.1.2-10.1.1.3
interface Ethernet3
management-only
nameif mgmt
security-level 100
ip address 10.1.1.1 255.0.0.0 cluster-pool mgmt-pool
no shutdown
IV. Verifying the cluster
1. Cluster state on the primary

ASA1# show cluster info
Cluster ccie: On
Interface mode: spanned
This is "ASA1" in state MASTER
ID : 0
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 100.1.1.1
CCL MAC : 5000.0008.0004
Last join : 07:34:08 UTC Jan 19 2020
Last leave: N/A
Other members in the cluster:
Unit "ASA2" in state SLAVE
ID : 1
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 100.1.1.2
CCL MAC : 5000.0009.0004
Last join : 07:34:15 UTC Jan 19 2020
Last leave: N/A
2. Cluster state on the secondary (the prompt reads ASA1# because the hostname was replicated)
ASA1# show cluster info
Cluster ccie: On
Interface mode: spanned
This is "ASA2" in state SLAVE
ID : 1
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 100.1.1.2
CCL MAC : 5000.0009.0004
Last join : 07:35:12 UTC Jan 19 2020
Last leave: N/A
Other members in the cluster:
Unit "ASA1" in state MASTER
ID : 0
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 100.1.1.1
CCL MAC : 5000.0008.0004
Last join : 07:34:08 UTC Jan 19 2020
Last leave: N/A
ASA1#
3. EtherChannel status on the switch: each Po bundles one link from ASA1 (g0/x) and one from ASA2 (g1/x)
Switch#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator
M - not in use, minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
A - formed by Auto LAG
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Gi0/0(P) Gi1/0(P)
2 Po2(SU) LACP Gi0/1(P) Gi1/1(P)
3 Po3(SU) LACP Gi0/2(P) Gi1/2(P)
Switch#
4. Port-channel status on the primary
ASA1# show port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 3
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP Yes Et0(P)
2 Po2(U) LACP Yes Et1(P)
3 Po3(U) LACP Yes Et2(P)
ASA1#
5. Port-channel status on the secondary
ASA1# show port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 3
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP Yes Et0(P)
2 Po2(U) LACP Yes Et1(P)
3 Po3(U) LACP Yes Et2(P)
ASA1#
6. Telnet from R10 to R11 through the cluster
R10#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
User Access Verification
Password:
R11>show user
R11>show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:55
* 2 vty 0 idle 00:00:00 192.168.1.1
Interface User Mode Idle Peer Address
R11>
7. The primary holds the connection as its owner (flags UIO, 444 bytes)
ASA1# show conn
10 in use, 10 most used
Cluster stub connections: 0 in use, 0 most used
TCP outside 202.100.1.1:23 inside 192.168.1.1:36047, idle 0:00:54, bytes 444, flags UIO
ASA1# show cluster conn
Usage Summary In Cluster:*********************************************
19 in use, stub connection 1 in use (cluster-wide aggregated)
ASA1(LOCAL):**********************************************************
10 in use, 10 most used, stub connection 0 in used, 0 most used
ASA2:*****************************************************************
9 in use, 9 most used, stub connection 1 in used, 1 most used
ASA1#
8. The secondary also has the connection, but only as a director stub (flags Y, bytes 0), which is what "Cluster stub connections: 1 in use" counts
ASA1# show conn
9 in use, 9 most used
Cluster stub connections: 1 in use, 1 most used
TCP outside 202.100.1.1:23 inside 192.168.1.1:36047, idle 0:01:05, bytes 0, flags Y
ASA1# show cluster conn
Usage Summary In Cluster:*********************************************
19 in use, stub connection 1 in use (cluster-wide aggregated)
ASA2(LOCAL):**********************************************************
9 in use, 9 most used, stub connection 1 in used, 1 most used
ASA1:*****************************************************************
10 in use, 10 most used, stub connection 0 in used, 0 most used
ASA1#
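As an added example (not from the original post), the Python below turns the verification in this section into an automated audit: it parses `show cluster info` (exactly one MASTER, every unit in a steady state, matching versions, unique unit IDs and CCL addresses, plus a warning for duplicated serial numbers, which the two virtual units here share) and combines the `show conn` lines captured on each unit to confirm that every connection has exactly one owner and that the other copy is a cluster stub. The sample strings are this post's own outputs re-typed as constants; the stub-flag meanings (Y director, y backup, z forwarder) follow the ASA `show conn` flag legend. It assumes unit names are unique and that `show conn` was captured on every unit.

```python
"""Audit an ASA cluster from its CLI output: one master, consistent software,
unique cluster-control-link addresses, and exactly one owner per connection.
Added example, not code from the original post.  The sample strings are the
post's own 'show cluster info' and 'show conn' output, re-typed as constants."""
import re
from collections import Counter

SHOW_CLUSTER_INFO = """Cluster ccie: On
Interface mode: spanned
This is "ASA1" in state MASTER
    ID        : 0
    Version   : 9.1(5)16
    Serial No.: JMX1203L0NN
    CCL IP    : 100.1.1.1
    CCL MAC   : 5000.0008.0004
Other members in the cluster:
    Unit "ASA2" in state SLAVE
        ID        : 1
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.2
        CCL MAC   : 5000.0009.0004
"""
# 'show conn' lines from each unit, keyed by the unit that produced them.
SHOW_CONN = {
    "ASA1": "TCP outside 202.100.1.1:23 inside 192.168.1.1:36047, idle 0:00:54, bytes 444, flags UIO",
    "ASA2": "TCP outside 202.100.1.1:23 inside 192.168.1.1:36047, idle 0:01:05, bytes 0, flags Y",
}
# Cluster-related flags from the ASA 'show conn' legend.
STUB_FLAGS = {"Y": "director stub", "y": "backup stub", "z": "forwarder stub"}
UNIT_RE = re.compile(r'(?:This is|Unit) "([^"]+)" in state (\w+)')
FIELD_RE = re.compile(r"\s*(ID|Version|Serial No\.|CCL IP|CCL MAC)\s*:\s*(\S+)")
CONN_RE = re.compile(r"^(TCP|UDP) (\S+) (\S+) (\S+) (\S+), .*bytes (\d+), flags (\S*)$")


def parse_cluster_info(text):
    """Return one dict per unit, in the order the output lists them."""
    units = []
    for line in text.splitlines():
        m = UNIT_RE.search(line)
        if m:
            units.append({"name": m.group(1), "state": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if m and units:
            units[-1][m.group(1)] = m.group(2)
    return units


def audit_cluster(units, expected=2):
    """Return (errors, warnings).  Errors mean the cluster is not healthy;
    warnings are worth a look (shared serials are normal for lab images)."""
    errors, warnings = [], []
    masters = [u["name"] for u in units if u["state"] == "MASTER"]
    if len(masters) != 1:
        errors.append(f"expected one MASTER, found {masters}")
    if len(units) != expected:
        errors.append(f"expected {expected} units, found {len(units)}")
    for u in units:
        if u["state"] not in ("MASTER", "SLAVE"):
            errors.append(f"{u['name']} in transitional state {u['state']}")
    if len({u["Version"] for u in units}) > 1:
        errors.append("units run different software versions")
    for key in ("ID", "CCL IP", "CCL MAC"):
        for value, n in Counter(u[key] for u in units).items():
            if n > 1:
                errors.append(f"{key} {value} used by {n} units")
    for value, n in Counter(u["Serial No."] for u in units).items():
        if n > 1:
            warnings.append(f"serial {value} shared by {n} units")
    return errors, warnings


def conn_roles(show_conn_by_unit):
    """Map each connection 5-tuple to {unit: role}.  A unit whose entry has
    no stub flag holds the full (owner) flow; Y/y/z mark the stub copies."""
    roles = {}
    for unit, text in show_conn_by_unit.items():
        for line in text.splitlines():
            m = CONN_RE.match(line.strip())
            if not m:
                continue
            key = " ".join(m.group(i) for i in range(1, 6))
            stubs = [STUB_FLAGS[f] for f in m.group(7) if f in STUB_FLAGS]
            roles.setdefault(key, {})[unit] = stubs[0] if stubs else "owner"
    return roles


def audit_conn_roles(roles):
    """Each connection must have exactly one owner unit."""
    findings = []
    for key, by_unit in roles.items():
        owners = sum(role == "owner" for role in by_unit.values())
        if owners != 1:
            findings.append(f"{key}: {owners} owners in {by_unit}")
    return findings


if __name__ == "__main__":
    print(audit_cluster(parse_cluster_info(SHOW_CLUSTER_INFO)))
    roles = conn_roles(SHOW_CONN)
    print(roles, audit_conn_roles(roles))
```

Feeding the same parser output captured after a CCL failure is the useful case: two units both reporting MASTER, or a connection with no owner, is the split-brain or lost-flow condition the `show cluster info` screenshots alone do not make obvious.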
Comments
tht1013
Beginner

ASA clustering is actually quite stable and does not waste bandwidth; unfortunately, after the ASA series went EOS, the low-end Firepower models no longer support clustering.
