[Original] ASA 9.1 single-mode cluster test

Posted 2020-2-13 10:17:48
This post was last edited by 碧云天 on 2020-2-13 10:23

I. Test topology

Notes:
1. An ASA image for EVE-ng that supports clustering can be downloaded from this link: http://bbs.vlan5.com/thread-39623-1-1.html
2. A vIOS switch image that supports Port-channel, viosl2-adventerpriseK9-M_152_May_2018.qcow2, can be downloaded from this link: http://repo.eve-ng.cn:81/tool/
3. For the switch-side Port-channel bundling, treat the clustered ASAs as a single ASA: the switch interfaces that face the Port-channel configured on the ASA must themselves be configured as a Port-channel.

II. Basic configuration
1. Switch
① Create the VLANs and assign interfaces to them

vlan 10
    name inside
vlan 11
    name outside
vlan 12
    name dmz
vlan 13
    name mgmt
interface GigabitEthernet2/0
    switchport access vlan 10
    switchport mode access
interface GigabitEthernet2/1
    switchport access vlan 11
    switchport mode access
interface GigabitEthernet2/2
    switchport access vlan 12
    switchport mode access
interface range g0/3,g1/3,g2/3
    switchport access vlan 13
    switchport mode access
② Create the Port-channels, assign the member interfaces to them and set the VLAN
interface Port-channel1
    description Inside
    switchport access vlan 10
    switchport mode access
interface Port-channel2
    description Outside
    switchport access vlan 11
    switchport mode access
interface Port-channel3
    description DMZ
    switchport access vlan 12
    switchport mode access
interface range g0/0,g1/0
    switchport access vlan 10
    switchport mode access
    channel-group 1 mode active
interface range g0/1,g1/1
    switchport access vlan 11
    switchport mode access
    channel-group 2 mode active
interface range g0/2,g1/2
    switchport access vlan 12
    switchport mode access
    channel-group 3 mode active
2. Router R10
hostname R10
interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.10
3. Router R11
hostname R11
interface FastEthernet0/0
    ip address 202.100.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
line vty 0 4
    password cisco
    login
    transport input all
4. Router R12
hostname R12
interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.10
III. Configure the firewall cluster
1. Configure the cluster on the primary firewall
hostname ASA1
cluster interface-mode spanned
cluster group ccie
    local-unit ASA1
    cluster-interface Ethernet4 ip 100.1.1.1 255.255.255.0
    priority 1
interface Ethernet4
    no shutdown
2. Configure the cluster on the standby firewall
hostname ASA2
cluster interface-mode spanned
cluster group ccie
    local-unit ASA2
    cluster-interface Ethernet4 ip 100.1.1.2 255.255.255.0
    priority 2
interface Ethernet4
    no shutdown
3. Verify the cluster link
ASA1# ping 100.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#

4. Enable the cluster on the primary firewall
cluster group ccie
    enable

ASA1(config-if)# cluster group ccie
ASA1(cfg-cluster)# enable
INFO: Clustering is not compatible with following commands:
policy-map global_policy
class inspection_default
  inspect h323 h225
policy-map global_policy
class inspection_default
  inspect h323 ras
policy-map global_policy
class inspection_default
  inspect rtsp
policy-map global_policy
class inspection_default
  inspect skinny  
policy-map global_policy
class inspection_default
  inspect sip  

Would you like to remove these commands? [Y]es/[N]o:Y
INFO: Removing incompatible commands from running configuration...

Cryptochecksum (changed): 4db7408e 08055134 c8166dd0 0df996e9
INFO: Done
ASA1(cfg-cluster)#
ASA1# show r              
WARNING: dynamic routing is not supported on management interface when cluster interface-mode is 'spanned'.  If dynamic routing is configured on any management interface, please remove it.

Cluster unit ASA1 transitioned from DISABLED to MASTER
5. Enable the cluster on the standby firewall
-- Only after the primary firewall has become master, enable the cluster on the standby firewall
cluster group ccie
   enable as-slave
6. Confirm that the primary and standby firewalls have synchronized
--- The log messages make it easy to see that the primary and standby have synchronized; the standby's hostname has also been changed
Cryptochecksum (changed): 3e9aac34 ec41ad88 2706eab0 87928c1d
End configuration replication from Master.

Cluster unit ASA2 transitioned from DISABLED to SLAVE

ASA1(cfg-cluster)#

7. Configure the interfaces on the primary firewall
① Configure the Port-channels

interface Port-channel1
    port-channel span-cluster
    mac-address 0010.0010.0010
interface Ethernet0
    channel-group 1 mode active
    no shutdown
interface Port-channel2
    port-channel span-cluster
    mac-address 0011.0011.0011
interface Ethernet1
    channel-group 2 mode active
    no shutdown
interface Port-channel3
    port-channel span-cluster
    mac-address 0013.0013.0013
interface Ethernet2
    channel-group 3 mode active
    no shutdown
② Interface settings can only be configured on the Port-channel interfaces
interface Port-channel1
    nameif inside
    security-level 100
    ip address 192.168.1.10 255.255.255.0
interface Port-channel2
    nameif outside
    security-level 0
    ip address 202.100.1.10 255.255.255.0
interface Port-channel3
    nameif dmz
    security-level 50
    ip address 172.16.1.10 255.255.255.0
ip local pool mgmt-pool 10.1.1.2-10.1.1.3
interface Ethernet3
    management-only
    nameif mgmt
    security-level 100
    ip address 10.1.1.1 255.0.0.0 cluster-pool mgmt-pool
    no shutdown
IV. Verify the cluster
1. Cluster status on the primary firewall

ASA1# show cluster info
Cluster ccie: On
    Interface mode: spanned
    This is "ASA1" in state MASTER
        ID        : 0
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.1
        CCL MAC   : 5000.0008.0004
        Last join : 07:34:08 UTC Jan 19 2020
        Last leave: N/A
Other members in the cluster:
    Unit "ASA2" in state SLAVE
        ID        : 1
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.2
        CCL MAC   : 5000.0009.0004
        Last join : 07:34:15 UTC Jan 19 2020
        Last leave: N/A
2. Cluster status on the standby firewall
ASA1# show cluster info
Cluster ccie: On
    Interface mode: spanned
    This is "ASA2" in state SLAVE
        ID        : 1
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.2
        CCL MAC   : 5000.0009.0004
        Last join : 07:35:12 UTC Jan 19 2020
        Last leave: N/A
Other members in the cluster:
    Unit "ASA1" in state MASTER
        ID        : 0
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.1
        CCL MAC   : 5000.0008.0004
        Last join : 07:34:08 UTC Jan 19 2020
        Last leave: N/A
ASA1#
3. Check the EtherChannel status on the switch
Switch#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

        A - formed by Auto LAG


Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/0(P)    Gi1/0(P)   
2      Po2(SU)         LACP      Gi0/1(P)    Gi1/1(P)   
3      Po3(SU)         LACP      Gi0/2(P)    Gi1/2(P)   

Switch#
4. Check the Port-channel status on the primary firewall
ASA1# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 3
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)            LACP          Yes    Et0(P)   
2      Po2(U)            LACP          Yes    Et1(P)   
3      Po3(U)            LACP          Yes    Et2(P)   
ASA1#
5. Check the Port-channel status on the standby firewall
ASA1# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 3
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)            LACP          Yes    Et0(P)   
2      Po2(U)            LACP          Yes    Et1(P)   
3      Po3(U)            LACP          Yes    Et2(P)   
ASA1#
6. Telnet from R10 to R11
R10#telnet 202.100.1.1
Trying 202.100.1.1 ... Open

User Access Verification

Password:
R11>show user
R11>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:55   
*  2 vty 0                idle                 00:00:00 192.168.1.1

  Interface    User               Mode         Idle     Peer Address

R11>
7. The primary firewall has the connection entry
ASA1# show conn
10 in use, 10 most used
Cluster stub connections: 0 in use, 0 most used
TCP outside  202.100.1.1:23 inside  192.168.1.1:36047, idle 0:00:54, bytes 444, flags UIO
ASA1# show cluster conn
Usage Summary In Cluster:*********************************************
19 in use, stub connection 1 in use (cluster-wide aggregated)

ASA1(LOCAL):**********************************************************
10 in use, 10 most used, stub connection 0 in used, 0 most used

ASA2:*****************************************************************
9 in use, 9 most used, stub connection 1 in used, 1 most used

ASA1#

8. The standby firewall also has the connection entry
ASA1# show conn
9 in use, 9 most used
Cluster stub connections: 1 in use, 1 most used
TCP outside  202.100.1.1:23 inside  192.168.1.1:36047, idle 0:01:05, bytes 0, flags  Y
ASA1# show cluster conn
Usage Summary In Cluster:*********************************************
19 in use, stub connection 1 in use (cluster-wide aggregated)

ASA2(LOCAL):**********************************************************
9 in use, 9 most used, stub connection 1 in used, 1 most used

ASA1:*****************************************************************
10 in use, 10 most used, stub connection 0 in used, 0 most used

ASA1#

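The `show cluster info` output in section IV is what an operator would poll to confirm that the cluster stays healthy after the lab is built. The following is an added example (not code from the original post or from Cisco): a parser for that output format plus a health check that flags a missing or duplicated MASTER, a unit that has left the cluster, a version mismatch, and duplicate serial numbers (as seen here because both lab units are cloned VMs). The sample text is a trimmed copy of the post's own output; `expected_units` is an assumed parameter.

```python
import re

# Constructed sample: a trimmed copy of the `show cluster info` output in the post.
SAMPLE = """\
Cluster ccie: On
    This is "ASA1" in state MASTER
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.1
Other members in the cluster:
    Unit "ASA2" in state SLAVE
        Version   : 9.1(5)16
        Serial No.: JMX1203L0NN
        CCL IP    : 100.1.1.2
"""
HEAD_RE = re.compile(r'^Cluster (\S+): (On|Off)')
UNIT_RE = re.compile(r'^\s*(?:This is|Unit) "([^"]+)" in state (\S+)')
ATTR_RE = re.compile(r'^\s+([A-Za-z ]+?)\s*\.?\s*:\s*(.*?)\s*$')  # "Key : value"


def parse_cluster_info(text):
    """Turn `show cluster info` text into {'cluster', 'enabled', 'units': [...]}."""
    info = {"cluster": None, "enabled": False, "units": []}
    unit = None  # the unit whose attribute lines are currently being read
    for line in text.splitlines():
        if m := HEAD_RE.match(line):
            info["cluster"], info["enabled"] = m.group(1), m.group(2) == "On"
        elif m := UNIT_RE.match(line):
            unit = {"name": m.group(1), "state": m.group(2)}
            info["units"].append(unit)
        elif unit is not None and (m := ATTR_RE.match(line)):
            unit[m.group(1).strip()] = m.group(2)
    return info


def check_cluster_health(info, expected_units):
    """Return findings for the operator; an empty list means the cluster looks sane."""
    units, findings = info["units"], []
    if not info["enabled"]:
        findings.append("clustering is off")
    masters = [u["name"] for u in units if u["state"] == "MASTER"]
    if len(masters) != 1:
        findings.append(f"expected exactly one MASTER, found {masters}")
    if len(units) != expected_units:
        findings.append(f"expected {expected_units} units, found {len(units)}")
    if len({u.get("Version") for u in units}) > 1:
        findings.append("software version mismatch between units")
    serials = [u.get("Serial No") for u in units]
    if len(set(serials)) != len(serials):
        findings.append("duplicate serial numbers (normal for cloned lab VMs, not hardware)")
    return findings
```

Run against the lab output above, the only finding is the duplicate serial number; on hardware that finding would point at a misreported or cloned unit.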
Posted 2020-2-16 11:18:29
Thanks to the OP for sharing