等待中的Cisco故障转移接口
下面的场景是,我从ISP获得1G铜Cat6电缆,并在我的Gi0/8接口上的Cisco防火墙上直接终止,并且我已经配置了failover现在的故障转移输出它正在监视状态(waiting),因为它们来自ISP的不同路由器,如何解决这个问题而不引入ISP和我的ASA之间的L2交换机?
我不能从ASA-2公共IP的外部接口从ASA-1,我确定,因为我看到状态等待,但还有其他工作吗?我在ASA上有很多免费的1G接口,我能创建特殊的VLAN和路由之间的流量吗?
asa-1/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FailoverLink Redundant1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(3)1, Mate 9.6(3)1
Serial Number: Ours AAAAAA, Mate BBBBBB
Last Failover at: 00:41:50 UTC Mar 9 2018
This host: Secondary - Active
Active time: 504599 (sec)
slot 0: ASA5585-SSP-20 hw/sw rev (2.0/9.6(3)1) status (Up Sys)
Interface management (10.x.x.118): Normal (Monitored)
Interface outside (74.xx.xx.110): Normal (Waiting)
Interface inside (74.xx.xx.10): Normal (Monitored)
slot 1: empty
Other host: Primary - Failed
Active time: 12 (sec)
slot 0: ASA5585-SSP-20 hw/sw rev (1.3/9.6(3)1) status (Up Sys)
Interface management (10.x.x.119): Normal (Monitored)
Interface outside (74.xx.xx.109): Failed (Waiting)
Interface inside (74.xx.xx.11): Normal (Monitored)
slot 1: emptyASA-2
asa-2/pri/stby# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FailoverLink Redundant1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(3)1, Mate 9.6(3)1
Serial Number: Ours BBBBBB, Mate AAAAA
Last Failover at: 00:42:40 UTC Mar 9 2018
This host: Primary - Standby Ready
Active time: 12 (sec)
slot 0: ASA5585-SSP-20 hw/sw rev (1.3/9.6(3)1) status (Up Sys)
Interface management (10.x.x.119): Normal (Monitored)
Interface outside (74.xx.xx.109): Normal (Waiting)
Interface inside (74.xx.xx.11): Normal (Monitored)
slot 1: empty
Other host: Secondary - Active
Active time: 506081 (sec)
slot 0: ASA5585-SSP-20 hw/sw rev (2.0/9.6(3)1) status (Up Sys)
Interface management (10.x.x.118): Normal (Monitored)
Interface outside (74.xx.xx.110): Normal (Waiting)
Interface inside (74.xx.xx.10): Normal (Monitored)
slot 1: empty接口配置:
首先我配置了故障转移,然后运行这个命令--在本例中,它将在备用ASA-2上设置.109 ip,对吗?
!
interface GigabitEthernet0/0
description 1G_HANDOFF
nameif outside
security-level 0
ip address 74.xx.xx.110 255.255.255.248 standby 74.xx.xx.109
!故障转移配置:
asa-1/sec/act# sh run failover
failover
failover lan unit primary
failover lan interface FailoverLink Redundant1
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover link FailoverLink Redundant1
failover interface ip FailoverLink 192.168.100.1 255.255.255.0 standby 192.168.100.2回答 2
Network Engineering用户
发布于 2018-03-15 08:53:51
要解决这个问题,至少需要在两者之间设置一个L2开关。
如果您想运行两个ISP,您可以使用另一个主/物理接口并在该L2交换机上终止它,然后在L2交换机上使用不同VLAN的ISP之间分离L2通信量(连接到防火墙的L2交换机上的端口是访问端口)。
另一种运行双is的方法是在主接口G0/0下创建两个子接口。连接到防火墙的L2交换机上的端口现在是主干端口(使用VLAN将两个ISP之间的L2通信分开)。
Network Engineering用户
发布于 2018-03-14 20:42:04
您没有在故障转移配置中使用ASA,所以不应该这样配置它们。使用以下命令
no failover如果您的目标是拥有一个主链路和一个备份链接,oyu可以使用来自ISP的BGP路由注入默认路由,也可以配置IP SLA并以这种方式注入路由。
https://networkengineering.stackexchange.com/questions/49114
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号