2台6506-FWSM双active配置

两台catalyst6506的FWSM模块采用Active/Active模式，catalyst6506的所有端口全部应用于FWSM防火墙模块上，将不配置catalyst6506的MSFC。基本配置：VLAN接口安全级别用途3001100contextAinside接口3002100contextBinside接口20010contextAoutside接口20020contextBoutside接口11FAILOVER接口12STATEFULFAILOVER接口设备名称VLAN接口端口号IP地址Catalyst6506-13001G2/1-G2/23002无2001G2/3-G2/42002无11TrunkG2/5-G2/612设备名称VLAN接口端口号IP地址Catalyst6506-23001无3002G2/1-G2/22001无2002G2/3-G2/411TrunkG2/5-G2/612Catalyst6506-1配置：创建VLAN30013002200120021112只需要创建二层VLAN，不需要创建VLAN的SVI接口（如果不通过MSFC与防火墙接口路由的话）默认FWSM只允许与1个MSFC的SVI接口通信。vlan11namefailover_link!vlan12namestateful_link!vlan2001nameoutside_1-7609_1!vlan2002nameoutside_2-7609_2!vlan3001namefirewall_context_A!vlan3002namefirewall_context_B配置防火墙接口vlan-group组，并将vlan-group组对应的vlan加入到FWSMmodule中firewallmodule2vlan-group10firewallvlan-group1011,12,2001,2002,3001,3002firewallautostate-----------配置6506引擎与防火墙模块vlan状态自已同步，否则如果monitor的是outside接口，当outside接口down后，FWSM会侦听45秒左右再进行切换。配置port-channel并将接口划入VLAN、配置trunkinterfacePort-channel1descriptionCenter_7609_1switchportswitchportaccessvlan3001switchportmodeaccessnoipaddress!interfacePort-channel2descriptionInternet_7609_1switchportswitchportaccessvlan2001noipaddress!interfacePort-channel3descriptionTo_6506_2switchportswitchporttrunkencapsulationdot1qswitchportmodetrunknoipaddress!interfaceGigabitEthernet1/1switchportswitchportaccessvlan3001switchportmodeaccessnoipaddress!interfaceGigabitEthernet1/2switchportswitchportaccessvlan3001switchportmodeaccessnoipaddress!interfaceGigabitEthernet1/3switchportswitchportaccessvlan2001switchportmodeaccessnoipaddress!interfaceGigabitEthernet1/4switchportswitchportaccessvlan2001switchportmodeaccessnoipaddress!interfaceGigabitEthernet5/1switchportswitchporttrunkencapsulationdot1qswitchportmodetrunknoipaddresschannel-group3modeon!interfaceGigabitEthernet5/2switchportswitchporttrunkencapsulationdot1qswitchportmodetrunknoipaddresschannel-group3modeon6506FW-1防火墙配置：FWSMVersion3.2(2)system!resourceacl-partition12hostname6506FWenablepasswordQxFZMUs9g/z6.Ue0encrypted!创建VLAN接口并描述interfaceVlan11descriptionLANFailoverInterface!interfaceVlan12descriptionSTATEFailoverInterface!interfaceVlan2001!interfaceVlan2002!interfaceVlan3001!interfaceVlan3002!创建登陆密码、enablepasswordpasswdQxFZMUs9g/z6.Ue0encryptedenablepassword配置FW-1为lanunit的Active设备failoverlanunitprimary指定lan的failoverlink接口vlanfailoverlaninterfacefaillinkVlan11指定lan的statefullink接口vlanfailoverlinkstatelinkVlan12配置lan的failoverlink接口vlanIP地址failoverinterfaceipfaillink10.0.11.1255.255.255.0standby10.0.11.2配置lan的statefullink接口vlanIP地址failoverinterfaceipstatelink10.0.12.1255.255.255.0standby10.0.12.2failover-----------最后启动failover创建2个failovergroup分别为group1和group2failovergroup1primary-------设置为主group（缺省）preempt----设置抢占replicationhttp-------要求HTTPsession与standbyFWSM的group1自动复制failovergroup2secondary-----------设备辅助grouppreempt-------设备抢占replicationhttp-------要求HTTPsession与standbyFWSM的group2自动复制创建两个context分别为contextA和contextBadmin-contextcontextA-----------将contextA配置为admin-contextcontextcontextA----------创建contextAdescriptionadmin_context-------------描述allocate-interfaceVlan2001-----------将vlan2001划入contextAallocate-interfaceVlan3001---------------将vlan3001划入contextAconfig-urldisk:/admin.cfg-----------设置配置的存储路径，初始配置时此路由不存在，会提示将此路由设置为缺省路由join-failover-group1---------------将contextA加入group1中!contextadminconfig-urldisk:/admin.cfg!contextcontextB------------创建contextBdescriptioncontext_B-------------描述allocate-interfaceVlan2002-----------将vlan2021划入contextAallocate-interfaceVlan3002------------将vlan3002划入contextAconfig-urldisk:/contextB.cfg-----------设置配置的存储路径join-failover-group2--------------将contextB加入group2中以上配置完成后通过changetocontextcontextA和contextB命令分别进入contextA/B在contextA通过6506FW/contextA#changetosys回到contextA6506FW/contextA#shrun:Saved:FWSMVersion3.2(2)context!hostname6506fw-1enablepasswordQxFZMUs9g/z6.Ue0encryptednames!创建contextA的本地接口interfaceVlan2001descriptionto_internet_7609_1---------描述nameifoutside-----------配置此接口为outside接口，配置完成后security-level自动配置为0security-level0noipaddress!interfaceVlan3001nameifinside----------配置此接口为inside接口，配置完成后security-level自动配置为100security-level100ipaddress192.168.31.3255.255.255.0standby192.168.31.4配置IP地址!passwdQxFZMUs9g/z6.Ue0encryptedsame-security-trafficpermitinter-interface--------允许相同安全级别之间的vlan接口之间通信monitor-interfaceoutside-----------trackoutside接口进行主备切换icmppermitanyinside-----配置本接口可以响应ICMP数据包6506FW#changetocontextcontext--------------进入contextB6506FW/contextB#shrun:Saved:FWSMVersion3.2(2)context!hostnamecontextBenablepasswordQxFZMUs9g/z6.Ue0encryptednames!interfaceVlan2002descriptionto_internet_7609_2nameifoutsidesecurity-level0noipaddress!interfaceVlan3002nameifinsidesecurity-level100ipaddress192.168.32.3255.255.255.0standby192.168.32.4!passwdQxFZMUs9g/z6.Ue0encryptedsame-security-trafficpermitinter-interfacepagerlines24mtuoutside1500mtuinside1500monitor-interfaceoutsidemonitor-interfaceinsideicmppermitanyinsidetelnet0.0.0.00.0.0.0inside6506-2配置创建VLAN30013002200120021112vlan11namefailover_link!vlan12namestateful_link!vlan