PIX failover 实验过程详解

一、实验设备

1、PIX515E-UR两台，软件版本：6.3

2、交换机两台

二、拓扑图

三、配置

部分配置省略：

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outs security0

nameif ethernet1 inside security100

ip address outs 192.168.18.201 255.255.255.0

ip address inside 1.1.1.1 255.255.255.0

failover

failover ip address outs 192.168.18.202

failover ip address inside 1.1.1.2

failover link inside

global (outs) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outs 0.0.0.0 0.0.0.0 192.168.18.1 1

telnet 0.0.0.0 0.0.0.0 inside

sho failover信息：在secondary PIX

开始时是primary PIX为active状态，secondary PIX 为standby状态。

pixfirewall# sho fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

Last Failover at: 00:49:39 UTC Fri Jan 1 1993

This host: Secondary - Standby

Active time: 0 (sec)

Interface outs (192.168.18.202): Normal

Interface inside (1.1.1.2): Normal

Other host: Primary - Active

Active time: 1845 (sec)

Interface outs (192.168.18.201): Normal

Interface inside (1.1.1.1): Normal

Stateful Failover Logical Update Statistics

Link : inside

Stateful Obj xmit xerr rcv rerr

General 117 0 137 0

sys cmd 117 0 117 0

up time 0 0 0 0

xlate 0 0 4 0

tcp conn 0 0 16 0

udp conn 0 0 0 0

ARP tbl 0 0 0 0

RIP Tbl 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 1 133

Xmit Q: 0 1 117

经过15秒多状态切换过来！

是primary PIX为standby状态，secondary PIX 为active状态。

pixfirewall# sho fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

Last Failover at: 01:32:20 UTC Fri Jan 1 1993

This host: Secondary - Active

Active time: 15 (sec)

Interface outs (192.168.18.201): Normal (Waiting)

Interface inside (1.1.1.1): Normal (Waiting)

Other host: Primary - Standby

Active time: 2580 (sec)

Interface outs (192.168.18.202): Normal

Interface inside (1.1.1.2): Link Down (Waiting)

Stateful Failover Logical Update Statistics

Link : inside

Stateful Obj xmit xerr rcv rerr

General 212 0 230 0

sys cmd 212 0 210 0

up time 0 0 0 0

xlate 0 0 4 0

tcp conn 0 0 16 0

udp conn 0 0 0 0

ARP tbl 0 0 0 0

RIP Tbl 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 1 226

Xmit Q: 0 1 212

注：1、在应用层IE浏览器几乎察觉不到切换。

2、实验参考：Cisco PIX Firewall and VPN Configuration Guide, Version 6.3中的Using PIX Firewall Failover部分。