New Member

Problem with ASA transparent firewall with active/standby failover and STP Loop Guard

Good morning, colleagues!

I have the following topology (see the attachment).

Config from asf-1:

ASA Version 9.1(5)
!
firewall transparent
hostname asf-1

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description Po1-inside
 channel-group 1 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/1
 description Po1-inside
 channel-group 1 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/2
 description Po2-outside
 channel-group 2 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 description Po2-outside
 channel-group 2 mode active
 no nameif
 no security-level
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/0
 description LAN Failover Interface
!
interface GigabitEthernet1/1
 description STATE Failover Interface
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
!
interface BVI2
 ip address 10.0.204.254 255.255.255.0 standby 10.0.204.253
!
interface BVI100
 description ## management
 ip address 172.16.199.55 255.255.255.0 standby 172.16.199.56
!
interface Port-channel1
 no nameif
 no security-level
!
interface Port-channel1.199
 description Management
 vlan 199
 nameif management
 bridge-group 100
 security-level 100
!
interface Port-channel1.2004
 vlan 2004
 nameif inside-vlan-2004
 bridge-group 2
 security-level 100
!
interface Port-channel2
 no nameif
 no security-level
!
interface Port-channel2.204
 vlan 204
 nameif outside-vlan-204
 bridge-group 2
 security-level 0
!
ftp mode passive
access-list outside-204-in extended deny tcp any host 10.0.204.200 eq 3389
access-list outside-204-in extended permit ip any any
access-list test extended permit ip any any
access-list stp ethertype permit bpdu
access-list stp ethertype permit any
pager lines 24
logging enable
logging trap notifications
mtu management 1500
mtu inside-vlan-2004 1500
mtu outside-vlan-204 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/0
failover polltime unit msec 200 holdtime msec 999
failover polltime interface msec 500 holdtime 5
failover key *****
failover link state GigabitEthernet1/1
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip state 1.1.2.1 255.255.255.252 standby 1.1.2.2
monitor-interface inside-vlan-2004
monitor-interface outside-vlan-204
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group stp in interface inside-vlan-2004
access-group stp out interface inside-vlan-2004
access-group stp in interface outside-vlan-204
access-group stp out interface outside-vlan-204
access-group outside-204-in in interface outside-vlan-204
route management 0.0.0.0 0.0.0.0 172.16.199.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6958d361d20b413fe883c7f40d58f019
: end

##

On asf-2:

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/0
failover polltime unit msec 200 holdtime msec 999
failover polltime interface msec 500 holdtime 5
failover key *****
failover link state GigabitEthernet1/1
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip state 1.1.2.1 255.255.255.252 standby 1.1.2.2

###

asf-1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/0 (up)
Unit Poll frequency 200 milliseconds, holdtime 999 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 410 maximum
Version: Ours 9.1(5), Mate 9.1(5)
Last Failover at: 08:22:13 UTC Jul 1 2015
        This host: Primary - Active
                Active time: 90 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                  Interface management (172.16.199.55): Normal (Not-Monitored)
                  Interface inside-vlan-2004 (10.0.204.254): Normal (Waiting)
                  Interface outside-vlan-204 (10.0.204.254): Normal (Monitored)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Secondary - Failed
                Active time: 340 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                  Interface management (172.16.199.56): Normal (Not-Monitored)
                  Interface inside-vlan-2004 (10.0.204.253): Failed (Waiting)
                  Interface outside-vlan-204 (10.0.204.253): Normal (Monitored)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : state GigabitEthernet1/1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         24757      0          8899       0
        sys cmd         8629       0          8629       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        294        0          12         0
        UDP conn        8941       0          84         0
        ARP tbl         3352       0          84         0
        L2BRIDGE Tbl    3541       0          89         0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       4       332824
        Xmit Q:         0       1       59517

Meanwhile, on core1 we see the following:

core-1#sh spanning-tree int po7

Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0199         Desg FWD 3         128.664  P2p
VLAN2004         Desg BKN*3         128.664  P2p *LOOP_Inc

core-1#sh spanning-tree inconsistentports

Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN2004             Port-channel7          Loop Inconsistent

Number of inconsistent ports (segments) in the system : 1

018067: Jul  1 11:34:38.236 MSK: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel7 on VLAN2004.

####

I created an ACL to permit BPDUs, but it had no effect.

What do you think?

  • Security
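As an added example (not part of the original post, and not Cisco tooling), the script below re-reads the three pieces of evidence quoted above and ties them together: it checks the ASA config for an EtherType ACL that explicitly permits BPDUs in both directions on every bridge-group interface, parses the per-interface section of `show failover`, extracts loop-guard block events from the core syslog, and reports which ASA interface is both loop-guard blocked on the core (matched by VLAN) and unhealthy in the failover monitor. The sample inputs are constructed from the post's own config and output; all function names are the example's own.

```python
"""Correlate the evidence in the question: the transparent-mode ASA config,
its 'show failover' output and the core switch's loop-guard syslog.
Added example, not code from the original post."""
import re

# Constructed sample: the asf-1 config lines that matter here, taken from the post.
ASA_CONFIG = """\
interface Port-channel1.199
 vlan 199
 nameif management
 bridge-group 100
!
interface Port-channel1.2004
 vlan 2004
 nameif inside-vlan-2004
 bridge-group 2
!
interface Port-channel2.204
 vlan 204
 nameif outside-vlan-204
 bridge-group 2
!
access-list stp ethertype permit bpdu
access-list stp ethertype permit any
access-group stp in interface inside-vlan-2004
access-group stp out interface inside-vlan-2004
access-group stp in interface outside-vlan-204
access-group stp out interface outside-vlan-204
access-group outside-204-in in interface outside-vlan-204
"""

# Constructed sample: the per-interface part of 'show failover' from the post.
SHOW_FAILOVER = """\
        This host: Primary - Active
                  Interface management (172.16.199.55): Normal (Not-Monitored)
                  Interface inside-vlan-2004 (10.0.204.254): Normal (Waiting)
                  Interface outside-vlan-204 (10.0.204.254): Normal (Monitored)
        Other host: Secondary - Failed
                  Interface management (172.16.199.56): Normal (Not-Monitored)
                  Interface inside-vlan-2004 (10.0.204.253): Failed (Waiting)
                  Interface outside-vlan-204 (10.0.204.253): Normal (Monitored)
"""

# Constructed sample: the core-1 syslog line from the post.
CORE_LOG = ("018067: Jul  1 11:34:38.236 MSK: %SPANTREE-2-LOOPGUARD_BLOCK: "
            "Loop guard blocking port Port-channel7 on VLAN2004.\n")


def parse_interfaces(config):
    """Return {nameif: {"nameif", "vlan", "bridge_group"}} for every named interface."""
    interfaces, cur = {}, None
    for line in config.splitlines() + ["!"]:      # trailing '!' closes the last block
        if line.startswith(" ") and cur is not None:
            key, _, value = line.strip().partition(" ")
            if key == "nameif":
                cur["nameif"] = value
            elif key in ("vlan", "bridge-group"):
                cur[key.replace("-", "_")] = int(value)
            continue
        if cur and cur["nameif"]:                   # any non-indented line ends the block
            interfaces[cur["nameif"]] = cur
        cur = {"nameif": None, "vlan": None, "bridge_group": None} if line.startswith("interface ") else None
    return interfaces


def bpdu_gaps(config):
    """(nameif, direction) pairs on bridge-group interfaces where no EtherType ACL
    that explicitly permits BPDUs is applied in that direction."""
    bpdu_acls = set(re.findall(r"^access-list (\S+) ethertype permit bpdu$", config, re.M))
    applied = {}   # (nameif, direction) -> set of ACL names; extended and ethertype ACLs coexist
    for acl, direction, nameif in re.findall(r"^access-group (\S+) (in|out) interface (\S+)$", config, re.M):
        applied.setdefault((nameif, direction), set()).add(acl)
    return sorted((n, d) for n, i in parse_interfaces(config).items()
                  if i["bridge_group"] is not None for d in ("in", "out")
                  if not (applied.get((n, d), set()) & bpdu_acls))


def failover_interfaces(text):
    """Parse 'show failover' into {unit: {nameif: (status, monitor_state)}}."""
    units, unit = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(?:This|Other) host: (\S+) - \S+", line)
        if m:
            unit = m.group(1)
            units[unit] = {}
            continue
        m = re.match(r"\s*Interface (\S+) \([^)]*\): (\S+) \(([^)]*)\)", line)
        if m and unit is not None:
            units[unit][m.group(1)] = (m.group(2), m.group(3))
    return units


def unhealthy(text):
    """Monitored interfaces whose status/monitor state is anything but Normal/Monitored."""
    return sorted((u, n, s, m) for u, ifs in failover_interfaces(text).items()
                  for n, (s, m) in ifs.items()
                  if m != "Not-Monitored" and (s, m) != ("Normal", "Monitored"))


LOOPGUARD = re.compile(r"%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port (\S+) on VLAN(\d+)\.")


def loopguard_blocks(log):
    """(port, vlan) for every loop-guard block event in the syslog text."""
    return [(port, int(vlan)) for port, vlan in LOOPGUARD.findall(log)]


def correlate(config, failover_text, log):
    """Nameifs whose VLAN is loop-guard blocked on the core AND which the failover
    monitor reports as unhealthy on at least one unit."""
    blocked_vlans = {vlan for _, vlan in loopguard_blocks(log)}
    bad_nameifs = {n for _, n, _, _ in unhealthy(failover_text)}
    return sorted(n for n, i in parse_interfaces(config).items()
                  if i["vlan"] in blocked_vlans and n in bad_nameifs)


if __name__ == "__main__":
    print("No explicit BPDU permit:", bpdu_gaps(ASA_CONFIG))
    print("Unhealthy failover interfaces:", unhealthy(SHOW_FAILOVER))
    print("Loop-guard blocks:", loopguard_blocks(CORE_LOG))
    print("Correlated interfaces:", correlate(ASA_CONFIG, SHOW_FAILOVER, CORE_LOG))
```

Run against the post's own data, the audit confirms the stp ACL is applied in and out on both data interfaces (only the management bridge-group is listed, because the stp ACL was never applied there), flags inside-vlan-2004 as Waiting on the primary and Failed on the secondary, and matches that nameif's VLAN 2004 to the loop-guard block on Port-channel7. The same parsers can be pointed at live `show running-config`, `show failover` and switch syslog output.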
1 REPLY
New Member

Added on the trunk ports

I added stp portfast trunk on the core1/core2 trunk ports facing the ASA inside/outside...
But that's not exactly comme il faut...
