一、实验设备

1、PIX515E-UR两台，软件版本：6.3

2、交换机两台

二、拓扑图

三、配置

部分配置省略：

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outs security0
nameif ethernet1 inside security100
ip address outs 192.168.18.201 255.255.255.0
ip address inside 1.1.1.1 255.255.255.0
failover
failover ip address outs 192.168.18.202
failover ip address inside 1.1.1.2
failover link inside
global (outs) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outs 0.0.0.0 0.0.0.0 192.168.18.1 1
telnet 0.0.0.0 0.0.0.0 inside

sho failover信息：在secondary PIX

开始时是primary PIX为active状态，secondary PIX 为standby状态。

pixfirewall#  sho fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 00:49:39 UTC Fri Jan 1 1993
        This host: Secondary - Standby
                Active time: 0 (sec)
                Interface outs (192.168.18.202): Normal
                Interface inside (1.1.1.2): Normal
        Other host: Primary - Active
                Active time: 1845 (sec)
                Interface outs (192.168.18.201): Normal
                Interface inside (1.1.1.1): Normal

Stateful Failover Logical Update Statistics
        Link : inside
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         117        0          137        0        
        sys cmd         117        0          117        0        
        up time         0          0          0          0        
        xlate           0          0          4          0        
        tcp conn        0          0          16         0        
        udp conn        0          0          0          0        
        ARP tbl         0          0          0          0        
        RIP Tbl         0          0          0          0        
             
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       133
        Xmit Q:         0       1       117

经过5秒左右状态切换过来！

是primary PIX为standby状态，secondary PIX 为active状态。

pixfirewall#  sho fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 01:32:20 UTC Fri Jan 1 1993
        This host: Secondary - Active
                Active time: 15 (sec)
                Interface outs (192.168.18.201): Normal (Waiting)
                Interface inside (1.1.1.1): Normal (Waiting)
        Other host: Primary - Standby
                Active time: 2580 (sec)
                Interface outs (192.168.18.202): Normal
                Interface inside (1.1.1.2): Link Down (Waiting)

Stateful Failover Logical Update Statistics
        Link : inside
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         212        0          230        0        
        sys cmd         212        0          210        0        
        up time         0          0          0          0        
        xlate           0          0          4          0        
        tcp conn        0          0          16         0        
        udp conn        0          0          0          0        
        ARP tbl         0          0          0          0        
        RIP Tbl         0          0          0          0        

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       226
        Xmit Q:         0       1       212

注：1、在应用层几乎察觉不到切换

         2、实验参考：Cisco PIX Firewall and VPN Configuration Guide, Version 6.3 中的Using PIX Firewall Failover部分