Wednesday, March 31, 2010

Heartbeat HA configuration summary, using the HTTP service as an example

Environment:
Two hosts form an HA pair; when one of them can no longer provide the service, the other takes it over automatically.

OS: CentOS 5.1
The two hosts, master and slave, and their IP addresses are as follows
master: 192.168.6.103
slave: 192.168.6.102
服務 ip: 192.168.6.104
ping_ip: 192.168.6.253
Service provided: http
Add the following to /etc/hosts on both master and slave
192.168.6.103 master
192.168.6.102 slave


1. Install heartbeat on master and slave
yum install heartbeat


2. Configure authkeys on master and slave
Create /etc/ha.d/authkeys with the following content
auth 1
1 sha1 YourSecreKey

Restrict the permissions (the file holds the shared authentication key)
chmod 600 /etc/ha.d/authkeys


3. Configure ha.cf on master and slave
Create /etc/ha.d/ha.cf with the following content
# File to write other messages
logfile /var/log/ha.log

# Facility to use for syslog()/logger
logfacility local0

# keepalive: how long between heartbeats?
keepalive 2

# deadtime: how long to declare host dead?
deadtime 30

# Very first dead time (initdead)
initdead 120

# What interfaces to broadcast heartbeats over?
bcast eth0

# What UDP port to use for bcast/ucast communication?
udpport 694

# auto_failback: determines whether a resource will
# automatically fail back to its "primary" node, or remain
# on whatever node is serving it until that node fails, or
# an administrator intervenes.
#
# The possible values for auto_failback are:
# on - enable automatic failbacks
# off - disable automatic failbacks
# legacy - enable automatic failbacks in systems
# where all nodes do not yet support
# the auto_failback option.
auto_failback on

# Tell what machines are in the cluster
# node nodename ... -- must match uname -n
node master
node slave

# Treats IP as a pseudo-cluster-member
# Used together with ipfail below...
# note: don't use a cluster node as ping node
ping 192.168.6.253

# Processes started and stopped with heartbeat. Restarted unless
# they exit with rc=100
respawn hacluster /usr/lib/heartbeat/ipfail

# Access control for client api
# default is no access
apiauth ipfail gid=haclient uid=hacluster


4. Configure haresources on master and slave
Create /etc/ha.d/haresources with the following content
# hostname of the HA primary node   virtual interface IP   service name
# (the hostname must match a "node" line in ha.cf, i.e. uname -n)
master 192.168.6.104 httpd


Additional notes
1. While master is up and can still reach ping_ip, a failure of httpd on master itself does not move the httpd service to slave: configured this way, Heartbeat only watches node liveness (the heartbeats and the ping node), not the health of the resource it started.
2. Firewall: udp/694 (the udpport value in ha.cf) must be allowed between master and slave.
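As an added consistency check (not part of the original post), the following Python cross-checks the three files written above: the haresources node name must appear in a ha.cf "node" line, the ping node must not itself be a cluster node, authkeys must not be readable by group or other, and keepalive, deadtime and initdead must be ordered sensibly. The two timing rules are assumptions made for this check, not limits Heartbeat itself enforces.

```python
# Constructed samples (not the post's files verbatim): the haresources node is
# deliberately wrong and the authkeys mode deliberately loose, so both get reported.
HA_CF = """
keepalive 2
deadtime 30
initdead 120
node master
node slave
ping 192.168.6.253
"""
HARESOURCES = "server1 192.168.6.104 httpd\n"
AUTHKEYS_MODE = 0o644


def parse_ha_cf(text):
    """Split ha.cf into scalar settings, the node list and the ping list."""
    settings, nodes, pings = {}, [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "node":
            nodes.extend(value.split())
        elif key == "ping":
            pings.extend(value.split())
        else:
            settings[key] = value.strip()
    return settings, nodes, pings


def check_cluster(ha_cf, haresources, authkeys_mode):
    """Return a list of findings; an empty list means the three files agree."""
    settings, nodes, pings = parse_ha_cf(ha_cf)
    # Time values are assumed to be plain seconds, as in the post's ha.cf.
    keepalive = int(settings.get("keepalive", 0))
    deadtime = int(settings.get("deadtime", 0))
    initdead = int(settings.get("initdead", 0))
    findings = []
    if deadtime < 2 * keepalive:
        findings.append("deadtime should be at least twice keepalive")
    if initdead < deadtime:
        findings.append("initdead should not be smaller than deadtime")
    findings += ["ping node %s is itself a cluster node" % p for p in pings if p in nodes]
    for line in haresources.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] not in nodes:   # must match a 'node' line (uname -n)
            findings.append("haresources node %s not in ha.cf node list" % fields[0])
    if authkeys_mode & 0o077:   # group/other bits set: the shared key is exposed
        findings.append("authkeys is readable by group/other; needs chmod 600")
    return findings
```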

Monday, March 15, 2010

Running LEAF over a serial link

1. Edit /etc/inittab and add the following lines
ttyS0::respawn:/sbin/getty -L ttyS0 19200 vt100
ttyS1::respawn:/sbin/getty -L ttyS1 19200 vt100

2. Edit syslinux.cfg and add the following to the append line
append=... console=tty0 console=ttyS0,19200n8

3. Reboot

Netstat-nat 摘要

1. Runs on Linux kernel 2.4.x or later.
2. Displays the NAT connections managed by netfilter/iptables.
3. Works mainly by reading /proc/net/ip_conntrack.

Options
-h                          display help
-n                          don't resolve IPs/ports to host/port names
-p 'protocol'               display NAT connections for the given protocol (tcp udp icmp raw)
-s 'source host'            display connections by source IP/hostname
-d 'destination host'       display connections by destination IP/hostname
-S                          display SNAT connections
-D                          display DNAT connections
-L                          display only connections to the NAT box itself (disables display of SNAT & DNAT)
-R                          display only connections routed through the NAT box (doesn't show SNAT & DNAT)
-x                          extended view of hostnames
-r src|dst|src-port|dst-port|state   sort connections by the given field
-o                          strip the output header
-N                          display NAT box connection information (IP and port) for the NATing interface (only valid with SNAT & DNAT)
-v                          version

Connection states
ASSURED      the connection carries no more traffic
CLOSE        the connection is closed
ESTABLISHED  the connection is established and in use
FIN_WAIT     the connection has already been closed
SYN_RECV     the connection was observed waiting for a TCP SYN packet
SYN_SENT     the connection was observed sending a TCP SYN packet
TIME_WAIT    similar to CLOSE_WAIT, but in essence closer to a timeout
UNREPLIED    the connection has not yet received any reply
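As an added illustration (not code from the original post or from netstat-nat itself), the following Python parses constructed /proc/net/ip_conntrack lines in the 2.6-kernel format and derives the SNAT/DNAT/local/routed classification that the -S, -D, -L and -R options filter on, by comparing the original tuple with the reply tuple. Only tcp and udp lines are handled, and the NAT box's own addresses are passed in as an assumed set.

```python
import re

# Constructed sample lines in the 2.6 /proc/net/ip_conntrack layout (not a real capture).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.9.10 dst=203.0.113.80 sport=40001 dport=80 packets=12 bytes=1400 src=203.0.113.80 dst=198.51.100.1 sport=80 dport=40001 packets=10 bytes=9000 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.7 dst=198.51.100.1 sport=51000 dport=443 packets=1 bytes=60 [UNREPLIED] src=192.168.9.20 dst=203.0.113.7 sport=443 dport=51000 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.168.9.30 dst=198.51.100.1 sport=5353 dport=53 packets=1 bytes=70 src=198.51.100.1 dst=192.168.9.30 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1
tcp      6 300 TIME_WAIT src=10.0.0.5 dst=10.0.1.9 sport=3000 dport=22 packets=4 bytes=300 src=10.0.1.9 dst=10.0.0.5 sport=22 dport=3000 packets=3 bytes=200 [ASSURED] mark=0 use=1
"""

# One 4-tuple (src, dst, sport, dport); each line carries two: original, then reply.
ENDPOINT = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_line(line):
    fields = line.split()
    proto = fields[0]
    # tcp lines carry a state word before the first src=; udp lines do not.
    state = fields[3] if proto == "tcp" else "-"
    orig, reply = ENDPOINT.findall(line)[:2]
    flags = re.findall(r"\[(\w+)\]", line)   # e.g. ASSURED, UNREPLIED
    return {"proto": proto, "state": state, "orig": orig, "reply": reply, "flags": flags}


def nat_kind(c, local_ips):
    """SNAT: the original source was rewritten, so the reply is addressed elsewhere.
    DNAT: the original destination was rewritten, so the reply comes from elsewhere.
    Without NAT the flow is either to the box itself (LOCAL) or merely routed through it."""
    o, r = c["orig"], c["reply"]
    snat = o[0] != r[1]
    dnat = o[1] != r[0]
    if snat and dnat:
        return "SNAT+DNAT"
    if snat:
        return "SNAT"
    if dnat:
        return "DNAT"
    return "LOCAL" if o[1] in local_ips else "ROUTED"


def summarize(text, local_ips):
    """(protocol, NAT kind, state, flags) for every non-empty line."""
    return [(c["proto"], nat_kind(c, local_ips), c["state"], c["flags"])
            for c in (parse_line(ln) for ln in text.splitlines() if ln.strip())]
```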



Reference
http://tweegy.nl/projects/netstat-nat/

Wednesday, March 10, 2010

Cisco ASA 5550 LAN-Based Active/Standby Failover configuration notes

Cabling
Primary GigabitEthernet0/0 <----> Secondary GigabitEthernet0/0
Primary GigabitEthernet0/1 <----> Secondary GigabitEthernet0/1
Primary GigabitEthernet0/2 <----> Secondary GigabitEthernet0/2
Primary GigabitEthernet0/3 <----> Secondary GigabitEthernet0/3
Primary GigabitEthernet0/4 <----> Secondary GigabitEthernet0/4



Primary configuration
The interfaces that take part in failover are configured as follows
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.6.100 255.255.255.0 standby 192.168.6.101
!
interface GigabitEthernet0/1
nameif inside
security-level 50
ip address 192.168.9.253 255.255.255.0 standby 192.168.9.252
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/3
no shutdown

Failover-related settings
failover lan unit primary

// configure the failover link
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

// configure the state link
failover link state GigabitEthernet0/2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

failover

copy running-config startup-config


Secondary configuration
failover lan interface failover gigabitether0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
interface gigabitEthernet 0/3
no shutdown
exit
failover lan unit secondary
failover

copy running-config startup-config


Related commands
show failover
show failover state
show failover interface
show monitor-interface

Cisco EtherChannel configuration notes

Hardware connections
Cisco 3750G gigabitether1/0/1<--->Cisco 2960G gigabitether0/1
Cisco 3750G gigabitether1/0/2<--->Cisco 2960G gigabitether0/2

Cisco 3750G configuration
interface gigabitether1/0/1
channel-group 1 mode on

interface gigabitether1/0/2
channel-group 1 mode on

Cisco 2960G configuration
interface gigabitether0/1
channel-group 1 mode on

interface gigabitether0/2
channel-group 1 mode on


Additional notes
Running channel-group creates the Port-Channel interface.
To remove the Port-Channel interface, run no interface Port-Channel.


Related show commands
show interface port-channel
show etherchannel
show spanning-tree

Cisco IOS naming conventions

An IOS image name can be broken down into five parts: AAAAA-BBBB-CC-DDDD.EE.

Meaning of AAAAA: the device platform the IOS image is built for

Meaning of the BBBB feature-set codes
a       Advanced Peer-to-Peer Networking (APPN)
j       Enterprise
i       IP
ipbase  IP Base
i3      Reduced IP, without BGP, EGP, NHRP
i5      IP with VoFR
k8      IPSec 56
k9      IPSec 3DES
o       IOS Firewall
o3      Firewall with IDS and SSH
s       Plus (NAT, IBM, VPDN, VoIP)
v       VIP
v5      VoIP
x3      Voice features


Meaning of the CC codes
The first "C" says where the IOS image runs from on the router:
f   flash
m   RAM
r   ROM

The second "C" says how the IOS image is compressed:
z   zip compression
x   mzip compression
w   stac compression


Meaning of DDDD: the IOS version

Meaning of EE: the maintenance release number of that IOS version.