pix failover question

David Smith
      02-20-2004
I have read the Cisco guide about how to use PIX failover. I still have
a few questions:

1. Same version: I have one unit at version 6.3(2) and the other at 6.3(3).
Is it OK for failover?

2. Stateful failover:

1) Do we need any configuration on the 2nd unit for stateful failover?
If not, just wondering how replication will happen since there is no
config on the 2nd unit at all, including interface type.
2) For stateful failover, we only need a crossover cable, not the
failover cable, right?
3) Can we connect the two units with both the failover cable (Primary
and Secondary on both ends) and a crossover cable for the failover interface
(for stateful)?
3) Should we configure the unused interfaces and connect both unused interfaces
with a crossover cable?

TIA

 
mcaissie
      02-20-2004

"David Smith" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have read CISCO guide about how to use pix failover. Here are still
> a few questions:
>
> 1. same version, I have one version 6.3 (2) and the ohter is 6.3 (3).
> is it ok for failover.


No, you need the same version on both.

>
> 2. stateful failover:
>
> 1) do we need any configuration on the 2nd unit for stateful failover?
> if not, just wondering how replication will happen since there is no
> config on the 2nd unit at all including interface type.


You only need to configure the Primary unit. When doing a "wr mem" the config
will be synchronised with the Secondary through the failover cable.


> 2) for stateful failover, we only need a crossover cable, not the
> failover cable, right?


No, you always need the failover cable.

> 3) can we connect the two units with both the failover cable (Primary
> and secondary on both ends) and crossover cable for failover interface
> (for stateful)?


Not only can you, but you have to if you want to have stateful failover.
But you could also work with only the failover cable, without stateful.
Without stateful, if one unit fails, existing connections are lost and
have to be rebuilt by the other unit. In stateful mode all existing
connections are transferred to the failover unit through the cross-over cable.

> 3) should we config unused interface and connect both unused interface
> with crossover cable?


No, you can just keep them "shutdown".


>
> TIA
>



 
Jason Kau
      02-21-2004
mcaissie <(E-Mail Removed)> wrote:
>> 2) for stateful failover, we only need a crossover cable, not the
>> failover cable, right?

>
> No , you always need the failover cable .


No, you don't. Read the documentation:

http://www.cisco.com/univercd/cc/td/...over.htm#23601

Failover Link

The two units constantly communicate over a failover link to determine
each unit's operating status. Communications over the failover link
include:

* The unit state (active or standby)
* The power status (cable-based failover only)
* Hello messages (also sent on all other interfaces)
* Configuration synchronization between the two units (see the
"Configuration Replication" section for more information).

The failover link can be one of the following connections:

* Serial failover cable ("cable-based failover"). If the two units are
within six feet of each other, then we recommend that you use the serial
failover cable. Using this cable allows the firewall to sense a power loss
of the peer unit, and to differentiate a power loss from an unplugged
cable. The cable is a modified RS-232 serial link cable that transfers
data at 117,760 bps (115 Kbps). One end is labeled "Primary" and attaches
to the primary unit, while the other end is labeled "Secondary" and
attaches to the secondary unit. If you purchased a PIX Firewall failover
bundle, this cable is included. To order a spare, use part number PIX-FO.
* Ethernet connection ("LAN-based failover"). You can use any unused
Ethernet interface on the device. If the units are further than six feet
apart, use this method. We recommend that you connect this link through a
dedicated switch. You cannot use a crossover Ethernet cable to link the
units directly.

The disadvantages of using LAN-based failover include:

o The PIX Firewall cannot immediately detect the loss of power
of a peer, so the PIX Firewall takes longer to fail over in this case.
o You need to configure the failover link on the standby unit
before it can communicate with the active unit.

In cable-based failover, the standby unit can communicate directly with
the active unit, and can receive the entire configuration before enabling
any interfaces or setting IP addresses.

o The switch between the two units can be another point of
hardware failure.
o You have to dedicate an Ethernet interface (and switch ports)
to the failover link, and the interface cannot be used for regular
traffic.

The benefits include:

o Separation of the units by more than 6 feet.
o Faster configuration replication.

State Link

For Stateful Failover, you must use an Ethernet link to pass state
information. The PIX Firewall supports the following Ethernet interface
settings for the state link:

* Fast Ethernet (100BASE-T) full duplex
* Gigabit Ethernet (GE) (1000BASE-T) full duplex
Note On a PIX 535 with GE interfaces, you must use a GE
interface as the state link.

We recommend that you use a crossover cable to directly connect the units.
You can also use a switch between the units. No hosts or routers should be
on this link.

If the two units are more than six feet apart, you can use the same
Ethernet state link as the failover link, but we recommend that you use a
separate Ethernet link if available. If they are closer than 6 feet, we
recommend that you use the serial failover cable as the failover link.
Note If you use the same link for both state and failover, you
cannot use a crossover cable.

--
Jason Kau
http://www.cnd.gatech.edu/~jkau
 
David Smith
      02-22-2004
Thank you both for your input.

I am confused by the Cisco guide (Using PIX Failover), chapter 10.

On page 10-27, step 2:

"If there are any interfaces that have not been configured in the
non-failover setup, configure them at this time with an IP address and a
failover IP address. Also leave the unused interfaces unconnected."

On page 10-28, after step 6:

"Note:
PIX Firewall requires that unused interfaces be connected to the
standby unit and that each unused interface be assigned an IP address.
Even if an interface is administratively shutdown, the PIX Firewall
will try to send failover check-up messages to all internal
interfaces."


On Sat, 21 Feb 2004 05:52:26 +0000 (UTC), Jason Kau
<(E-Mail Removed)> wrote:

>mcaissie <(E-Mail Removed)> wrote:
>>> 2) for stateful failover, we only need a crossover cable, not the
>>> failover cable, right?

>>
>> No , you always need the failover cable .

>
>No you don't. Read the documentation:
>
>http://www.cisco.com/univercd/cc/td/...over.htm#23601
>
>Failover Link
>
>The two units constantly communicate over a failover link to determine
>each unit's operating status. Communications over the failover link
>include:
>
> * The unit state (active or standby)
> * The power status (cable-based failover only)
> * Hello messages (also sent on all other interfaces)
> * Configuration synchronization between the two units (see the
>"Configuration Replication" section for more information).
>
>The failover link can be one of the following connections:
>
> * Serial failover cable ("cable-based failover"). If the two units are
>within six feet of each other, then we recommend that you use the serial
>failover cable. Using this cable allows the firewall to sense a power loss
>of the peer unit, and to differentiate a power loss from an unplugged
>cable. The cable is a modified RS-232 serial link cable that transfers
>data at 117,760 bps (115 Kbps). One end is labeled "Primary" and attaches
>to the primary unit, while the other end is labeled "Secondary" and
>attaches to the secondary unit. If you purchased a PIX Firewall failover
>bundle, this cable is included. To order a spare, use part number PIX-FO.
> * Ethernet connection ("LAN-based failover"). You can use any unused
>Ethernet interface on the device. If the units are further than six feet
>apart, use this method. We recommend that you connect this link through a
>dedicated switch. You cannot use a crossover Ethernet cable to link the
>units directly.
>
>The disadvantages of using LAN-based failover include:
>
> o The PIX Firewall cannot immediately detect the loss of power
>of a peer, so the PIX Firewall takes longer to fail over in this case.
> o You need to configure the failover link on the standby unit
>before it can communicate with the active unit.
>
>In cable-based failover, the standby unit can communicate directly with
>the active unit, and can receive the entire configuration before enabling
>any interfaces or setting IP addresses.
>
> o The switch between the two units can be another point of
>hardware failure.
> o You have to dedicate an Ethernet interface (and switch ports)
>to the failover link, and the interface cannot be used for regular
>traffic.
>
>The benefits include:
>
> o Separation of the units by more than 6 feet.
> o Faster configuration replication.
>
>State Link
>
>For Stateful Failover, you must use an Ethernet link to pass state
>information. The PIX Firewall supports the following Ethernet interface
>settings for the state link:
>
> * Fast Ethernet (100BASE-T) full duplex
> * Gigabit Ethernet (GE) (1000BASE-T) full duplex
> Note On a PIX 535 with GE interfaces, you must use a GE
>interface as the state link.
>
>We recommend that you use a crossover cable to directly connect the units.
>You can also use a switch between the units. No hosts or routers should be
>on this link.
>
>If the two units are more than six feet apart, you can use the same
>Ethernet state link as the failover link, but we recommend that you use a
>separate Ethernet link if available. If they are closer than 6 feet, we
>recommend that you use the serial failover cable as the failover link.
> Note If you use the same link for both state and failover, you
>cannot use a crossover cable.
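As an added example (not code from any of the posters or from Cisco's documentation), here is a small Python checker that applies the points raised across this thread to a PIX 6.3 running-config before the pair is brought up: that both units run the same software version, that every interface named with `nameif` has a standby ("failover") address, including unused ones, as the note David quotes requires, and that the state link named by `failover link` is a full-duplex Ethernet interface that is not shut down and, if it is also the LAN-based failover interface, cannot be a direct crossover connection. The configuration below is constructed for this example; the command syntax is assumed to match PIX 6.3, and the `0.0.0.0` standby address used for an unused interface is assumed to follow the PIX default-configuration convention.

```python
"""Sanity checks for a PIX 6.x failover pair (added example, constructed config).

Assumptions: PIX 6.3 syntax for nameif / interface / ip address /
failover ip address / failover link / failover lan interface.
"""

# Constructed primary-unit config: dedicated full-duplex state link on
# ethernet2, and an unused ethernet3 that was left without a standby address.
PRIMARY_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security20
nameif ethernet3 intf3 security15
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 auto shutdown
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 10.254.254.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.1.1.2
failover ip address stateful 10.254.254.2
failover link stateful
"""


def parse_failover(config):
    """Pull the failover-relevant lines out of a PIX 6.x running-config."""
    info = {"version": None, "nameif": {}, "hw_setting": {}, "shutdown": set(),
            "ip": {}, "failover_ip": {}, "link": None, "lan_interface": None}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        words = line.split()
        if line.startswith("PIX Version "):
            info["version"] = words[2]
        elif words[0] == "nameif" and len(words) >= 3:
            info["nameif"][words[1]] = words[2]        # hardware -> logical name
        elif words[0] == "interface" and len(words) >= 3:
            info["hw_setting"][words[1]] = words[2]    # auto, 100full, ...
            if "shutdown" in words[3:]:
                info["shutdown"].add(words[1])
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            info["ip"][words[2]] = words[3]
        elif words[:3] == ["failover", "ip", "address"] and len(words) >= 5:
            info["failover_ip"][words[3]] = words[4]
        elif words[:2] == ["failover", "link"] and len(words) >= 3:
            info["link"] = words[2]
        elif words[:3] == ["failover", "lan", "interface"] and len(words) >= 4:
            info["lan_interface"] = words[3]
    return info


def check_failover(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    info = parse_failover(config)
    findings = []
    logical_to_hw = {name: hw for hw, name in info["nameif"].items()}

    # Every named interface, used or not, needs a standby address: the PIX
    # sends failover hello messages on all interfaces, even shut-down ones.
    for hw, name in info["nameif"].items():
        if name not in info["failover_ip"]:
            findings.append(f"{name} ({hw}): no 'failover ip address' configured; "
                            "PIX expects one on every interface, used or not")

    link = info["link"]
    if link is None:
        findings.append("no 'failover link' configured: failover will not be stateful")
        return findings
    hw = logical_to_hw.get(link)
    if hw is None:
        findings.append(f"failover link '{link}' does not match any nameif")
        return findings
    setting = info["hw_setting"].get(hw, "")
    if not setting.endswith("full"):          # state link must be full-duplex Ethernet
        findings.append(f"state link {link} ({hw}) is '{setting or 'unset'}'; "
                        "the state link must be a full-duplex Ethernet interface")
    if hw in info["shutdown"]:
        findings.append(f"state link {link} ({hw}) is shutdown")
    if info["lan_interface"] == link:         # shared link: switch required, no crossover
        findings.append(f"{link} carries both state and LAN-based failover; "
                        "a shared link must go through a switch, not a crossover cable")
    return findings


def versions_match(config_a, config_b):
    """True only when both configs declare the same PIX software version."""
    va = parse_failover(config_a)["version"]
    vb = parse_failover(config_b)["version"]
    return va is not None and va == vb


if __name__ == "__main__":
    for finding in check_failover(PRIMARY_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed config it reports only the missing standby address on `intf3`; appending `failover ip address intf3 0.0.0.0` (the assumed default-config convention for an unused interface) clears it. The checker reads the primary unit's config only, because, as mcaissie notes, the secondary receives its configuration by replication; `versions_match` is there for the first question in the thread, since a 6.3(2) and a 6.3(3) unit will not pass it.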


 