PIX Stateful Failover

Discussion in 'Cisco' started by Bob the Builder, Jan 6, 2005.

  1. Hi,
    I want to set this up. The documents contradict each other: some say you
    need to connect the failover interfaces via a switch/hub and others say use
    a crossover cable. Surely, introducing a switch just adds another point of
    failure? If the switch should die - and it would be a cheap non redundant
    switch with two connections like a 2950-12 - it will isolate the PIXes.
    However, some of the docs seem to suggest that failover will not be
    supported by Cisco unless a switch is used?

    I could use two ports on my highly resilient 6513's and put the failover
    interfaces in a VLAN on one of them. However, that would remove some of the
    security since I have read that this would leave me open to "vlan hopping".
    What do you think?

    I have seen that you can use the LAN for stateful info and the blue failover
    cable to detect if power on the primary fails. I am considering going about
    my configuration this way. Does that sound good? Indeed, I have seen that
    some guys have used the outside or inside interfaces for the stateful
    interfaces in lightly loaded configurations.

    Thanking you.
    Roberto
     
    Bob the Builder, Jan 6, 2005
    #1

  2. Hey Bob,

    I've never tried it but in reading you can do both - the failover cable or
    use a switch. I believe it's recommended to put them on a separate VLAN, but
    I'd be interested to hear your setup after it's complete.
     
    B. Gray, Jan 7, 2005
    #2

  4. :I could use two ports on my highly resilient 6513's and put the failover
    :interfaces in a VLAN on one of them. However, that would remove some of the
    :security since I have read that this would leave me open to "vlan hopping".
    :What do you think?

    Cisco fixed the VLAN leaking problems long ago. Beyond that it's
    a matter of managing your ports properly. One of Cisco's presentations
    says to:

    o ALWAYS use a dedicated VLAN ID for trunk ports
    o Disable unused ports and put them in an unused VLAN
    o Be paranoid: Do not use VLAN 1 for anything
    o Set all user ports to non-trunking (DTP off)

    The same paper notes that DTP and CDP -always- use VLAN 1,
    even if VLAN 1 is specifically disallowed from the trunk port.

    http://www.cisco.com/global/FR/docu...hitecture/RDV_Archi_IBNS_18_12_jbarozet_1.pdf
     
    Walter Roberson, Jan 7, 2005
    #4
  5. Hi,

    LAN-based failover is used to eliminate the distance limitation (6 feet with
    the failover serial cable) and the standby can use a virtual MAC address, so
    the failover serial cable is not required.

    LAN-based failover can be configured either directly using a simple CAT5
    crossover cable or via a switch, and it's recommended to dedicate a VLAN for
    the stateful failover connection.

    Security considerations are as follows:

    - Separate the new VLAN from VLAN 1, which must be reserved only for layer 2
    protocol communication between devices (CDP, VTP, PAgP, DTP).

    - Enable portfast on the switch port, to avoid additional time to bring the
    port to forwarding state.

    - Disable trunk on that port.

    - Disable port channel on that port.
     
    AJN, Jan 7, 2005
    #5
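    Putting the advice from #4 and #5 together as one concrete configuration.
    This is an added example, not posted by anyone in the thread and not taken
    from Cisco's documentation: PIX 6.x LAN-based failover with a separate
    stateful link on the primary unit, plus the Catalyst (native IOS) ports the
    links plug into. The interface names, VLAN numbers, IP addresses and the
    shared key are all assumptions chosen for the example.

```cisco
! ---- PIX primary unit (PIX 6.x syntax) ----
! Two dedicated interfaces: one for LAN-based failover (hellos plus config
! replication), one for stateful replication. Names, speeds and addresses
! below are assumptions for this example.
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet2 lanfail security20
nameif ethernet3 stateful security30
ip address lanfail 10.255.1.1 255.255.255.0
ip address stateful 10.255.2.1 255.255.255.0
! The standby unit's addresses on the same two subnets
failover ip address lanfail 10.255.1.2
failover ip address stateful 10.255.2.2
! LAN-based failover in place of the serial failover cable
failover lan unit primary
failover lan interface lanfail
! Shared key protecting failover messages; must be identical on both units
failover lan key example-shared-key
failover lan enable
! Stateful (connection table) replication over its own link
failover link stateful
failover
! The secondary unit needs the interface, ip address and failover lan
! commands above (with "failover lan unit secondary") before it can pull the
! rest of the configuration from the primary.

! ---- Catalyst (IOS) access ports for the failover links ----
! Dedicated VLANs for the failover links; nothing on VLAN 1
vlan 901
 name PIX-LAN-FAILOVER
vlan 902
 name PIX-STATEFUL
!
! Access port, trunking off (DTP disabled), portfast so the link forwards
! immediately. No channel-group is configured on these ports, so PAgP/LACP
! is never negotiated on them.
interface GigabitEthernet3/1
 description PIX primary - LAN failover link (VLAN 901)
 switchport
 switchport mode access
 switchport access vlan 901
 switchport nonegotiate
 spanning-tree portfast
! Repeat for the secondary unit's port, and for both stateful-link ports
! in VLAN 902.
!
! Trunks get their own dedicated native VLAN, so untagged frames never land
! in VLAN 1, and only the VLANs that need to cross are allowed.
interface GigabitEthernet3/48
 description uplink trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 901,902
 switchport mode trunk
 switchport nonegotiate
!
! Unused ports: forced to access mode, parked in an unused VLAN, shut down
interface range GigabitEthernet3/10 - 47
 switchport
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
```

    To check it, `show failover` on either PIX shows both units' state and
    whether the LAN and stateful links are up; on the switch,
    `show interfaces GigabitEthernet3/1 switchport` should report the port as
    static access with negotiation of trunking off.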
