firewall failover

adamgibs7
Level 6

Dears
 
Please find the attached topology.
 
I have some problem in understanding the failover: whenever the port-channel interface of DC-1 fails, it shifts over to the DC-2 FW, but the perimeter firewalls don't shift and the traffic gets dropped. Hence, if I am not wrong, by default the failover should happen on the perimeter as well. Please confirm.

 

thanks


5 Replies

balaji.bandi
Hall of Fame

Can you please clarify which port-channel we are referring to?

As long as your monitoring is configured with the right interfaces and the failover condition meets the requirements, it automatically fails over to standby.

 

To confirm we need to understand your configuration also along with your diagram.

 

BB


For me it looks like "works as designed" ...

The INT-FW are probably the perimeter firewalls in your description. These have no clue that there is a change in upstream reachability. Because these are independent systems, you should make sure that both INT-FW can equally reach both DC1 and DC2 firewalls. Typically you achieve this with an additional (redundant) switch between these firewall systems.

Dear

So you are confirming that we need a switch in between the DC firewall and the perimeter firewall to address such an issue, and there is no other solution that can help to solve this problem?

Please advise.

There is always more than one solution ... But in this scenario, the switch between the two firewall systems is the most common one and proven to work as expected.

Abheesh Kumar
VIP Alumni

Hi,

As per your topology you need a switch in between DC-FW & INT-FW, because whenever your A or B interface goes down, DC-FW switches over, and it will not affect the INT-FW because your C, D, E, F interfaces are UP.

INT-FW switch-over occurs only when the C, D, E, F interfaces go down.

 

HTH

Abheesh 
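To make the point of the two answers above concrete, here is a small Python model of the two failure domains. This is an added illustration, not code or configuration from the thread or from any Cisco product. It assumes a topology, since the attachment is not available: A and B are the port-channel interfaces of DC-1 and DC-2, C/D and E/F are the monitored interfaces of INT-FW1 and INT-FW2, and X1/X2 are assumed names for the DC firewalls' perimeter-facing interfaces. Each pair decides failover only from its own monitored interfaces; whether the two active units can still reach each other afterwards depends on the cabling between the pairs.

```python
# Added example (not from the thread): each firewall pair fails over on the
# health of its OWN monitored interfaces, so an uplink failure on DC-1 moves
# the DC pair to DC-2 but leaves the perimeter pair untouched. Whether traffic
# survives then depends on whether the active perimeter unit can reach DC-2.
# Interface names A..F follow the thread; the rest of the topology is assumed.

from dataclasses import dataclass, field


@dataclass
class FailoverPair:
    """Active/standby pair; failover is driven only by its own monitored links."""
    name: str
    monitored: dict            # unit -> list of monitored interface names
    active: str
    down: set = field(default_factory=set)   # (unit, interface) currently down

    def fail_interface(self, unit, iface):
        self.down.add((unit, iface))
        self._evaluate()

    def _evaluate(self):
        # Assumed policy: switch over when a monitored interface on the active
        # unit is down and the standby unit has all of its monitored links up.
        active_bad = any((self.active, i) in self.down
                         for i in self.monitored[self.active])
        standby = next(u for u in self.monitored if u != self.active)
        standby_ok = not any((standby, i) in self.down
                             for i in self.monitored[standby])
        if active_bad and standby_ok:
            self.active = standby


def traffic_passes(dc, perim, links):
    """True if the active DC unit and the active perimeter unit share a
    physical path whose two ends are both up. `links` holds tuples of
    (dc_unit, perim_unit, dc_iface, perim_iface)."""
    for dc_unit, p_unit, dc_if, p_if in links:
        ends_up = (dc_unit, dc_if) not in dc.down and (p_unit, p_if) not in perim.down
        if dc_unit == dc.active and p_unit == perim.active and ends_up:
            return True
    return False


def build(topology):
    """Construct the assumed topology: 'direct' cables DC-1<->INT-FW1 and
    DC-2<->INT-FW2 only; 'switch' puts a switch between the pairs so every
    DC unit can reach every perimeter unit."""
    dc = FailoverPair("DC-FW", {"DC-1": ["A"], "DC-2": ["B"]}, active="DC-1")
    perim = FailoverPair("INT-FW", {"INT-FW1": ["C", "D"], "INT-FW2": ["E", "F"]},
                         active="INT-FW1")
    dc_ports = [("DC-1", "X1"), ("DC-2", "X2")]          # assumed names
    perim_ports = [("INT-FW1", "C"), ("INT-FW2", "E")]
    if topology == "direct":
        links = [("DC-1", "INT-FW1", "X1", "C"), ("DC-2", "INT-FW2", "X2", "E")]
    else:
        links = [(d, p, x, c) for d, x in dc_ports for p, c in perim_ports]
    return dc, perim, links


def simulate(topology):
    """Fail the DC-1 port-channel (interface A) and report who is active and
    whether traffic between the active units still has a path."""
    dc, perim, links = build(topology)
    before = traffic_passes(dc, perim, links)
    dc.fail_interface("DC-1", "A")       # the failure described in the question
    return {
        "dc_active": dc.active,
        "perim_active": perim.active,
        "traffic_before": before,
        "traffic_after": traffic_passes(dc, perim, links),
    }


if __name__ == "__main__":
    for topo in ("direct", "switch"):
        print(topo, simulate(topo))
```

Running it shows the behaviour the thread describes: with direct cabling the DC pair moves to DC-2, INT-FW1 stays active because C and D never went down, and traffic is black-holed; with a switch between the pairs the same failure leaves a working path from INT-FW1 to DC-2. The perimeter pair only fails over when one of its own monitored interfaces (C, D, E or F) drops, which is the interface-monitoring configuration balaji.bandi refers to.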
