03-04-2011 10:43 PM - edited 03-11-2019 01:01 PM
Hi all,
I have two 5550 firewalls set up for redundancy purposes. In failover we define two different IP addresses, one for the primary and one for the secondary.
Example:
interface Ethernet0/0
nameif outside
security-level 0
ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2
!
interface Ethernet1/0
nameif inside
security-level 100
ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11
Question:
The default gateway for hosts will be 10.0.0.12 (the primary firewall address); however, in case of failover, the secondary firewall will come up with the IP address that was assigned to the primary.
In this case, is the secondary IP address 10.0.0.11 actually never used?
Similarly, do I need to have two public IP addresses for the outside (one for the primary and one for the secondary)? Or, in case the primary fails, does the secondary come online and take the IP of the primary firewall, so that I only need to purchase one IP address?
Is my logic correct?
Thanks
03-05-2011 09:43 AM
Hi,
The problem is that the IP has to be on the same broadcast domain, so you may have to make your mask on the outside bigger. It will not match the one with your ISP, but other than that you won't have any issues.
Mike
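A small configuration check along the lines of the advice in this thread, added here as an example and not taken from any of the posts: it parses ASA-style interface stanzas and flags a standby address that falls outside the active address's subnet (the broadcast-domain problem Mike describes) or that is missing altogether (an interface the standby unit cannot be monitored on). The sample configuration and its addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample config modelled on the interface stanzas in the thread.
# The "outside" addresses are documentation-range placeholders, not real public IPs.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Ethernet1/0
 nameif inside
 security-level 100
 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11
!
interface Ethernet2/0
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0 standby 172.16.1.2
!
interface Ethernet3/0
 nameif mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
"""

# "ip address <active> <mask> [standby <standby>]"
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")


def parse_interfaces(config):
    """Return {nameif: (active, mask, standby-or-None)} for each interface stanza."""
    interfaces = {}
    name = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            name = stripped.split(None, 1)[1]   # fall back to the physical name
        elif stripped.startswith("nameif "):
            name = stripped.split(None, 1)[1]   # prefer the logical name
        else:
            m = IP_RE.match(line)
            if m and name:
                interfaces[name] = (m.group(1), m.group(2), m.group(3))
    return interfaces


def check_failover_addresses(config):
    """Return (nameif, problem) findings for standby-address misconfigurations."""
    findings = []
    for nameif, (active, mask, standby) in parse_interfaces(config).items():
        if standby is None:
            findings.append((nameif, "no standby address: the standby unit cannot be reached on this interface"))
            continue
        net = ipaddress.IPv4Network(f"{active}/{mask}", strict=False)
        if ipaddress.IPv4Address(standby) not in net:
            findings.append((nameif, f"standby {standby} is outside {net}: both units must share one broadcast domain"))
    return findings
```

Run `check_failover_addresses(SAMPLE_CONFIG)` to see the two constructed problem interfaces (dmz and mgmt) reported while outside and inside pass.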
03-04-2011 10:48 PM
Hello and thanks for posting.
In a manner of speaking, yes, the secondary IPs are never used. But they are used at the same time. You see, the only way the firewall can know that an interface is down is through the hello packets. These packets are sent to the standby IP and from the standby to the primary. The moment one of the IPs stops responding, the failover will occur; that is most likely the use of the secondary IP.
If you like, you wouldn't need to have secondary IPs; you can just use the no monitor-interface command and that way you wouldn't need to use them. However, it is not a best practice, because you won't be able to determine if there is an interface problem.
I hope this is helpful. Any questions, let me know.
Mike Rojas
03-04-2011 10:58 PM
Thanks for the prompt reply.
Can I say no monitor outside,
OR
use any dummy IP for the secondary (maybe this IP is allocated to another customer by the ISP, but I don't care as I am using it internally; as far as "global presence / reach" is concerned, I have one IP for me) and still continue with one IP for the outside, as the secondary is never used for connectivity or reachability?
Thanks
03-04-2011 11:00 PM
Hi,
If you don't have an available IP, the first option would be better. Never thought of the second one, but I guess you can do something like that.
Cheers
Mike
03-05-2011 01:35 AM
Can anyone confirm that for me?
03-06-2011 12:18 AM
Thanks for the reply.