firewall failover

mirehteshamali
Level 1

Hi all,

I have two 5550 firewalls set up for redundancy purposes. In failover we define two different IP addresses, one for the primary and one for the secondary.

example

interface Ethernet0/0
nameif outside
security-level 0
ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2
!
interface Ethernet1/0
nameif inside
security-level 100
ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11

question :

The default gateway for hosts will be 10.0.0.12 (the primary FW address); however, in case of failover, the secondary FW will come up with the IP address that was assigned to the primary.

In this case, is the secondary IP address 10.0.0.11 actually never used?

Similarly, do I need to have two public IP addresses for outside (one for the primary and one for the secondary)? Or, in case the primary fails, does the secondary come online and take the IP of the primary FW, so that I only need to purchase one IP address?

Is my logic correct?

Thanks

1 Accepted Solution: Mike's reply below, on keeping both outside addresses in the same broadcast domain.

6 Replies

Maykol Rojas
Cisco Employee

Hello, and thanks for posting.

In a manner of speaking, yes, the secondary IPs are never used. But they are used at the same time. You see, the only way the firewall can know that an interface is down is through the hello packets. These packets are sent to the standby IP and from the standby to the primary. The moment one of the IPs stops responding, the failover will occur; that is most likely the use of the secondary IP.

If you like, you wouldn't need to have secondary IPs; you can just use the no monitor-interface command and that way you wouldn't need to use them. However, it is not a best practice, because you won't be able to determine if there is an interface problem.

I hope this is helpful. Any questions, let me know.

Mike Rojas
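The setup Mike describes, written out as a complete active/standby failover configuration for the primary unit. This is an added example, not the original poster's configuration or anything from the thread: the failover link on GigabitEthernet0/3, its 192.168.254.0/30 addressing, the 203.0.113.0/29 outside block and the shared key are all assumptions chosen for illustration, and the key shown is a placeholder to be replaced.

```cisco
! Added example (not the original poster's config): primary-unit
! active/standby failover for the two-unit 5550 setup in the question.
! Assumed for illustration: GigabitEthernet0/3 as the failover link,
! 192.168.254.0/30 for its addressing, 203.0.113.0/29 as the ISP block,
! and a placeholder shared key that must be replaced.
hostname asa-primary
!
! The failover link carries configuration sync, connection state and the
! unit hellos. Keep it on an isolated segment and encrypt it with a key.
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key Replace-This-Shared-Secret
! Interface hellos every second; an interface is declared down after 5 s.
failover polltime interface 1 holdtime 5
!
interface GigabitEthernet0/3
 description failover and stateful link
 no shutdown
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet1/0
 nameif inside
 security-level 100
 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11
!
! Hosts keep 10.0.0.12 as their gateway: on failover the new active unit
! takes over the active address and MAC, and 10.0.0.11 moves to the new
! standby. Inside is monitored; if only one public address were
! available, outside could be excluded as suggested in the thread by
! uncommenting the line below.
monitor-interface inside
! no monitor-interface outside
!
failover
!
! On the secondary unit only these lines are needed before enabling
! failover; everything else is replicated from the active unit:
! failover lan unit secondary
! failover lan interface FAILOVER GigabitEthernet0/3
! failover interface ip FAILOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
! failover key Replace-This-Shared-Secret
! failover
```

After both units are up, `show failover` should report this host as Active and the other host as Standby Ready, with each monitored interface in the Normal state; an interface excluded with `no monitor-interface` still carries traffic but a link loss on it will not trigger a failover, which is the trade-off Mike points out.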

Thanks for the prompt reply.

Can I say no monitor outside

OR

Use any dummy IP for the secondary (maybe this IP is allocated to another customer by the ISP, but I don't care, as I'm using it internally; as far as "global presence / reach" is concerned I have one IP for me) and still continue with one IP for outside, as the secondary is never used for connectivity or reachability.

Thanks

Hi,

If you don't have an available IP, the first option would be better. I never thought of the second one, but I guess you can do something like that.

Cheers

Mike

Can anyone confirm that for me?

Hi,

The problem is that the IP has to be on the same broadcast domain, so you may have to make your mask on the outside bigger; it will not match the one with your ISP, but other than that you won't have any issues.

Mike

Thanks for the reply
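A check an operator can run over `show failover` output to catch the conditions discussed in Mike Rojas's first reply and in the accepted answer: a peer that is no longer Standby Ready, an interface left out of monitoring after `no monitor-interface`, or a monitored interface that never sees hellos because no usable standby address exists. This is an added example, not code from the thread; the sample output is constructed to resemble the ASA `show failover` layout rather than captured from a 5550, so the field names and states are assumptions to verify against your own unit.

```python
"""Check ASA active/standby failover health from 'show failover' output.

Added example, not part of the thread. The sample output below is constructed
to mirror the layout of ASA 'show failover' (not captured from a real unit),
so verify the field names against your own platform before depending on it.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's inside addressing, outside unmonitored
# (as after 'no monitor-interface outside'), peer healthy and in sync.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 1 seconds, holdtime 5 seconds
Monitored Interfaces 1 of 250 maximum
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (203.0.113.2): Normal (Not-Monitored)
                  Interface inside (10.0.0.12): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (203.0.113.3): Normal (Not-Monitored)
                  Interface inside (10.0.0.11): Normal (Monitored)
"""

# Same unit after the peer has dropped out: identical except for the peer
# state, which is the one line an operator must not miss.
SAMPLE_PEER_FAILED = SAMPLE_SHOW_FAILOVER.replace(
    "Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+\w+\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+) \(([\w-]+)\)")


@dataclass
class FailoverStatus:
    enabled: bool = False
    this_host: str = ""   # e.g. "Active", "Standby Ready", "Failed"
    other_host: str = ""
    # "this"/"other" -> nameif -> (ip, link_state, monitor_state)
    interfaces: dict = field(default_factory=dict)


def parse_show_failover(text: str) -> FailoverStatus:
    """Pull unit states and per-interface states out of 'show failover' text."""
    status = FailoverStatus()
    current = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            status.enabled = True
            continue
        m = HOST_RE.match(line)
        if m:
            current = "this" if m.group(1) == "This" else "other"
            setattr(status, current + "_host", m.group(2))
            status.interfaces.setdefault(current, {})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, link, monitor = m.groups()
            status.interfaces[current][name] = (ip, link, monitor)
    return status


def failover_findings(status: FailoverStatus) -> list:
    """Return human-readable problems; an empty list means the pair is healthy."""
    findings = []
    if not status.enabled:
        return ["failover is off: there is no redundancy at all"]
    if status.this_host == "Active" and status.other_host != "Standby Ready":
        findings.append(f"peer is '{status.other_host}', not Standby Ready: "
                        "a failure now would not be taken over")
    for host, ifaces in status.interfaces.items():
        for name, (ip, link, monitor) in ifaces.items():
            if link != "Normal":
                findings.append(f"{host} host: interface {name} ({ip}) is {link}")
            if monitor == "Not-Monitored":
                findings.append(f"{host} host: {name} is not monitored, so a link "
                                "loss there will not trigger failover")
            elif monitor == "Waiting":
                findings.append(f"{host} host: {name} is monitored but no hellos "
                                "seen; check the standby address and peer reachability")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_FAILOVER, SAMPLE_PEER_FAILED):
        for finding in failover_findings(parse_show_failover(sample)) or ["healthy"]:
            print(finding)
        print("--")
```

Feed it the output of `show failover` collected from the active unit (for example over SSH on a schedule) and alert on any non-empty result; the unmonitored-interface finding is deliberately a warning rather than an error, since the thread's whole point is that it can be an accepted trade-off when no second public address is available.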
