ā03-04-2011 10:43 PM - edited ā03-11-2019 01:01 PM
hi all,
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .
example
interface Ethernet0/0
nameif outside
security-level 0
ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2
!
interface Ethernet1/0
nameif inside
security-level 100
ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11
question :
default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .
in this case the secondary ip add 10.0.0.11 is actually nerver used ?
similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
is my logic correct ?
thanks
Solved! Go to Solution.
ā03-05-2011 09:43 AM
Hi,
The problem is that the IP has to be on same broadcast domain, so you may to make your mask on the outside bigger, it will not match with the one with your ISP but other than that you wont have any issues.
Mike
ā03-04-2011 10:48 PM
Hello and Thanks for posting.
In a matter of speaking yes, the secondary IP's are never used. But they are used at the same time. You see, the only way that the firewall can know that an interface is down is doing the hello packets. This packets are sent to the standby IP and from the standby to the primary. In the moment that one of the IPĀ“s stop responding, the failover will occurr, that is mostlikely the use of the secondary IP.
If you like, you wouldnt need to have sencondary IP's, you can use just the no monitor interface command and that way you wouldnt need to use them. However, it is not a best practice because you wont be able to determine if there is an interface problem.
I hope this is helpful, Any questions let me know.
Mike Rojas
ā03-04-2011 10:58 PM
thanks for prompt reply
can i say no monitor outside
OR
use any dummy ip for secondary (may be this ip is allocated to another costomer by the isp but i dont care as i m using it internally but as for as "global presence / reach is concerned i have one ip for me " ) and still continue with one ip for outside as secondary is never used for connectivity or rechability .
thanks
ā03-04-2011 11:00 PM
Hi,
If you dont have an available IP, first option would be better, never thought of the second one, but I guess you can do something like that
Cheers
Mike
ā03-05-2011 01:35 AM
Any one can confirm that to me ,
ā03-05-2011 09:43 AM
Hi,
The problem is that the IP has to be on same broadcast domain, so you may to make your mask on the outside bigger, it will not match with the one with your ISP but other than that you wont have any issues.
Mike
ā03-06-2011 12:18 AM
Thanks for reply
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide