03-24-2004 03:17 PM - edited 02-20-2020 11:18 PM
Hi,
We have failover configured (using a serial cable) between two PIX 515Es. The PIX is also configured with a trunk port on one of the DMZ interfaces, with the following relevant config:
+++++++++++++++++++++++
interface ethernet3 100full
interface ethernet3 vlan7 logical
interface ethernet3 vlan19 logical
nameif ethernet3 vl-7_19-trunk
nameif vlan7 ftp
nameif vlan19 vpn
no ip address vl-7_19-trunk
ip address ftp x.x.x.x z.z.z.z
ip address vpn y.y.y.y z.z.z.z
+++++++++++++++++++++++
Of course the physical trunk link is not configured with any IP address. However, this seems to be causing the following message to show up repeatedly on the terminal:
=====================================
WARNING, missing ip or failover address on vl-7_19-trunk interface
=====================================
How can we prevent this from appearing?
Will it help to configure it with 127.0.0.1 & 127.0.0.2 (failover)? Will it cause any problems with trunking?
Also, the "show failover" output shows these interfaces as "waiting" instead of "normal".
----------------------------------------
Interface vl-7_19-trunk (0.0.0.0): Normal (Waiting)
Interface ftp (x.x.x.x): Normal (Waiting)
Interface vpn (y.y.y.y): Normal (Waiting)
-----------------------------------------
Does that mean that the PIX won't fail over if this trunk interface fails, as it doesn't know about its state?
Regards // Naman
03-25-2004 06:18 AM
Naman,
In a failover scenario, all interfaces that are up need to have an address configured on them. This address needs to be L2 adjacent to the like interface on the backup PIX. I understand your confusion in this case, as you have configured e3 as a trunk port. One suggestion I would make is to remove one of the logical interfaces and just assign the VLAN to the e3 physical interface. Logical interfaces are not required to support 802.1Q trunks. In other words, you could do this:
interface ethernet3 100full
interface ethernet3 vlan7 physical
interface ethernet3 vlan19 logical
nameif ethernet3 ftp
nameif vlan19 vpn
ip address ftp x.x.x.x z.z.z.z
ip address vpn y.y.y.y z.z.z.z
** Note that I changed the interface on VLAN 7 from logical to physical. This ties VLAN 7 to the physical interface rather than creating a new logical interface for this traffic.
You would need to change your failover config as well, but this should resolve the issue. The interface is in a waiting state because it has not seen any hello packets from its mate PIX. The reason for this is that there is no IP address assigned to the interface, currently anyway.
Hope this helps.
Scott
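The thread turns on reading the "Interface <name> (<ip>): <status>" lines of "show failover" correctly: an interface with no address (0.0.0.0) cannot be health-checked at all, and "Normal (Waiting)" means the unit has not yet seen a hello from its peer on that interface. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses those lines and reports interfaces that cannot be relied on to trigger failover. The sample "show failover" text is constructed for the example (the address values and the "This host"/"Other host" block layout are assumptions; only the interface-line format is taken from the posts above), and the audit functions are hypothetical names chosen here.

```python
"""Audit PIX 'show failover' interface lines for interfaces that are not
properly monitored (added example; sample output below is constructed)."""
import re
from dataclasses import dataclass
from typing import List

# Interface line format as quoted in the thread, e.g.
#   Interface ftp (x.x.x.x): Normal (Waiting)
INTERFACE_RE = re.compile(
    r"^\s*Interface\s+(?P<name>\S+)\s+\((?P<ip>[^)]*)\):\s+(?P<status>.+?)\s*$"
)

# Constructed sample: the three interfaces from the thread plus two healthy
# ones, and an "Other host" block that must not be double-counted.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
        This host: Primary - Active
                Active time: 12345 (sec)
                Interface outside (203.0.113.1): Normal
                Interface inside (192.0.2.1): Normal
                Interface vl-7_19-trunk (0.0.0.0): Normal (Waiting)
                Interface ftp (192.0.2.65): Normal (Waiting)
                Interface vpn (192.0.2.129): Normal (Waiting)
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (203.0.113.2): Normal
                Interface inside (192.0.2.2): Normal
"""


@dataclass
class FailoverInterface:
    name: str
    ip: str
    status: str

    @property
    def has_address(self) -> bool:
        # An interface with no IP cannot exchange failover hellos at all.
        return self.ip not in ("0.0.0.0", "")

    @property
    def is_waiting(self) -> bool:
        # "Normal (Waiting)": no hello seen from the peer on this interface yet.
        return "Waiting" in self.status

    @property
    def is_failed(self) -> bool:
        return self.status.startswith(("Failed", "Link Down"))


def parse_show_failover(text: str) -> List[FailoverInterface]:
    """Return the interface lines of the 'This host' block only.

    If the text carries no 'This host' marker (e.g. just pasted interface
    lines), every interface line in it is parsed."""
    result: List[FailoverInterface] = []
    in_this_host = "This host" not in text
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("This host"):
            in_this_host = True
            continue
        if stripped.startswith("Other host"):
            break  # peer's view of the same interfaces; stop here
        if not in_this_host:
            continue
        m = INTERFACE_RE.match(line)
        if m:
            result.append(FailoverInterface(m["name"], m["ip"], m["status"]))
    return result


def audit(text: str) -> List[str]:
    """One finding per interface whose state cannot drive a failover decision."""
    findings: List[str] = []
    for iface in parse_show_failover(text):
        if not iface.has_address:
            findings.append(
                f"{iface.name}: no IP address, interface health is not monitored"
            )
        elif iface.is_waiting:
            findings.append(
                f"{iface.name}: Normal (Waiting), no hello from the peer yet; "
                "check the failover IP address and L2 adjacency to the mate"
            )
        elif iface.is_failed:
            findings.append(f"{iface.name}: {iface.status}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_FAILOVER):
        print(finding)
```

Run it against pasted "show failover" output from the active unit; an empty result means every interface in the "This host" block has an address and is exchanging hellos with its mate.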
03-25-2004 08:15 AM
Hi Scott,
Thanks for the reply.
Does that mean that the "native interface" for the switch trunk port should be 7?
Regards,
Naman
03-25-2004 09:49 AM
Nope. By assigning a VLAN to the physical interface, all you are doing is ensuring that any frames forwarded from that interface will be tagged with the configured VLAN ID rather than the native VLAN ID (which by default is VLAN 1). Not sure if you have seen this information, but if not, it might be worth a read:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113411
Hope this helps.
Scott