Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
5
Helpful
3
Replies

PIX Failover while using 802.1q trunking

mnlatif
Level 3
Level 3

‎03-24-2004 03:17 PM - edited ‎02-20-2020 11:18 PM

Hi,

We have Failover configured (using serial cable) between two PIX 515E. PIX is also configured with a trunk port on one of the DMZ interfaces. With the following relevant config

+++++++++++++++++++++++

interface ethernet3 100full

interface ethernet3 vlan7 logical

interface ethernet3 vlan19 logical

nameif ethernet3 vl-7_19-trunk

nameif vlan7 ftp

nameif vlan19 vpn

no ip address vl-7_19-trunk

ip address ftp x.x.x.x z.z.z.z

ip address vpn y.y.y.y z.z.z.z

+++++++++++++++++++++++

Ofcourse the Physical Trunk Link is not configured with any IP address. However this seems to be causing this message repeatedly showing up on the terminal

=====================================

WARNING, missing ip or failover address on vl-7_19-trunk interface

=====================================

How can we prevent this from appearing ?

Will it help to configure with 127.0.0.1 & 127.0.0.2 (failover) ? Will it cause any problems with trunking ?

Also the "show failover" shows these interfaces as "waiting" instead of "normal".

----------------------------------------

Interface vl-7_19-trunk (0.0.0.0): Normal (Waiting)

Interface ftp (x.x.x.x): Normal (Waiting)

Interface vpn (y.y.y.y): Normal (Waiting)

-----------------------------------------

Does that mean that PIX won't failover, if this trunk interface fails, as it doesn't know about its state ?

Regards // Naman

0 Helpful
3 Replies 3

scoclayton
Level 7
Level 7

‎03-25-2004 06:18 AM

Naman,

In a failover scenerio, all interfaces that are up need to have an address configured on them. This address needs to be L2 adjacent to the like interface on the backup PIX. I understand your confusion in this case as you have config'ed e3 as a trunk port. One suggestion I would make is to remove one of the logical interfaces and just assign the vlan to the e3 physical interface. Logical interfaces are not required to support 802.1q trunks. In other words, you could do this:

interface ethernet3 100full

interface ethernet3 vlan7 physical

interface ethernet3 vlan19 logical

nameif ethernet3 ftp

nameif vlan19 vpn

ip address ftp x.x.x.x z.z.z.z

ip address vpn y.y.y.y z.z.z.z

** Note that I changed the interface on vlan 7 from logical to physical. This ties vlan7 to the physical interface rather than creating a new logical interface for this traffic.

You would need to change your failover config as well but this resolve the issue. The interface is in a waiting state because it has not seen any hello packets from it's mate PIX. The reason for this is because there is no IP address assigned to the interface, currently anyway.

Hope this helps.

Scott

mnlatif
Level 3
Level 3
In response to scoclayton

‎03-25-2004 08:15 AM

Hi Scott,

Thanks for the reply.

Does that mean that the "native interface" for the switch trunk port should be 7 ?

Regards,

Naman

0 Helpful

scoclayton
Level 7
Level 7
In response to mnlatif

‎03-25-2004 09:49 AM

Nope. By assigning a VLAN to the physical interface, all you are doing is assuring that any frames forwarded from that interface will be tagged with the configured VLAN ID rather than the native VLAN ID (which by default is VLAN 1). Not sure if you have seen this information but if not, it might be worth a read:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113411

Hope this helps.

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card