To Use Failover or Not to Use Failover (FWSM)

srowles · ‎01-16-2005

That is the question !!

Hi, I´m looking for a bit of advice regarding using the FWSM in 2 Cat 6500´s which are sitting at the core of a Collapsed backbone design with redundant uplinks to wiring closet switch stacks.

I am wondering about whether the FWSM´s in the 6500s sould be configured with a failover configuration or if they should be configured as standalone firewalls with identical configurations.

I am thinking that if you only have one active FWSM and you are firewalling between your VLANS (of which w have 20ish), some traffic may have to pass through the 6500 with the FWSM (module in standby) go across the trunk link between the 6500s, throught the active FWSM and then back across the trunk again before it reaches it´s ultimate destination.

I am trying to design in a reasonalbe degree of loadsharing using Rapid PVST+ and the acive/standby FWSM scenario here would seem to negate the load sharing aspec some what.

Any comments would be appreciated.

davecs · ‎01-16-2005

I would go failover:

1) because you get redundancy

2) because when Cisco release active/active then you problem will be solved

3) you wont be able to have non failover active/active because you will get IP conflicts.

srowles · ‎01-18-2005

Thanks for your help. I am pretty sure we will be using the failover functionality. Still need to understand the layer 2 load balancing issue as some traffic may hit my 6500 with the FWSM first, then across a trunk to the active FWSM thn back across the trunk to the final destination (I think).

davecs · ‎01-18-2005

yeah that will probably be the case - just have a big enough trunk :)