hi

thanx for reply.

Please find the attached document.F0/1 and F0/2 must be a group and they should go down simultaneouly as well as the second group (f0/10 and f0/20) should come up.

from diagram u can understand the purpose.

The Traffic towards primary FW should be diverted to secondary without any issues.

Tried :

1.Ether channel - won't work as both interfaces are of different criteria(trust and untrust)

2.flex links - this can be used to bring up these ports idvidulay but the grouping can not be done.

3. Policy based routing. - same issue here this can be used to bring up a route but the second interface won't come up.

Clarification required : Can we group these interfaces in any way and make them down if one of them them gone down ? by object traking or in any other way.

Ready to do the things in L2 and L3.

pls guide.

attachment : -

no reply for a long ?

Hi there,

I've had a good look and I need to know what firewalls you are using.

Looking at your reason for not using an ether-channel you say that the interfaces are in a different trusts.

Are these links from the 6500/7600 layer 3 links. Also are there 2 different boxes - the 6500 and the 7600 ?

LH

Please rate all posts

No there is a single box(6509).in case of difficulty with this box we can replace witha 7609.Interfaces are working in layer three.We are ready to use them in layer two also.

firewalls used are netscreen.

Hi there,

I had a think about this and I think your best bet would be policy routing.

Have a match "AND" statement for the two interfaces that connect to the primary firewall - similar to conditional route advertisement. If both of the interfaces are up, then the policy will be met and you set the next hop to the primary firewall.

If the condition is not met and one of your interfaces to the primary firewall is down, then the traffic will pass to the routing table. In the routing table have a route (possible a default gateway?) pointing to the secondary firewall.

Enjoy!

LH

CCIE#15331

Please rate all posts

oops ... seems working tried pbr .. but it was unsuccessful.Let me try once again and come back to u with details.

Thanx

Hi once again ... it is not working match interface usage is not as we thought.SO look in to this and any help pls?

Note: I tried it in a lab set up but not working

Explanation - match interface

match interface word Route Map

This command match to incoming interface. Notation of this match is different from Cisco. Cisco uses a list of interfaces - NAME1 NAME2 ... NAMEN. Ripd allows only one name (maybe will change in the future). Next - Cisco means interface which includes next-hop of routes (it is somewhat similar to "ip next-hop" statement). Ripd means interface where this route will be sent. This difference is because "next-hop" of same routes which sends to different interfaces must be different. Maybe it'd be better to made new matches - say "match interface-out NAME" or something like that.

any help ?

hi

as Leigh mentionned in his post the use of match-all in the route-map with two statements for both interfaces is okay but instead of using a default route pointing to the secondary firewall, use another route-map statement pointing to the secondary but with a less priority like this

route-map match-all backup permit 10

statement-primary-interface1

statement-primary-interface2

route-map match-all backup permit 20

statement-secondary-interface1

statement-secondary-interface2

here entry with 10 will be processed before the one with 20, if both conditions of 10 are

not meet the 20 will be processed next.

HTH

please do rate if it does help

HI ☺

did you try it, it must work fine ♫

hi kamal,

regret for the delay in reply.

As I have mentioned in my earlier mail, set interface doesn't mean to check the interface status.It's checking the incoming interface of the packet.

but the details are not given in cisco sites(in my knowledge).I found it in some other website.Please do confirm and reply.

Rajeev.S

Rajeev welcome back

not quit sure for what you ve said about the set interface .

i did a lookup for the match interface and for the set interface i ve found what follow:

match interface type number = reditribute any routes that have the next hop {OUT} of one of the interfaces specified.

SET interface type number = indicate where to send output packets that pass a match clause of a route map for policy routing

so in your case use a route map with two blocs each with a priority

route-map TEST permit 10

match interface F0/1

match interface F0/2

(here both conditions must meet which means both interfaces must be UP, and that bloc with priority 10 will be processed first if there is a match the next bloc with priority 20 will not be processed it will be jumped)

route-map TEST permit 20

set interface F0/10 F0/20

(this bloc will be processed if F0/1 or F0/2 is down ,again here you are an OR condition not an AND so that the traffic can goes out even if one of the secondary interfaces is down)

(ip policy route-map TEST) must be applied on the interface of your incoming traffic may be more than one interface!!!

PBR is applied only on inboubd direction!!

so give it a try and lets us know

HTH

please do rate if it does help