Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
581
Views
0
Helpful
4
Replies

Pix Pair Without Serial Connection?

Go to solution
mmedwid
Level 3
Level 3

‎06-09-2006 03:00 PM - edited ‎07-04-2021 12:19 PM

Is it possible to have a stateful redundant pair of pixes without using the serial cable? Or is it the case that some aspects of failover can not live without the serial connection between the two members of the pair? Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
a.kiprawih
Level 7
Level 7

‎06-09-2006 09:27 PM

*******************

Security - Firewall

*******************

Hi,

Yes, it's possible. There is feature called LAN-Based failover that provide alternative solution to serial-based Firewall connectivity.

This is due to the length/distance limitation of serial cable.

With LAN-based failover, the PIXs distance is subjected to max LAN/Ethernet cable distance (IEEE 802.3), as long as it maintain < 100meter.

Apart fromn your stateful link, you need to allocate another dedicated port on each Firewall for this (replace serial cable), and connect them to a hub or switch (same VLAN group).

The only setback using LAN-Based is that failover process or failure detection will slightly slower than cable-based setup. Other than that, it looks very similar to serial-cable setup.

The following URLs provides a technical & sample config:

PIX6.3:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1024836

PIX7.x

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html

Rgds,

AK

View solution in original post

0 Helpful
4 Replies 4

Go to solution
a.kiprawih
Level 7
Level 7

‎06-09-2006 09:27 PM

*******************

Security - Firewall

*******************

Hi,

Yes, it's possible. There is feature called LAN-Based failover that provide alternative solution to serial-based Firewall connectivity.

This is due to the length/distance limitation of serial cable.

With LAN-based failover, the PIXs distance is subjected to max LAN/Ethernet cable distance (IEEE 802.3), as long as it maintain < 100meter.

Apart fromn your stateful link, you need to allocate another dedicated port on each Firewall for this (replace serial cable), and connect them to a hub or switch (same VLAN group).

The only setback using LAN-Based is that failover process or failure detection will slightly slower than cable-based setup. Other than that, it looks very similar to serial-cable setup.

The following URLs provides a technical & sample config:

PIX6.3:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1024836

PIX7.x

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html

Rgds,

AK

0 Helpful

Go to solution
mmedwid
Level 3
Level 3
In response to a.kiprawih

‎06-09-2006 09:48 PM

Great - thank-you. I took over a pre-existing network that appears to be configured for LAN based failover but they have the serial cables still attached. Trying to figure out what they were up to. I'll lab this out and try to move toward relying complete on the LAN failover.

0 Helpful

Go to solution
astra.wadsworth
Level 1
Level 1
In response to a.kiprawih

‎06-14-2006 12:14 PM

Hi AK,

Do you have any experience doing LAN based FO on Pix 535 with GE where the State and Failover links on the same interface (using a switch in between)? The docs say with Pix 535 with Gig, GE is required for the state link. It seems like it should be okay, but the fact that the docs specify Gig makes me nervous of how it would work in times of heavy load? If you (or anyone else) has any experience with this kind of situation then your feedback is greatly appreciated.

Thanks,

Don

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7
In response to astra.wadsworth

‎06-15-2006 12:47 AM

Hi Don,

I have tested both LAN-based and serial-based failover, but serial cable was selected due to insifficient GE ports, plus both Firewalls are installed in the same rack (stacked).

I prefer to use separate GE, eventhough you can use same GE for 2 fucntions.

The reason why GE is recommended is to enable traffic/sessions/info to be transferred to the standby unit without any/minimum delay. It is not wrong to use 10/100Mbps port, but the setback is it'll be slower, especially when failover occured during heavy traffic/load. That's why GE is recommended.

Rgds,

AK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card