07-25-2007 09:02 AM - edited 03-11-2019 03:49 AM
Can i use the same name/IP address for LAN and statefull link ?
Below is the config, PIX accepts this config, just wanted to confirm if it'll wrk fine this way.
failover lan interface LAN-AND-STATE Ethernet2
failover link LAN-AND-STATE Ethernet2
failover interface ip LAN-AND-STATE 10.10.10.1 255.255.255.252 standby 10.10.10.2
Also, if I use the same physical interface and assign 2 different set of names and different set of IP's , is this fine ..
e.g.
failover lan interface LAN Ethernet2
failover link STATE Ethernet2
failover interface ip LAN 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover interface ip STATE 10.2.2.1 255.255.255.252 standby 10.2.2.2
any comments guys ?
07-25-2007 09:25 AM
What version of software are you running?
You can do it in PIX V6 but recommendation is against. In V7 is not supportecd at all, from the Reldease notes :-
If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(2) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(2) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html
** Please rate post if helpfull **
07-25-2007 09:35 PM
I'm using 7.2(2)
Just to clarify yor reply, I'm not sharing the STATEFUL interface with any regular traffic interface, rather i'm sharing it with the LAN Failover interface and PIX is accepting my commands.
So is this acceptable ?
07-26-2007 10:30 AM
Sorry, my misunderstanding by LAN I thought you meant inside LAN.
Yes you can use the same interface for the satefull and failover link. Cisco have an example of this here :-
If possible, I would recommend using cable based failover, if this is not possible due to phyical limits, remember the failover link must go through a switch or hub, it cannot be a crossover cable.
** Please rate posts if helpfull **
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: