10-11-2007 06:42 AM - edited 03-11-2019 04:24 AM
Two firewalls, active <> active, one located in one data center at one
physical location, the other is located in another data center at another
physical location. This arrangement is for disaster recovery purposes and to
save money (1 pair instead of 2 pairs of firewalls). There are two of the same
service provider connections at each location.
QUESTION:
Is there a Cisco technology that allows STATEFUL load-balancing between
these two separated firewalls WITHOUT the requirement of a layer 2 span
between their inside interfaces?
Put another way: is there such a thing as Layer 3 Failover for Cisco
Firewalls?
* The initial positioning would have these two firewalls' respective
locations in these two different data centers and so would have them located on
different IP subnets.
** I am aware of load-balancing options for traffic prior to that traffic
reaching the inside interface of these two firewalls (CSS, GSLB, CSM, 3rd
party LB's) but a firewall failure using inside LB to move traffic back and
forth between the two I don't believe would be stateful (from the FW's perspective) and
that is a requirement in this case.
10-14-2007 01:38 PM
I've been thinking of doing something like this as well.
So far, the only thing I can think of is a L2TP tunnel between the two FWSM or using dot1q-tunneling between the two switches.
Unfortunately I cannot do this in my scenario because our data centers are separated by SONET interfaces so it will lose the dot1q tags.
The other idea is perhaps creating an L2 MPLS network to pass the FWSM stateful/failover keepalive msgs between the two. Which is creating an L2VPN PSEUDOWIRE MPLS in between.
I think it may work.... I haven't tested yet but let me know if you're going to try it.
10-29-2007 02:31 PM
After looking at all the options and contacting several regional Cisco Security resources the answer seems to be, no-can-do. The interface sharing relies on L2 (same subnet) connectivity ala HSRP. It makes sense to me in so far as L3 state cannot be maintained if the traffic is coming in to two different L3 (subnets) interfaces - the two ASA failover interfaces have to have the same L3 picture (same subnet) of the packets. So...alas, no breakthroughs on this one.
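For reference, the constraint the last post describes is visible in a standard ASA active/active failover configuration: every failover link and every data interface is defined with an active and a standby address in one subnet. This is an added illustration, not configuration from the thread; the interface names, context name and RFC 5737 / private addresses are assumed.

```cisco
! Added illustration of ASA active/active failover (not from this thread).
! Interface names, context names and addresses are assumed.
! Active/active failover requires multiple context mode.
mode multiple
!
! Failover control link and stateful-replication link (system context).
! Each carries a primary and a standby address from ONE subnet, so both
! units must share a broadcast domain on these links; there is no routed
! form of this command.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 10.255.2.1 255.255.255.252 standby 10.255.2.2
!
! Failover groups: group 1 is normally active on the primary unit and
! group 2 on the secondary, which is what makes the pair active/active.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
failover
!
! Each security context is tied to one failover group.
context DC-A
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/dc-a.cfg
 join-failover-group 1
!
! Inside context DC-A: each data interface has an active and a standby
! address from the same subnet. On failover the standby unit assumes the
! active address and MAC, so the inside and outside segments must also be
! a single L2 domain reaching both units; one subnet per site cannot be
! expressed here, which is the limitation the thread ran into.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
```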