Layer 3 Failover Active <> Active

mprescher
Level 1

Two firewalls, active <> active, one located in one data center at one physical location, the other located in another data center at another physical location. This arrangement is for disaster recovery purposes and to save money (1 pair instead of 2 pairs of firewalls). There are two of the same service provider connections at each location.

QUESTION:

Is there a Cisco technology that allows STATEFUL load-balancing between these two separated firewalls WITHOUT the requirement of a layer 2 span between their inside interfaces?

Put another way: is there such a thing as Layer 3 Failover for Cisco Firewalls?

* The initial positioning would have these two firewalls' respective locations in these two different data centers and so would have them located on different IP subnets.

** I am aware of load-balancing options for traffic prior to that traffic reaching the inside interface of these two firewalls (CSS, GSLB, CSM, 3rd party LBs), but a firewall failure using inside LB to move traffic back and forth between the two I don't believe would be stateful (from the FW's perspective), and that is a requirement in this case.

2 Replies

autobot130
Level 1

I've been thinking of doing something like this as well.

So far, the only thing I can think of is an L2TP tunnel between the two FWSMs or using dot1q-tunneling between the two switches.

Unfortunately I cannot do this in my scenario because our data centers are separated by SONET interfaces, so it will lose the dot1q tags.

The other idea is perhaps creating an L2 MPLS network to pass the FWSM stateful/failover keepalive messages between the two, which means creating an L2VPN pseudowire (MPLS) in between.

I think it may work.... I haven't tested yet, but let me know if you're going to try it.
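The pseudowire idea above, written out as an added configuration sketch (this is not from the thread's participants and, as the reply says, untested by them). It assumes Cisco IOS switches acting as MPLS PEs at each data center, an ASA-style `failover` syntax on the firewalls (FWSM uses VLAN interfaces for the failover and state links instead of physical ports), and the following made-up values: loopbacks 10.255.0.1/10.255.0.2 as the LDP router-ids, VC ID 100 for the pseudowire, and 192.168.254.0/30 for the failover link:

```text
! === DC-A switch (IOS): EoMPLS port-mode pseudowire carrying the failover link ===
! Assumed addressing: Loopback0 10.255.0.1 here, 10.255.0.2 on the DC-B switch.
mpls ip
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet1/1
 description to ASA-A failover/state interface (G0/3)
 no ip address
 xconnect 10.255.0.2 100 encapsulation mpls
!
! === DC-B switch: mirror image, peering back to 10.255.0.1 with the same VC ID ===
! interface GigabitEthernet1/1
!  xconnect 10.255.0.1 100 encapsulation mpls

! === ASA-A (primary unit) ===
! The failover link and the state link share one interface; the pseudowire makes
! the two units' G0/3 ports look like one L2 segment, which is what failover expects.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key <shared-secret>
failover
!
! === ASA-B (secondary unit): identical except for the unit role ===
! failover lan unit secondary
```

Two caveats a practitioner would want before trying this. First, it only gives the failover/state link an L2 path across the WAN; the inside and outside data interfaces of both units still have to sit in the same subnets at both sites, which is exactly the constraint the thread's final reply describes, so the pseudowire does not by itself remove the L2-span requirement. Second, failover keepalives over a WAN pseudowire are sensitive to latency and loss, so check the platform's documented failover-link latency limit and the hold/poll timers before relying on it in production. An active<>active deployment additionally requires multiple-context mode with failover groups, which the sketch omits.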

After looking at all the options and contacting several regional Cisco Security resources, the answer seems to be no-can-do. The interface sharing relies on L2 (same subnet) connectivity à la HSRP. It makes sense to me insofar as L3 state cannot be maintained if the traffic is coming in to two different L3 (subnet) interfaces; the two ASA failover interfaces have to have the same L3 picture (same subnet) of the packets. So... alas, no breakthroughs on this one.
