Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
433
Views
0
Helpful
3
Replies

Do I really need a stand by IP address on all my interfaces

Go to solution
cgicalgary
Level 1
Level 1

‎12-10-2008 09:45 AM - edited ‎03-11-2019 07:24 AM

Do I have to have a standy by IP address bound to every interface. Right now some of my interfaces have stand by IP address assigned to them and some don't. It does not appear to make a diffrence on how the firewall performs. I understand you need a standby IP address if you plan to monitor both firewall nodes. But that would only be required on the managment interface. I have read the configuration guide and it states the stand by IP address must be in the same subnet. But it does not say if it is optional or not, Yet the ASDM allows you to configure the firewall in failover mode without a stand by IP address. I figure the ASDM would be enforcing the standby IP address requirement if it was a must. So what is the advantages/disadvantages

My best guess is:

The standby IP address is used to monitor the health of the interface. It is used for the PING test during the health check proccess.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ddawson
Level 1
Level 1

‎12-10-2008 09:55 AM

Yes, you should have a standby address on every interface that's in use. As you've guessed, this address *is* used to monitor the health of the interface, so if you don't have it on some interfaces you don't really have full failover functionality.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ddawson
Level 1
Level 1

‎12-10-2008 09:55 AM

Yes, you should have a standby address on every interface that's in use. As you've guessed, this address *is* used to monitor the health of the interface, so if you don't have it on some interfaces you don't really have full failover functionality.

0 Helpful

Go to solution
cgicalgary
Level 1
Level 1
In response to ddawson

‎12-10-2008 12:45 PM

That is what I thought, It just that I am under pressure to recover some IP address in a subnet so we can add more servers. Now I have a definite answer that I can give to the no more room response I am going to have to give

0 Helpful

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎12-10-2008 10:02 AM

Below is the link to an excellent explanation by one of the netpros, I hope it helps.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1edc8/2#selected_message

Regards,

Arul

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card