FWSM

Answered Question
Jul 1st, 2009
Folks,

I have multiple 6500s and the customer wants me to set up multiple levels of redundancy for FWSM. He wants intra- and inter-chassis redundancy, so 2 FWSMs per chassis per 6500.


My question is that for intra-chassis I will use one VLAN for stateful and one VLAN for stateful information; for inter-chassis, should I use a "DIFFERENT" set of VLANs for stateful and stateful redundancy? Can anyone confirm this?


Also, how can I make sure that there is no suboptimal routing between the switches and the best design possible? Any tips or docs would be highly appreciated and I will surely rate this post.


Tarun

Correct Answer by Jon Marshall about 8 years 4 weeks ago

Tarun


Not sure I fully understand. A single FWSM can only be in a failover pair with one other FWSM.


So if you have 2 FWSMs in the same chassis and these are a failover pair, then you can't pair either of these with the FWSMs in the other chassis, i.e. it's an either/or.


Either you have a failover pair in the same chassis or you have a failover pair between the chassis, but you can't have both with the same FWSMs.


Jon


NAVIN PARWAL Thu, 07/16/2009 - 17:47
Jon,

Thanks for the response, it was very helpful. I have another question on failover: the doc says that once the firewall does not receive a hello response it goes through a network interface activity test. My question is, what if the network interfaces go down and the firewall is still responding on the failover interface, will this trigger a failover? Also, what is the importance of the monitor-interface command?

Jon Marshall Fri, 07/17/2009 - 01:43
Tarun


"My question is, what if the network interfaces go down and the firewall is still responding on the failover interface, will this trigger a failover?"


It depends if you are monitoring the interface or not.


The failover link is used by the FWSMs to monitor each other's health. However, if one of the other interfaces fails but the failover link is still okay, how does the firewall know it has to fail over?


That is what the monitor-interface command is for. When you enable this on an interface, hello packets are exchanged between the same interface on each FWSM. If one of the interfaces goes down, hellos are no longer received, so the firewall can fail over.


Note I say "can" because you can configure a percentage of interfaces that must fail before the FWSM fails over.


If you are not monitoring the interface and that interface goes down, the FWSM will not necessarily fail over.


Jon
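The following configuration is an added illustration of the two points raised in this thread (one dedicated failover VLAN plus one state VLAN for a single pair, and monitor-interface together with the interface policy); it is not taken from the thread or from Cisco documentation. Slot number, VLAN ids, interface names and addresses are constructed for the example, and the whole block is written for a single primary/secondary pair only, since an FWSM cannot belong to two pairs at once.

```cisco
! --- 6500 supervisor side (repeat on each chassis that holds an FWSM) ---
! Slot 5 and the VLAN ids are constructed for this example.
firewall vlan-group 1 10,11,100,200
firewall module 5 vlan-group 1
! VLAN 10 = failover link, VLAN 11 = state link, 100/200 = data VLANs.
! For an intra-chassis pair these VLANs stay inside the one 6500; for an
! inter-chassis pair VLANs 10 and 11 must also be carried on the trunk
! between the two chassis. Do not reuse them for any other traffic.

! --- FWSM side, primary unit (system space on a multiple-context FWSM) ---
failover lan unit primary
! Dedicated failover link: unit-to-unit hellos and configuration replication.
failover lan interface folink vlan 10
failover interface ip folink 192.168.10.1 255.255.255.252 standby 192.168.10.2
! Separate state link: connection and translation state for stateful failover.
failover link statelink vlan 11
failover interface ip statelink 192.168.11.1 255.255.255.252 standby 192.168.11.2
! Enable failover last, after the links are defined.
failover

! --- Interface monitoring (configured per context on a multiple-context FWSM) ---
! Weak setting (what the thread warns about): failover link healthy, data
! interfaces not monitored, so a dead "outside" VLAN never triggers failover:
!   no monitor-interface outside
!   no monitor-interface inside
! Corrected setting: monitor the data interfaces and state how many must fail.
monitor-interface outside
monitor-interface inside
! Fail over when 50% of the monitored interfaces are down (a plain number
! such as "failover interface-policy 1" means one failed interface is enough).
failover interface-policy 50%
```

The secondary unit needs the same `failover lan interface`, `failover link` and `failover interface ip` lines with `failover lan unit secondary` instead of `primary`; the active/standby addresses are then swapped automatically. After enabling, `show failover` shows the monitored interfaces and their hello state, which is the quickest way to confirm that a data VLAN failure will actually be seen by the pair.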
