FWSM

NAVIN PARWAL

Folks,

I have multiple 6500s and the customer wants me to set up multiple levels of redundancy for FWSM. He wants intra- and inter-chassis redundancy. So 2 FWSMs per chassis per 6500.

My question is that for intra chassis I will use one VLAN for stateful and one VLAN for stateful information; for inter chassis I should use a "DIFFERENT" set of VLANs for stateful and stateful redundancy? Can anyone confirm this?

Also, how can I make sure that there is no suboptimal routing between the switches and the best design possible? Any tips or docs would be highly appreciated and I will surely rate this post.

Tarun

NAVIN PARWAL

Anyone willing to help.

Thanks

Jon Marshall

Tarun

Not sure I fully understand. A single FWSM can only be in a failover pair with one other FWSM.

So if you have 2 FWSMs in the same chassis and these are a failover pair, then you can't pair either of these with the FWSMs in the other chassis, i.e. it's an either/or.

Either you have a failover pair in the same chassis or you have a failover pair between the chassis, but you can't have both with the same FWSMs.

Jon

Jon,

Thanks for the response, it was very helpful. I have another question on failover: the doc says that once the firewall does not receive a hello response it goes through a network interface activity test. My question is, what if the network interfaces go down and the firewall is still responding on the failover interface, will this trigger a failover? Also, what is the importance of the monitor-interface command?

Tarun

"My question is, what if the network interfaces go down and the firewall is still responding on the failover interface, will this trigger a failover?"

It depends on whether you are monitoring the interface or not.

The failover link is used by the FWSMs to monitor each other's health. However, if one of the other interfaces fails but the failover link is still okay, how does the firewall know it has to fail over?

That is what the monitor-interface command is for. When you enable this on an interface, hello packets are exchanged between the same interface on each FWSM. If one of the interfaces goes down, hellos are no longer received, so the firewall can fail over.

Note I say can because you can configure a percentage of interfaces that must fail before the FWSM fails over.

If you are not monitoring the interface and that interface goes down, the FWSM will not necessarily fail over.

Jon
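
The failover behaviour discussed in this thread, as an added configuration sketch that is not part of the original posts or taken from Cisco documentation. It assumes single-context mode; all VLAN numbers, interface names and IP addresses are constructed for illustration.

```cisco
! Added example: primary unit of one FWSM failover pair, single-context mode.
! VLAN numbers, interface names and addresses below are constructed.
!
! Dedicated failover (health) link and separate stateful link
failover lan unit primary
failover lan interface folink vlan 10
failover link statelink vlan 11
failover interface ip folink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover interface ip statelink 192.168.253.5 255.255.255.252 standby 192.168.253.6
!
! Each data interface carries a standby address so the two units can
! exchange hellos on that interface when it is monitored
interface vlan 100
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface vlan 200
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Monitor the data interfaces: without these lines a failed data interface
! does not necessarily cause a failover while the failover link stays up
monitor-interface outside
monitor-interface inside
!
! Percentage of monitored interfaces that must fail before the unit fails
! over (with two monitored interfaces, 50% means one failed interface)
failover interface-policy 50%
failover
```

`show failover` on either unit reports the state of each monitored interface, so the effect of the monitoring lines can be checked before relying on them.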
