I have a main office with two 6509s and one branch office with two 2851 routers.
From the branch office, two links come to the head office: one is a point-to-point fibre link, the other a point-to-point microwave link. We have terminated these two links on the FWSM module on the 6509s (fibre on the primary and microwave on the secondary switch). We have configured a context on the FWSM module.
But the problem is that we are not able to make the failover work. Route monitoring is configured; I bring the fibre link down, but traffic still does not shift to the microwave link.
Can anyone help with this? How do I configure failover on the FWSM?
>> both links have to be in the VRF VLAN?
Yes, this is what I meant.
Branch1 -------------link1----------- MSFC/VRF ---------------- FWSM(active)
Branch1 --------------link2------------MSFC/VRF ---------------- FWSM(active)
The FWSM sees the branch IP subnets via static routes whose IP next hop is the HSRP VIP on the VRF VLAN.
By the way, it is similar to what I proposed for Sairam in the other thread, here with the added redundancy of having two links, two C6500s and two FWSMs.
The FWSM in multiple-context mode doesn't support dynamic routing, so using a VRF allows the routing capabilities of the MSFC to be used without the risk of bypassing the FWSM firewall.
Hope this helps.
I would use a VRF on the two C6500s and run a routing protocol in the VRF.
In the VRF I would also put a VLAN that connects to the outside interface of a context on the FWSM.
In this way you have all the dynamic routing capabilities of the MSFC, and you keep the branch separated from the central site by the FWSM for controlled communication.
On the VLAN used as outside, the two MSFCs can offer an HSRP VIP to be used as the IP next hop for the IP subnets of the remote branch.
A default static route in the VRF pointing to the FWSM IP address on the outside completes the solution.
The inside interface of the FWSM context can connect to the central site, and it can be the next hop for static routes in the global routing table.
We have used this solution successfully.
On the FWSM you can control with ACLs what can be accessed by the branch IP subnets.
Hope this helps.
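As an added illustration of the design described in the two replies above (a VRF on the MSFCs holding the branch links and the FWSM outside VLAN, a routing protocol in the VRF, an HSRP VIP as the FWSM's next hop, a VRF default route to the FWSM outside, global static routes via the FWSM inside, and ACLs on the context), here is example configuration written for this page. It is not configuration posted by the thread's participants. Every name and number in it is an assumption: VRF BRANCH, FWSM in slot 3, VLAN 100 for the fibre link on C6500-A, VLAN 101 for the microwave link on C6500-B, VLAN 200 as the context's outside and VLAN 300 as its inside, 10.0.200.0/24 and 10.0.30.0/24 for those VLANs, 10.10.0.0/16 for the branch and 172.16.0.0/16 for the central site. Only C6500-A and the FWSM context are shown; C6500-B mirrors the MSFC part with its own addresses, its link in VLAN 101 and a lower HSRP priority.

```cisco
! ===== C6500-A, MSFC (Sup720 IOS). Example config, not from the thread.
! C6500-B is a mirror: link2 (microwave) in Vlan101, .3 addresses, HSRP priority 100.
!
! Hand the outside and inside VLANs of the context to the FWSM (slot 3 assumed)
firewall vlan-group 1 200,300
firewall module 3 vlan-group 1
!
ip vrf BRANCH
 rd 65000:1
!
! Link1 (fibre) from Branch1 terminates in the VRF, not on the FWSM
interface Vlan100
 description P2P fibre to Branch1
 ip vrf forwarding BRANCH
 ip address 192.168.100.1 255.255.255.0
 ip ospf cost 10
!
! Outside VLAN of the FWSM context: in the VRF, HSRP VIP .1 is the FWSM's next hop
interface Vlan200
 description FWSM context BRANCH - outside
 ip vrf forwarding BRANCH
 ip address 10.0.200.2 255.255.255.0
 standby 1 ip 10.0.200.1
 standby 1 priority 110
 standby 1 preempt
!
! Inside VLAN of the FWSM context: global routing table, central-site side.
! HSRP here too, so the FWSM's inside route survives the loss of one chassis.
interface Vlan300
 description FWSM context BRANCH - inside
 ip address 10.0.30.1 255.255.255.0
 standby 2 ip 10.0.30.254
 standby 2 priority 110
 standby 2 preempt
!
! Dynamic routing only inside the VRF: the branch subnets are learned over
! link1 here and over link2 on C6500-B; the two MSFCs peer across Vlan200 so
! each one knows the branch via the other chassis when its own link is down.
router ospf 10 vrf BRANCH
 router-id 10.0.200.2
 network 192.168.100.0 0.0.0.255 area 0
 network 10.0.200.0 0.0.0.255 area 0
!
! VRF default route -> FWSM outside; global route to the branch -> FWSM inside
ip route vrf BRANCH 0.0.0.0 0.0.0.0 10.0.200.10
ip route 10.10.0.0 255.255.0.0 10.0.30.10

! ===== FWSM, system execution space: create the context and give it the VLANs
context BRANCH
 allocate-interface Vlan200
 allocate-interface Vlan300
 config-url disk:/BRANCH.cfg

! ===== FWSM, context BRANCH (multiple-context mode: static routes only)
interface Vlan200
 nameif outside
 security-level 0
 ip address 10.0.200.10 255.255.255.0 standby 10.0.200.11
!
interface Vlan300
 nameif inside
 security-level 100
 ip address 10.0.30.10 255.255.255.0 standby 10.0.30.11
!
! Branch subnets via the HSRP VIP: the FWSM never sees which link is up,
! OSPF in the VRF moves the traffic from fibre to microwave.
route outside 10.10.0.0 255.255.0.0 10.0.200.1
! Central site behind the MSFCs' inside HSRP VIP
route inside 172.16.0.0 255.255.0.0 10.0.30.254
!
! Controlled communication: only what the branch is allowed to reach
access-list BRANCH_IN extended permit tcp 10.10.0.0 255.255.0.0 host 172.16.1.10 eq 443
access-list BRANCH_IN extended permit udp 10.10.0.0 255.255.0.0 host 172.16.1.53 eq 53
access-list BRANCH_IN extended deny ip any any log
access-group BRANCH_IN in interface outside
```

When the fibre fails, the OSPF adjacency on Vlan100 drops and the BRANCH VRF on C6500-A learns 10.10.0.0/16 from C6500-B across Vlan200; the FWSM's static route to 10.0.200.1 is untouched, which is the point of keeping the links off the firewall. To check, look at `show ip route vrf BRANCH` on the MSFC and `show route` inside the context before and after shutting Vlan100.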