01-04-2010 09:23 AM - edited 03-04-2019 07:06 AM
Hi,
I have a main office with two 6509s and one branch office with two 2851 routers.
From the branch office, 2 links come to the head office: one is a fibre point-to-point link, the other a microwave point-to-point link. These 2 links we have terminated on the FWSM module on the 6509 (fibre on the primary and microwave on the secondary switch). We have configured a context on the FWSM module.
But the problem is we are not able to make the failover work. Route monitor is configured. I am making the fibre link down, but still traffic is not shifting to the microwave link.
Can anyone help on this? How do I configure failover on the FWSM?
01-04-2010 11:20 AM
Hello Goutam,
I would use a VRF on the two C6500s and I would use a routing protocol in the VRF.
On the VRF I would also put a VLAN that would connect to the outside of a context on the FWSM.
In this way you can have all the dynamic routing capabilities of the MSFC, and you would keep the branch separated from the central site with the FWSM to make a controlled communication.
On the VLAN used as outside, the two MSFCs can offer an HSRP VIP used as the IP next-hop for the IP subnets of the remote branch.
A default static route in the VRF pointing to the FWSM IP address on the outside completes the solution.
The inside interface of the FWSM context can connect to the central site and it can be the next-hop for static routes in the global routing table.
We have used this solution successfully.
On the FWSM you can control with ACLs what can be accessed by the branch IP subnets.
Hope to help
Giuseppe
01-04-2010 06:19 PM
Hi Giuseppe,
I found this solution interesting, but I can't understand how this will provide failover from the MSFC outside perspective, I mean between the sites, not between the MSFC and the FWSM?
Also, the solution above uses a VRF to be connected to the fiber link and the global routing to be connected to the other link!!
Or do both links have to be in the VRF VLAN?
Thank you
01-05-2010 01:58 AM
Hello Marwan,
>> both links have to be in the VRF vlan ?
Yes, this is what I meant.
Branch1 -------------link1----------- MSFC/VRF ---------------- FWSM(active)
Branch1 --------------link2------------MSFC/VRF ---------------- FWSM(active)
The FWSM sees the branch IP subnets via static routes that use IP next-hop = HSRP VIP on the VRF VLAN.
By the way, it is similar to what I have proposed for Sairam in the other thread, with here the added redundancy of having two links, two C6500s and two FWSMs.
FWSM in multi-context mode doesn't support dynamic routing, so the use of the VRF allows using the routing capabilities of the MSFC without the risk of bypassing the FWSM firewall.
Hope to help
Giuseppe
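To make the design in the two replies above concrete, here is a worked configuration of the VRF/HSRP/FWSM arrangement. It is an added example, not Giuseppe's or Cisco's configuration: every VLAN number, IP address, EIGRP autonomous system, module slot and context name is assumed, the branch router is taken to be a single 2851 with both links (as in the diagram), and the two 6500s are assumed to trunk VLANs 100 and 200 between them so both MSFCs and both FWSMs sit on the same segments. Only the primary MSFC is shown in full; the secondary mirrors it with the microwave link, its own addresses and a lower HSRP priority.

```text
! ===== MSFC-1 (C6500 terminating the fibre link) - constructed example =====
ip vrf BRANCH
 rd 65000:1
!
! Point-to-point link to the branch router, placed INSIDE the VRF
interface GigabitEthernet1/1
 description Fibre P2P to Branch-2851 (assumed interface/addressing)
 ip vrf forwarding BRANCH
 ip address 10.0.1.1 255.255.255.252
!
! VLAN in the VRF that faces the FWSM context OUTSIDE interface.
! The HSRP VIP is the next-hop the FWSM uses for every branch subnet,
! so the FWSM never needs to know which link (or which MSFC) is alive.
interface Vlan100
 description VRF side of FWSM context outside
 ip vrf forwarding BRANCH
 ip address 10.0.100.2 255.255.255.0
 standby 100 ip 10.0.100.1
 standby 100 priority 110
 standby 100 preempt
!
! Dynamic routing with the branch, confined to the VRF (EIGRP chosen as an example).
! Link failover is handled here by reconvergence, not by the FWSM.
router eigrp 100
 address-family ipv4 vrf BRANCH
  autonomous-system 100
  network 10.0.1.0 0.0.0.3
  network 10.0.100.0 0.0.0.255
  redistribute static
  no auto-summary
 exit-address-family
!
! Default route in the VRF towards the FWSM outside address:
! everything the branch sends to the central site must cross the firewall.
ip route vrf BRANCH 0.0.0.0 0.0.0.0 10.0.100.10
!
! Global table side: the FWSM INSIDE interface lives on Vlan200 and is the
! next-hop for the branch subnets (assumed 192.168.10.0/24) in the global table.
interface Vlan200
 description Global side of FWSM context inside
 ip address 10.0.200.2 255.255.255.0
 standby 200 ip 10.0.200.1
 standby 200 priority 110
 standby 200 preempt
ip route 192.168.10.0 255.255.255.0 10.0.200.10
!
! Hand the two firewall VLANs to the FWSM (module slot assumed)
firewall vlan-group 1 100,200
firewall module 3 vlan-group 1

! ===== MSFC-2 differs only in these points (microwave link, lower priority) =====
! interface GigabitEthernet1/1 -> ip address 10.0.2.1 255.255.255.252 (in VRF BRANCH)
! interface Vlan100 -> ip address 10.0.100.3, standby 100 priority 100
! interface Vlan200 -> ip address 10.0.200.3, standby 200 priority 100

! ===== FWSM system execution space (active unit) - constructed example =====
context BRANCH
  allocate-interface vlan100
  allocate-interface vlan200
  config-url disk:/BRANCH.cfg

! ===== FWSM context BRANCH =====
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.0.100.10 255.255.255.0 standby 10.0.100.11
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.0.200.10 255.255.255.0 standby 10.0.200.11
!
! Static routes only (multi-context FWSM has no dynamic routing):
! branch subnets via the HSRP VIP in the VRF, central site via the global HSRP VIP
route outside 192.168.10.0 255.255.255.0 10.0.100.1
route inside 10.1.0.0 255.255.0.0 10.0.200.1
!
! Controlled communication: the branch may reach only what is listed here.
! (FWSM permits nothing without an ACL, on any interface, so both sides get one.)
access-list BRANCH_IN extended permit tcp 192.168.10.0 255.255.255.0 10.1.10.0 255.255.255.0 eq 443
access-list BRANCH_IN extended permit udp 192.168.10.0 255.255.255.0 host 10.1.10.53 eq 53
access-list BRANCH_IN extended deny ip any any
access-group BRANCH_IN in interface outside
access-list CENTRAL_OUT extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-group CENTRAL_OUT in interface inside
```

With this layout the failover the original poster was looking for never involves the FWSM at all: when the fibre link drops, EIGRP inside the VRF withdraws the fibre path and the branch prefixes are reached over the microwave link on MSFC-2, while the FWSM keeps forwarding to the HSRP VIP 10.0.100.1, which stays reachable as long as either MSFC is up. The only way from the branch into the global routing table is through the context, so the VRF gives the MSFC's routing features without opening a path around the firewall; a quick check after a link failure is `show ip route vrf BRANCH` on each MSFC and `show route` in the context, which should show unchanged next-hops on the FWSM and a changed path in the VRF.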
01-05-2010 03:51 AM
thank you Giuseppe
01-07-2010 12:50 AM
Hi,
Thanks... I have successfully implemented it and it is running...
Thanks a lot.