825 Views | 5 Helpful | 5 Replies

link failover

goutam_04 (Level 1)

Hi,

I have a main office with two 6509s and one branch office with two 2851 routers.

From the branch office, two links come to the head office: one is a point-to-point fibre link and the other is a point-to-point microwave link. We have terminated these two links on the FWSM module on the 6509s (fibre on the primary and microwave on the secondary switch). We have configured a context on the FWSM module.

But the problem is that we are not able to make the failover... Route monitor is configured... I am taking the fibre link down, but the traffic is still not shifting to the microwave link.

Can anyone help with this... how do I configure failover on the FWSM?


5 Replies

Giuseppe Larosa (Hall of Fame) [Accepted Solution]

Hello Goutam,

I would use a VRF on the two C6500s and I would use a routing protocol in the VRF.

In the VRF I would also put a VLAN that connects to the outside of a context on the FWSM.

In this way you have all the dynamic routing capabilities of the MSFC, and you keep the branch separated from the central site with the FWSM to make a controlled communication.

On the VLAN used as outside, the two MSFCs can offer an HSRP VIP used as the IP next-hop for the IP subnets of the remote branch.

A default static route in the VRF pointing to the FWSM IP address on the outside completes the solution.

The inside interface of the FWSM context can connect to the central site and it can be the next-hop for static routes in the global routing table.

We have used this solution successfully.

On the FWSM you can control with ACLs what can be accessed by the branch IP subnets.

Hope to help

Giuseppe

Hi Giuseppe,

I found this solution interesting, but I can't understand how this will provide failover from the MSFC outside perspective, I mean between the sites, not between the MSFC and the FWSM?

Also, the solution above uses a VRF to be connected to the fibre link and the global routing to be connected to the other link!!

Or do both links have to be in the VRF VLAN?

Thank you

Giuseppe Larosa (Hall of Fame) [Accepted Solution]

Hello Marwan,

>> both links have to be in the VRF vlan ?

Yes, this is what I meant.

Branch1 ---- link1 ---- MSFC/VRF ---- FWSM (active)

Branch1 ---- link2 ---- MSFC/VRF ---- FWSM (active)

The FWSM sees the branch IP subnets via static routes that use IP next-hop = HSRP VIP on the VRF VLAN.

By the way, it is similar to what I proposed for Sairam in the other thread, with here the added redundancy of having two links, two C6500s and two FWSMs.

The FWSM in multiple-context mode doesn't support dynamic routing, so the use of the VRF allows you to use the routing capabilities of the MSFC without the risk of bypassing the FWSM firewall.

Hope to help

Giuseppe
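The design Giuseppe describes in his two replies above (both branch links terminated in a VRF on the MSFCs, an IGP in that VRF, an HSRP VIP on the VLAN that is the FWSM context's outside, a VRF default route to the FWSM, and static routes on the FWSM for the branch subnets via the VIP), written out as an added configuration example. This is not configuration from the thread or from Cisco: the VRF name BRANCH, VLANs 100 and 200, every IP address, OSPF process 10, the slot and interface numbers and the FWSM 3.x context syntax are assumptions. It also assumes VLANs 100 and 200 are trunked between the two 6509s, and that active/standby failover between the two FWSM modules is configured separately.

```ios
! ---- 6509-A MSFC (the fibre link lands here). 6509-B is identical apart from
! ---- its own link interface, its own addresses and a lower HSRP priority.
! (assumed VRF name, addresses, VLAN and interface numbers)
ip vrf BRANCH
 rd 65000:1
!
! The branch WAN link terminates on the MSFC *inside the VRF*, not on the FWSM.
interface GigabitEthernet1/1
 description Fibre P2P to branch 2851-A
 ip vrf forwarding BRANCH
 ip address 10.1.1.1 255.255.255.252
!
! VLAN 100 = FWSM context "outside". It is shared by both MSFCs over the
! inter-chassis trunk, so HSRP and the OSPF adjacency between the MSFCs work.
interface Vlan100
 description BRANCH VRF <-> FWSM outside
 ip vrf forwarding BRANCH
 ip address 10.100.0.2 255.255.255.0
 standby 100 ip 10.100.0.1
 standby 100 priority 110
 standby 100 preempt
!
! VLAN 200 = FWSM context "inside", in the global routing table.
interface Vlan200
 description FWSM inside <-> campus core
 ip address 10.200.0.2 255.255.255.0
 standby 200 ip 10.200.0.1
 standby 200 priority 110
 standby 200 preempt
!
! OSPF in the VRF on the branch link *and* on VLAN 100, so each MSFC also
! learns the branch prefixes via the other MSFC when its own link is down.
router ospf 10 vrf BRANCH
 capability vrf-lite
 network 10.1.1.0 0.0.0.3 area 0
 network 10.100.0.0 0.0.0.255 area 0
 default-information originate
!
! VRF default -> FWSM outside. Nothing is leaked between VRF BRANCH and the
! global table; the firewall is the only path between branch and campus.
ip route vrf BRANCH 0.0.0.0 0.0.0.0 10.100.0.254
! Global table reaches the branch subnets only via the FWSM inside address.
ip route 10.20.0.0 255.255.0.0 10.200.0.254
!
! Hand VLANs 100 and 200 to the FWSM (assumed in slot 3).
firewall vlan-group 1 100,200
firewall module 3 vlan-group 1

! ---- FWSM system execution space: give both VLANs to one context.
context BRANCH
 allocate-interface Vlan100
 allocate-interface Vlan200
 config-url disk:/BRANCH.cfg

! ---- FWSM context BRANCH. Multiple-context mode has no dynamic routing,
! ---- so the context only ever sees the HSRP VIP as the branch next-hop.
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.100.0.254 255.255.255.0
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.200.0.254 255.255.255.0
! No NAT between branch and campus (explicit, so the choice is visible).
no nat-control
! Branch subnets live behind the VIP; HSRP/OSPF, not the FWSM, follows a link failure.
route outside 10.20.0.0 255.255.0.0 10.100.0.1 1
route inside 0.0.0.0 0.0.0.0 10.200.0.1 1
! Explicit policy in both directions: the FWSM forwards nothing without an
! ACL, including inside->outside. Server 10.200.10.5 is a placeholder.
access-list BRANCH_IN extended permit tcp 10.20.0.0 255.255.0.0 host 10.200.10.5 eq 443
access-list BRANCH_IN extended deny ip any any log
access-group BRANCH_IN in interface outside
access-list CAMPUS_OUT extended permit tcp host 10.200.10.5 10.20.0.0 255.255.0.0 eq 22
access-list CAMPUS_OUT extended deny ip any any log
access-group CAMPUS_OUT in interface inside

! ---- Branch 2851-A (fibre). 2851-B is the same on the microwave link.
interface GigabitEthernet0/0
 description Fibre P2P to HQ 6509-A
 ip address 10.1.1.2 255.255.255.252
router ospf 10
 network 10.1.1.0 0.0.0.3 area 0
 network 10.20.0.0 0.0.255.255 area 0
```

To check the failover the original poster could not get working: on 6509-A, `show ip route vrf BRANCH 10.20.0.0` should list the branch prefix with next-hop 10.1.1.2 while the fibre is up; after `shutdown` on GigabitEthernet1/1 the same prefix should reappear within the OSPF dead interval with next-hop 10.100.0.3 (6509-B over VLAN 100), and `show standby brief` should still show 10.100.0.1 active on one MSFC. The FWSM context never changes: `show route` in the context keeps the two static routes, which is the point of the design, since a context cannot track the WAN links itself. Note that this covers link failure, not chassis failure; losing a whole 6509 relies on HSRP preemption plus the FWSM failover pair, which this example does not configure.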

Thank you Giuseppe

Hi,

Thanks... I have successfully implemented it and it is running...

Thanks a lot..
