03-02-2010 12:31 PM - edited 03-11-2019 10:16 AM
Hi
I was reading this documentation
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
for doing active/active failover using PIX 8.0. But I have the impression that the concept of standby used on the PIX firewall is not the same as the one used on a Cisco router.
I think that the command
ip address active_addr netmask standby standby_addr
does not mean that standby_addr will be used as the gateway for a network, but as the IP address of the standby unit.
If I do this on the failover interface, I don't see the point of doing it for every interface or subinterface the contexts have?
Can someone explain that clearly?
Thanks
03-02-2010 12:42 PM
Hi
Another fact: if the context in the active failover group provides the configuration for the corresponding context in the standby failover group, I do not see the reason for creating a standby IP address for each interface except for those used as failover interfaces.
Please correct me if I am wrong!
thanks
03-02-2010 12:44 PM
roussillon wrote:
Hi
I was reading this documentation
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
for doing active/active failover using PIX 8.0. But I have the impression that the concept of standby used on the PIX firewall is not the same as the one used on a Cisco router.
I think that the command
ip address active_addr netmask standby standby_addr
does not mean that standby_addr will be used as the gateway for a network, but as the IP address of the standby unit.
If I do this on the failover interface, I don't see the point of doing it for every interface or subinterface the contexts have?
Can someone explain that clearly?
Thanks
You are correct in that the standby address is never used as the gateway for the clients. It is used for 2 reasons -
1) so you can connect to the standby firewall
2) so the firewalls can monitor each others state on those interfaces
You don't need to configure every interface with a standby address if you don't want to, and sometimes you don't if you are using public IP addressing on the interfaces. If you are using private addressing, I can't see any reason why you wouldn't use a standby address, to be honest.
Jon
03-02-2010 01:53 PM
Thanks
I have read the Cisco documentation again,
and the standby IP for each interface or subinterface (in the case of VLANs) is used for failover at the context level.
Quoted from the Cisco documentation:
Failover is triggered at the failover group level when one of these events occurs:
Too many monitored interfaces in the group fail.
The no failover active group group_id or failover active group group_id command is entered.
Of course we have to monitor those interfaces.
Thanks again.