Cisco IOS Firewall Cluster

Answered Question
Apr 24th, 2010

Hello,

I am new to firewalling with Cisco devices and need a point in the right direction to create a failover cluster between two C2851 (12.24T) configured as an IOS Firewall. Any information, how-tos or links would be appreciated.

Thanks

Michael

Correct Answer
Federico Coto F... Sat, 04/24/2010 - 22:52

Hi,

Not sure if this is what you're looking for, but you can configure Layer 3 redundancy with either HSRP, VRRP or GLBP to have two IOS routers work in conjunction. You can have one active and one standby, or do load-balancing, depending on the protocol chosen and the configuration.

So, having two routers with L3 redundancy allows the internal network (or VLANs) to use both routers to get out to the Internet.

If you have IOS Firewall configured, then the routers work together to provide a fall-back mechanism in case of one router failing.

If one of the two routers fails, you can have the other router assume the active role and pass all the traffic (most of the time without any interruption of service for the end users).

There are optional features like tracking interfaces, preemption and adjusting timers to improve convergence.

Is this what you're looking for?

Federico.
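
An HSRP configuration for the active/standby case described in the answer above, with the interface tracking, preemption and timer options it mentions. This is an added example, not configuration from the post: the interface names, the 192.168.10.0/24 addressing, group number 1, the priorities and the key placeholder are all assumptions.

```cisco
! Added example. Addresses, interface names, group number and key are
! constructed for illustration; adapt them to the real topology.
!
! ===== Router A (intended active) =====
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.10.2 255.255.255.0
 ! Virtual gateway address that inside hosts use as default gateway
 standby 1 ip 192.168.10.1
 ! Higher priority wins the active role (default is 100)
 standby 1 priority 110
 ! Take the active role back after recovery, but wait 60 s so routing
 ! has settled before traffic returns
 standby 1 preempt delay minimum 60
 ! Hello every 1 s, declare the peer down after 3 s (defaults are 3/10)
 standby 1 timers 1 3
 ! Authenticate HSRP hellos so a host on the LAN cannot claim the
 ! active role with a forged higher-priority hello
 standby 1 authentication md5 key-string <HSRP-KEY-PLACEHOLDER>
 ! If the outside interface goes down, drop priority by 20 (110 -> 90)
 ! so Router B (100) becomes active
 standby 1 track GigabitEthernet0/0 20
!
! ===== Router B (standby) =====
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 ! Preempt is required here so B takes over when A's tracked
 ! interface fails while A's inside interface is still up
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string <HSRP-KEY-PLACEHOLDER>
!
! HSRP does not copy configuration between the routers: the IOS
! Firewall inspection rules and ACLs (not shown) have to be entered
! identically on both, or traffic is filtered differently after a
! failover.
!
! Verify roles and tracked state on each router with:
!   show standby brief
```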
