Reg. Active-Active failover

Unanswered Question
Jul 20th, 2010
hi halijenn / experts

1) A firewall is configured in active-standby mode and I want to configure the same in active-active failover. Hence I wanted to know if we can restore the configs present in the active-standby mode (which will get lost due to the change to multiple context mode) in the active-active without any effort (or least effort). I know that when we switch to multiple context mode, the original running configuration will be saved as old_running.cfg and also that all new network configuration needs to be done in the individual contexts of the active-active; however the customer says that it is a pain and this will require a lot of effort. If not the whole config, is there a way to restore some amount of configuration from A/S to the A/A?

2) In the multiple context mode is it possible that we have the Outside interface shared among two contexts (though the outside IP addresses belonging to the 2 contexts will obviously be different) and those outside IP addresses point to the same default gateway? I know that we can have the interface shared among 2 contexts; however will we be able to point to the same gateway?

For e.g.: An organisation has Admin and Finance contexts, hence both are assigned individual contexts; however the way they access the internet is via the same ISP.

3) Is it possible that both the inside and outside interfaces be shared among 2 contexts? According to me the same is not possible; please let me know your views.

Panos Kampanakis (Cisco Employee) Tue, 07/20/2010 - 06:56

1) I am not sure I understand what the question is.

When you move from single to multi mode you are changing the config, you are making contexts, so you need to configure the new virtual contexts. Since you have a backup of the config of the ex-single mode you can copy it to the new context that you want.

If you are going from A/S to A/A while you are in multi-mode already, you are just changing what context is active and where so the config will not have any issues, they will still be in failover.

2) You can have each context point to the same gateway. That is not an issue. You might have classifier issues when you are sharing interfaces on the FWSM, but the gateway will not cause problems.

3) Sharing the inside interface is NOT recommended/supported if your internal hosts are browsing "unlimited" possible destinations. In general sharing interfaces is not recommended because it can cause classifier issues. You can make it work using identity statics, but you can't put unlimited statics for example when you are sharing the inside and your destinations are unlimited.

I hope it helps.
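As an added illustration of points 2) and 3) of the answer, and of the Active/Active layout the question title asks about, here is a constructed ASA multiple-context configuration fragment. It is not configuration posted by anyone in this thread. The interface names, context names, config-url file names, the 203.0.113.0/24 and 10.x.0.0/24 addresses and the failover-group split are all assumptions chosen for the example. The outside interface is shared by both contexts, each context has its own outside address, and both default routes point at the same gateway, which the answer says is fine; the inside interfaces are kept separate, which sidesteps the classifier problem the answer warns about for a shared inside.

```cisco
! --- System execution space (constructed example; names/addresses assumed) ---
mode multiple
! Give each context its own MAC on shared interfaces so the classifier can
! pick the context by destination MAC rather than by NAT/static entries.
mac-address auto
!
interface GigabitEthernet0/0
 description Shared outside (ISP) link
 no shutdown
interface GigabitEthernet0/1
 description Admin inside
 no shutdown
interface GigabitEthernet0/2
 description Finance inside
 no shutdown
!
! Active/Active = two failover groups; each context joins one group.
! Group 1 is normally active on the primary unit, group 2 on the secondary.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1 inside
 config-url disk0:/admin.cfg
 join-failover-group 1
context finance
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/2 inside
 config-url disk0:/finance.cfg
 join-failover-group 2

! --- Context "admin" (stored at disk0:/admin.cfg) ---
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0 standby 203.0.113.12
interface inside
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.2
! Same ISP gateway as the finance context.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! --- Context "finance" (stored at disk0:/finance.cfg) ---
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.21 255.255.255.0 standby 203.0.113.22
interface inside
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2
! Same ISP gateway as the admin context.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

The failover link and state link definitions (`failover lan interface`, `failover link`, `failover lan unit`) are left out; they are unchanged from an Active/Standby setup and live in the system execution space. On point 1), the saved single-mode configuration can be pointed to by a context's `config-url`, but only the parts that are valid inside a context (interface addressing by mapped name, routes, access lists, NAT, object groups) will load cleanly; physical interface settings, `failover` commands and other system-level lines have to be removed or moved to the system configuration first, so some editing of the copied file is unavoidable.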
