I have Cisco 7609 Switch with one FWSM installed and working perfectly. To built redundancy I am trying to connect another 7609 Switch with FWSM Module. I am using Gigethernet Port 1/45 & 1/46 for LAN Failover and I have configured to monitor the Interfaces also. It is perfectly working in Active / Standby Mode.When I made the Active FWSM to down using command reload or Physically removing the Active FWSM, another becomes active and thus my requirement is met.
But, I want this Failover to happen even at the time of links connected to the switch goes down. For example, I have a server connected to both the active and standby FWSM. When the cable between the server and switch port of the switch where Active FWSM is installed, Failover is not happening. I realised that failover is triggered only when the interface goes down. In this case VLAN is not coming down.
How to achieve the solution. Please help
I attached a netwrok sketch for your better undetstanding
This is not the way it should work.
If the server connection to the active FWSM switch fails then the server should use it's other link. The server would send the traffic to the other switch. But this switch should then just send the traffic across the L2 trunk between the 2 switches to FWSM-1. So you don't need FWSM-1 to failover if the server connection to FWSM-1 switch is lost because FWSM-1 will be still be used for the server, the traffic will just go via switch 2.
Note i'm assuming that vlan 110 is on the FWSM ie. the default-gateway of the server is on the FWSM.
Also you need to make sure that there is a L2 trunk between the switches that allows vlan 110.
Does this make sense ?
Thanks for your input. I am aggreeing your explanation.
So what i have to do is to connect configure trunk between the 7609 Switch for example from Gig 0/47 of First 7609 and second 7609. Is this correct?
I will put it more clear in this diagram attached.
If link 1 goes down as per you statement the traffic will go to second 7609 switch via link 3 & Link 7? Correct me if i am wrong.
The same case applicable to POS 3/0/0. If this link goes down, How the redundancy is built?
Can you please help me.
I guess that what you need is to use interface monitoring in order to be able to failover:
FWSM#(config)#failover interface-policy [%]
Failover Interface policy will monitor the Interface and do the action based on Up/Down status.
But in this case VLAN Interface in FWSM is not going down and stays active. For example if pos 3/0/0 goes down, Firewall Interface corresponding to Router interface (example VLAN 13) is not going down.
Then what is the use of applying monitor interface statement in the FWSM. I feel it is applicable for Hardware Appliance like PIX or ASA.
I am correct?
Here's is what I think:
interface monitoring initiates hello messages exchange on the monitored interface. If we no longer receive hello messages on monitored interfaces a network test begins which includes:
-link up/down (on vlan interface) - the vlan will be considered down if all physical interfaces are down for it.
-network activity test
In your case monitoring the inside interface will not help you as you have more than one physical interface on VLAN 110 and they all need to fail to bring vlan 110 down and consequently make the failover happen (if "failover interface-policy" is set to 1).
"For example if pos 3/0/0 goes down, Firewall Interface corresponding to Router interface (example VLAN 13) is not going down. "
It should failover considering that it is the only physical interface on VLAN 13 for each switch. I would say that because the interface policy default is 50% and you have three monitored interfaces was the reason why it didn't work. Did you try to set "failover interface-policy" to 1?
Hope it helps.
I hope you are aware that i am doing this with FWSM. It is not Appliance Firewall like ASA/PIX where we have physical interface that goes down when the device connected to it removed / powered off.
Here it is all VLAN interface which is not going down unless i remove it from firewall vlan-group configured in 6500 switch.
Also you pointed out that making POS 3/0/0 down should bring the failover. But the link up/down status of the pos 3/0/0 Interface is not reflecting in VLAN 13 which is the only SVI. Thus the firewall is no where aware that the link is down
What do to in this condition?
"I hope you are aware that i am doing this with FWSM. It is not Appliance Firewall like ASA/PIX where we have physical interface that goes down when the device connected to it removed / powered off.
I am aware of that fact. It is supposed to work that way also with FWSM. But like I said all the physical interfaces on the VLAN must be down for the VLAN itself to be considered down. Otherwise the interface monitoring would not make sense in the FWSM.
"Also you pointed out that making POS 3/0/0 down should bring the failover"
Did you try to set the "failover interface-policy" to 1 and test it?
Thanks for your involvement.
I tried configuring "failover interface-policy 1". Still the failover is not happening.
More over i like to know a point here. When Interface monitoring is configured, how the interface status is monitored. In other words, when the active FWSM try to find the reachability of standby FWSM is it using the failover Interface or Network Interfaces to send the keepalives.
I read that failover interface is used only for
1. Keepalive to test the unit status
2. ARP MAC exchange
3. Command replication