FWSM failover configuration

bapatsubodh · ‎08-10-2009

Hi,

We are in process of configuring FWSM failover. On cisco's website example is given with all the necessary commands.

I still have one doubt :(

Following is the configuration:

on FWSM

nameif 4000 failover 50

ip add failover 10.40.40.1 / 24

fail ip address failover 10.40.40.2 /24

fail lan int failover ( makes "failover" interface as failover interface and corresponding VLAN-in this case 4000 )

Now my doubt is if this VLAN 4000 is a failover interface over which all the connection tables and other signalling will be flowing for autofailover.

We will create VLAN 4000 and add it to this modeule vlan-group, by firewall vlan-group command. Do we need to add some ports to this vlan ( that is VLAN 4000) on both the switches and connect a cables between the corresponding ports.

For example : port gig2/5 will be made member of VLAN 4000 on both switches and connect a cable between these tow ports.

Or existing trunk which by default carries traffic for all VLAN's is sufficient.

Please share the experience.

Thanks in advance.

subodh

Jon Marshall · ‎08-11-2009

Subodh

"We will create VLAN 4000 and add it to this modeule vlan-group, by firewall vlan-group command. Do we need to add some ports to this vlan ( that is VLAN 4000) on both the switches and connect a cables between the corresponding ports.

For example : port gig2/5 will be made member of VLAN 4000 on both switches and connect a cable between these tow ports.

Or existing trunk which by default carries traffic for all VLAN's is sufficient."

It's really up to you. You can do it either way. What is important is if you use the existing trunk link that link must be reliable and not be overutilised as you do not want state information to be dropped.

The alternative as you say is to use another physical connection as a separate trunk and you can then use this trunk link to carry traffic for the stateful vlan and also all the other vlans for the FWSM.

Jon