Cisco Support Community
New Member

Number of interfaces needed for Stateful LAN based failover

Hello all,

We are looking to implement stateful LAN based failover using a pair of Cisco 525 PIX'es.

I plan on creating 3 interfaces, inside, outside & DMZ.

The documentation is not 100% clear on this, but I know I need another dedicated ethernet interface for the LAN-based failover.

Now to support Stateful Failover, do I need another dedicated ethernet port? This will make it a total of 5 interfaces per box, correct?

For reference, this is what I'm referring to:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a008017279d.html#1074614

Thanks,

-Peter

6 REPLIES
New Member

Re: Number of interfaces needed for Stateful LAN based failover

Actually, there are two ways of doing failover: one is using the cable that appears on the URL you mention as reference. The other is using a Fast Ethernet interface. Depending on the traffic, you could use up to 2 interfaces for failover purposes.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a0080089b52.html#37233

New Member

Re: Number of interfaces needed for Stateful LAN based failover

Thanks for the reply.

We currently use failover with two PIX-520s and the serial failover cable.

I would like to use stateful-LAN failover with 2 PIX'es located in different data centers connected via fiber.

Does this mean using only 1 dedicated ethernet interface will provide both the LAN and Stateful failover capability?

Thanks,

-Peter

New Member

Re: Number of interfaces needed for Stateful LAN based failover

In this reference you will find an explanation of which interfaces can be used and which cannot. Check this reference:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_field_notice09186a00800940f4.shtml

When you do LAN stateful failover, as I mentioned, depending on traffic, you can use only one interface or two.

Also verify these configuration examples:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb0c4.html#1002082

Re: Number of interfaces needed for Stateful LAN based failover

Hi,

However, those URLs do not tell you exactly what interface to use for the LAN-based failover. If I have a PIX 525 with 3x1000Base-SX (GE) and 2x10/100Base-T (default) network ports, I can use the 3 GEs to provide high speed connection to my Outside, DMZ and Inside networks, and still have another 2x10/100Base-T ports to be used for LAN-based failover (stateful).

Question:

Can I simply use any port for the LAN-based failover? Any restriction/limitation due to the default value of security level (0 & 100)?

Thanks

AK

New Member

Re: Number of interfaces needed for Stateful LAN based failover

After careful reading of the following document:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#1024836

I think it tells me that we can enable failover on a separate link (if available) or use it with your LAN based failover link:

! Specifies the state link interface
primary(config)# failover link interface_name
!
! Identifies the Ethernet interface for the failover link.
primary(config)# failover lan interface interface_name

So my conclusion is that we don't need another dedicated link for the stateful failover feature. We'll see if this actually works when I get the hardware in!

Thank you all for the help.

-Peter

Cisco Employee

Re: Number of interfaces needed for Stateful LAN based failover

You don't have to have a dedicated interface for the stateful failover link, but if these PIX's are busy then it's strongly suggested that you do. You don't want to run the risk of missing your failover keepalives because the link is saturated with session replication information, but as I said, if they're not that busy then you should be fine using the same interface for your LAN and stateful interfaces.

We also strongly suggest that your stateful failover link is at least as fast as the fastest interface on the PIX, so if you have GigE int's on here used for normal traffic, we suggest you use a GigE int for your stateful failover. Again, if they're not that busy you could get away with using a FastE int, but it's suggested to use the GigE.

Hope that helps, my apologies for not seeing this post earlier.
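The two layouts discussed in this thread, written out as PIX 6.3 style configuration for the primary unit. This is an added example, not taken from any poster or from Cisco's documentation; the interface names (`folink`, `state`), hardware ports, addresses and key are constructed placeholders.

```text
! Added example: names, ports, addresses and key below are placeholders.
!
! Layout A: one interface carries both the LAN-based failover
! messages and the stateful session replication.
nameif ethernet3 folink security10
interface ethernet3 100full
ip address folink 192.168.254.1 255.255.255.0
failover ip address folink 192.168.254.2
failover lan unit primary
failover lan interface folink
! Shared secret for the LAN-based failover messages; set the same
! value on both units.
failover lan key <shared-secret>
failover lan enable
! State link points at the same interface as the LAN failover link.
failover link folink
failover
!
! Layout B: the state link gets its own interface, so session
! replication cannot crowd out the failover keepalives on folink.
nameif ethernet3 folink security10
nameif ethernet4 state security20
interface ethernet3 100full
interface ethernet4 100full
ip address folink 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.0
failover ip address folink 192.168.254.2
failover ip address state 192.168.253.2
failover lan unit primary
failover lan interface folink
failover lan key <shared-secret>
failover lan enable
! State link now uses the dedicated interface.
failover link state
failover
```

The only difference between the two layouts is the interface named in `failover link`; `show failover` on either unit shows which interfaces are in use.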
