Pix Pair Without Serial Connection?

mmedwid
Level 3

Is it possible to have a stateful redundant pair of PIXes without using the serial cable? Or is it the case that some aspects of failover cannot live without the serial connection between the two members of the pair? Thanks.

Accepted Solution

a.kiprawih
Level 7

*******************

Security - Firewall

*******************

Hi,

Yes, it's possible. There is a feature called LAN-based failover that provides an alternative to serial-based firewall connectivity.

This exists because of the length/distance limitation of the serial cable.

With LAN-based failover, the distance between the PIXs is subject to the maximum LAN/Ethernet cable distance (IEEE 802.3), as long as it stays under 100 meters.

Apart from your stateful link, you need to allocate another dedicated port on each firewall for this (replacing the serial cable), and connect them to a hub or switch (same VLAN group).

The only setback with LAN-based failover is that the failover process or failure detection will be slightly slower than with the cable-based setup. Other than that, it looks very similar to the serial-cable setup.

The following URLs provide technical details and a sample config:

PIX 6.3:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1024836

PIX 7.x:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html

Rgds,

AK


4 Replies


Great, thank you. I took over a pre-existing network that appears to be configured for LAN-based failover, but they have the serial cables still attached. Trying to figure out what they were up to. I'll lab this out and try to move toward relying completely on the LAN failover.

Hi AK,

Do you have any experience doing LAN-based FO on a PIX 535 with GE where the state and failover links are on the same interface (using a switch in between)? The docs say that with a PIX 535 with Gig, GE is required for the state link. It seems like it should be okay, but the fact that the docs specify Gig makes me nervous about how it would work in times of heavy load. If you (or anyone else) have any experience with this kind of situation, your feedback is greatly appreciated.

Thanks,

Don

Hi Don,

I have tested both LAN-based and serial-based failover, but the serial cable was selected due to insufficient GE ports, plus both firewalls are installed in the same rack (stacked).

I prefer to use a separate GE, even though you can use the same GE for both functions.

The reason why GE is recommended is to enable traffic/sessions/info to be transferred to the standby unit without any (or minimal) delay. It is not wrong to use a 10/100 Mbps port, but the setback is that it'll be slower, especially when failover occurs during heavy traffic/load. That's why GE is recommended.

Rgds,

AK
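To make the two pieces of advice in this thread concrete (the accepted answer's dedicated LAN failover port on a shared hub/switch VLAN, and AK's preference above for keeping the stateful link on its own GE interface), here is an added PIX 6.3 configuration sketch. It is not from this thread or from the linked Cisco documents; the interface names (ethernet2, gb-ethernet0), the 10.1.1.0/24 and 10.1.2.0/24 addresses, and the shared key are assumptions and must be matched to the interfaces your own units report under show interface. PIX 7.x uses a different failover syntax (see the 7.x guide linked in the accepted answer), so this applies to the 6.3 train only.

```cisco
! ---- Primary unit ----
! Dedicated interface that replaces the serial failover cable.
! Both units' failover ports connect to the same hub/switch and VLAN.
interface ethernet2 100full
nameif ethernet2 failover security10
ip address failover 10.1.1.1 255.255.255.0
failover ip address failover 10.1.1.2

! Separate GE interface carrying only the stateful link, so session
! replication is not contending with failover hellos under heavy load.
! (gb-ethernet0 is an assumed name for a GE port on the 535.)
interface gb-ethernet0 1000auto
nameif gb-ethernet0 stateful security20
ip address stateful 10.1.2.1 255.255.255.0
failover ip address stateful 10.1.2.2

! LAN-based failover settings. The key authenticates failover messages
! between the peers; use your own secret, not this placeholder.
failover lan unit primary
failover lan interface failover
failover lan key SHARED-SECRET-PLACEHOLDER
failover lan enable
failover link stateful
failover

! ---- Secondary unit (bootstrap only) ----
! Only the failover interface and LAN failover settings are needed here;
! the rest of the configuration is replicated from the primary once the
! pair synchronises. The addresses are the same as on the primary: the
! standby unit takes the "failover ip address" of each interface.
interface ethernet2 100full
nameif ethernet2 failover security10
ip address failover 10.1.1.1 255.255.255.0
failover ip address failover 10.1.1.2
failover lan unit secondary
failover lan interface failover
failover lan key SHARED-SECRET-PLACEHOLDER
failover lan enable
failover
```

After both units are up, show failover on each side is the check that the LAN failover interface is the one in use and that the stateful interface is listed separately, which also answers the situation in mmedwid's follow-up (cables still attached on a pair that looks LAN-configured): if the output reports the LAN interface, that is what the pair is relying on, and the serial cable can be removed in the lab to confirm before doing so in production.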
