I currently have 3 ISPs; 2 of them are our own and the other is provided by our parent company through the WAN link. I also have two physical segments, 10.10.4.x and 10.10.8.x, and each is assigned its own Internet connection. These two segments are connected via a 2600 router (10.10.4.253, 10.10.8.253). Currently 10.10.4.x gets Internet access from FW1 and 10.10.8.x gets Internet access from FW2. What I would like to do, or find out if I can do, is set up the router to fail over to the opposite FW if one of the FWs goes down: say if FW1 goes down, 10.10.4.x Internet traffic should get routed to FW2, and vice versa. Here is my current config.
! Match everything except RFC 1918 destinations (internal routes stay on the router)
ip access-list extended int_routes
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! IOS syntax is "set ip next-hop <address>"; FW1/FW2 stand for the firewall IPs
route-map groupa permit 10
 match ip address int_routes
 set ip next-hop FW1
!
route-map groupb permit 10
 match ip address int_routes
 set ip next-hop FW2
!
! Apply the policy to the inbound interface of each segment
interface GigabitEthernet0/1
 ip policy route-map groupa
!
interface GigabitEthernet0/10
 ip policy route-map groupb
I tried to add a second next-hop to groupa with the IP address of FW2, but it didn't work; it just timed out. Let me know if I am missing something in my config.
This issue is because the outgoing interface faces a multi-access network (LAN segment).
It gives you a timeout because the address is still found in the ARP table, even if it is incomplete; the router will keep trying to find the ARP record for the failed FW until it finds it or times out (4 hours). During this time the traffic is routed to null, so the traffic is never forwarded to the second FW address.
So I guess, if you can, use two different HSRP groups on the firewalls and overlap both groups like this:
(FW1 = ACTIVE in group1 and standby in group2, FW2 = ACTIVE in group2 and standby in group1)
Then set the next-hop IP to the active FW, then the standby address, in each group (overlap).
Now you can solve the ARP issue, as one of the firewalls must reply with the active group MAC address.
Thanks for your response, but can you give me an example using the diagram for my environment? Both physical segments are split by one router, so I don't understand how HSRP would work. Please elaborate.
Sorry for that, I understood your design wrong. I was thinking that your FW is an IOS FW, and also that both FWs were connected to the same segment via different interfaces. HSRP is the ideal solution if your firewalls support HSRP and both of them are connected to the switch, or at least both switches are interconnected. If this matches your design, let me know and I will provide you with the design.