Cisco Support Community

New Member

link failover

Hi,

I have a main office with two 6509s and one branch office with two 2851 routers.

From the branch office, two links come to the head office: one is a fibre point-to-point link, the other a microwave point-to-point link. These two links we have terminated on the FWSM module on the 6509s (fibre on the primary and microwave on the secondary switch). We have configured a context on the FWSM module.

But the problem is we are not able to make the failover work. Route monitoring is configured. I am taking the fibre link down, but traffic is still not shifting to the microwave link.

Can anyone help on this? How do I configure failover on the FWSM?

5 REPLIES
Hall of Fame Super Silver

Re: link failover

Hello Goutam,

I would use a VRF on the two C6500s and I would use a routing protocol in the VRF.

On the VRF I would also put a VLAN that would connect to the outside of a context on the FWSM.

In this way you can have all the dynamic routing capabilities of the MSFC, and you would keep the branch separated from the central site with the FWSM to make a controlled communication.

On the VLAN used as outside, the two MSFCs can offer an HSRP VIP used as the IP next-hop for the IP subnets of the remote branch.

A default static route in the VRF pointing to the FWSM IP address on the outside completes the solution.

The inside interface of the FWSM context can connect to the central site and it can be the next-hop for static routes in the global routing table.

We have used this solution successfully.

On the FWSM you can control with ACLs what can be accessed by the branch IP subnets.

Hope to help

Giuseppe

Re: link failover

Hi Giuseppe,

I found this solution interesting, but I can't understand how this will provide failover from the MSFC outside perspective, I mean between the sites, not between the MSFC and the FWSM?

Also, the solution above uses a VRF to be connected to the fiber link and the global routing to be connected to the other link!!

Or do both links have to be in the VRF VLAN?

thank you

Hall of Fame Super Silver

Re: link failover

Hello Marwan,

>> both links have to be in the VRF vlan ?

Yes, this is what I was meaning:

Branch1 -------------link1----------- MSFC/VRF ---------------- FWSM(active)

Branch1 -------------link2----------- MSFC/VRF ---------------- FWSM(active)

The FWSM sees the branch IP subnets via static routes that use IP next-hop = HSRP VIP on the VRF VLAN.

By the way, it is similar to what I have proposed for Sairam in the other thread, with here the added redundancy of having two links, two C6500s and two FWSMs.

FWSM in multi-context mode doesn't support dynamic routing, so the use of the VRF allows you to use the routing capabilities of the MSFC without the risk of bypassing the FWSM firewall.

Hope to help

Giuseppe
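Giuseppe's two replies above describe the design in prose only; the following configuration fragments are an added illustration of that design and are not from any post in this thread. Every name and address in them is a constructed assumption (VRF BRANCH, VLANs 100 and 200, OSPF process 10, the 10.1.x.x transit subnets, branch subnet 192.168.10.0/24, the FWSM context addresses), and OSPF stands in for whatever routing protocol is actually used in the VRF.

```cisco
! === C6500 #1 (MSFC), primary switch; #2 mirrors this with its own addresses ===
ip vrf BRANCH
 rd 65000:1
! Branch link terminates in the VRF (fibre here; microwave on the other C6500)
interface GigabitEthernet1/1
 description P2P fibre link to branch 2851 #1
 ip vrf forwarding BRANCH
 ip address 10.1.1.1 255.255.255.252
!
! Dynamic routing with the branch lives inside the VRF, so a link failure
! is learned by the MSFCs and the branch routers without involving the FWSM
router ospf 10 vrf BRANCH
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.2.0 0.0.0.255 area 0
 default-information originate
!
! Shared VRF VLAN = outside of the FWSM context; the HSRP VIP is the FWSM's next-hop
interface Vlan100
 description Outside of FWSM context BRANCH-CTX
 ip vrf forwarding BRANCH
 ip address 10.1.2.2 255.255.255.0
 standby 1 ip 10.1.2.1
 standby 1 priority 110
 standby 1 preempt
! Default route in the VRF points at the FWSM outside address
ip route vrf BRANCH 0.0.0.0 0.0.0.0 10.1.2.10
!
! Global table: the FWSM inside address is the next-hop for the branch subnet
interface Vlan200
 description Inside of FWSM context BRANCH-CTX (global routing table)
 ip address 10.1.3.2 255.255.255.0
 standby 2 ip 10.1.3.1
ip route 192.168.10.0 255.255.255.0 10.1.3.10
!
! === FWSM context BRANCH-CTX (VLANs 100/200 allocated from the system context) ===
! "standby" addresses assume active/standby failover between the two FWSMs
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.1.2.10 255.255.255.0 standby 10.1.2.11
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.1.3.10 255.255.255.0 standby 10.1.3.11
! Static routes only: branch subnet via the HSRP VIP, everything else via the inside
route outside 192.168.10.0 255.255.255.0 10.1.2.1
route inside 0.0.0.0 0.0.0.0 10.1.3.1
! Restrict what the branch may reach at the central site
access-list BRANCH-IN extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.3.50 eq 443
access-group BRANCH-IN in interface outside
```

With this layout the fibre failure is detected by the OSPF adjacency in the VRF, not by the FWSM; `show ip route vrf BRANCH` on the MSFC should show the branch subnet moving to the microwave path while the FWSM's static routes stay unchanged.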

Re: link failover

thank you Giuseppe

New Member

Re: link failover

Hi,

Thanks, I have successfully implemented it and it is running.

Thanks a lot.
