Darren Green (Guest)
Posted: Sun Dec 11, 2005 4:56 pm
Post subject: Failover Clarification
Can someone clarify the following for me as I have read conflicting
articles. Questions refer to PIX 6.X

1) Standard Failover
Configured ordinarily with Serial cable. Serial cable replicates
firewall config between Active and Standby. This design does not provide
Stateful Failover.

2) Stateful Failover
Can be achieved in 1 of 2 ways.

Serial Cable + Crossover Cable
Using Serial cable and additional Crossover cable between Active &
Standby units. Serial cable replicates config between the 2 x units
whilst Crossover cable acts as stateful Failover link. Stateful link
requires an Ethernet connection hard coded to either 100BaseT or Gig
depending on Interfaces.

Alternatively...
LAN based Failover. LAN connection between 2 x PIX's must be via a Hub
or Switch hard coded to 100BaseT or Gig. LAN connection can be used as
Stateful connection, however, recommendation is that separate Ethernet
link between 2 x PIX's is used.
Assuming an additional Ethernet link is used for Stateful Failover, this
connection can be a crossover cable. A serial cable would not be used.

Regards
Darren
Vincent C Jones (Guest)
Posted: Mon Dec 12, 2005 6:11 pm
Post subject: Re: Failover Clarification
Darren Green <darrenfgreen@XnospamXbtopenworld.com> wrote:
> [Darren's original post, quoted in full; see above]

You seem to have forgotten to post the question?! There is nothing
contradictory about the above statements if you recognize that in any
primary/secondary failover configuration (PIX or other service) there
are multiple requirements which must be met:
1 - the backup must be able to reliably detect failure of the primary.
2 - the backup must be able to keep track of what the primary is doing.
3 - the backup must be able to distinguish between primary failure and
failure of the communications path to the primary.
The special PIX serial cable is designed to do number 1 keeping
number 3 in mind. Stateful failover requires number 2 which in turn
requires more bandwidth than the serial link can provide. LAN based
failover makes number 3 very difficult. Number 3 is non-trivial and
absolutely necessary--consider the impact of the backup taking over
while the primary is still in operation--do a search on STONITH
for the gory details (STONITH == shoot the other node in the head).
Good luck and have fun!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ  Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and
control their networking destiny
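The three requirements in Vincent's reply, as an added toy model (illustrative Python written for this page, not PIX code and not from the original posts): a standby unit that watches only the failover link cannot tell a dead peer from a dead link (requirement 3), whereas adding an independent observation path, modelled here as per-interface hello probes, lets it hold rather than take over while the primary is still running. The `Observation` fields and the `decide` function are assumptions of the model.

```python
"""Toy model of primary/standby failover arbitration (added illustration).

Not PIX code. It models the three requirements from the reply above:
  1 - detect that the primary has failed (heartbeat on the failover link),
  2 - track what the primary is doing (out of scope here: needs bandwidth),
  3 - tell "primary dead" apart from "path to primary dead".
Requirement 3 is only decidable with a second, independent observation path.
"""
from dataclasses import dataclass, field


@dataclass
class Observation:
    """What the standby sees in one polling interval (constructed input)."""
    failover_link_alive: bool                # heartbeat on serial/LAN failover link
    peer_seen_on_ifaces: dict = field(default_factory=dict)  # iface -> peer hello seen?


def decide(obs: Observation, monitor_interfaces: bool) -> str:
    """Return the standby's decision: 'standby', 'active' or 'hold'.

    monitor_interfaces=False models a design that trusts the failover link
    alone (one observation path). True adds per-interface hello probes.
    """
    if obs.failover_link_alive:
        return "standby"          # requirement 1 satisfied: primary is alive
    if not monitor_interfaces:
        # Single path: a dead link looks exactly like a dead peer, so this
        # design has to guess. Guessing "active" risks two active units
        # (split-brain), which is what STONITH schemes exist to prevent.
        return "active"
    if not obs.peer_seen_on_ifaces:
        return "hold"             # nothing independent to go on: do not guess
    if any(obs.peer_seen_on_ifaces.values()):
        # Peer still answers on a data interface: only the failover link
        # failed. Taking over here would fight a live primary.
        return "hold"
    return "active"               # no path shows the peer: it really is down


def run_scenarios(monitor_interfaces: bool) -> list:
    """Evaluate constructed scenarios; returns decisions in order."""
    scenarios = [
        Observation(True, {"inside": True, "outside": True}),    # healthy
        Observation(False, {"inside": True, "outside": True}),   # link cut only
        Observation(False, {"inside": False, "outside": False}), # peer dead
    ]
    return [decide(o, monitor_interfaces) for o in scenarios]
```

With interface monitoring the "link cut only" case yields "hold" instead of a split-brain takeover; without it the two failure cases are indistinguishable.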
Darren Green (Guest)
Posted: Mon Dec 12, 2005 7:41 pm
Post subject: Re: Failover Clarification
Vincent C Jones wrote:
> [Vincent's reply, quoted in full; see above]

Vincent,
Thank you.
I was trying to sum up what I believed I had read in various articles /
Cisco Press literature. Due to take the PIX exam soon. I was 99% there
but the additional 1% can make all the difference.
Appreciate the help.

Regards
Darren