FWSM Active/Standby configuration.
FrankGuthrie
If I have 2 firewalls, 1 active, 1 standby, and I need to create a VLAN interface on them, how can I add 2 non-duplicate IP addresses?
If I'm logging in on the 2 different firewalls, I always end up with the name of the active one and the configuration of the active one. The only reason I know I'm on the standby is by using the
#sh fail
command.
However, when looking at the running config I see the exact same config on both firewalls, which makes sense because the other will take over if 1 goes down. The problem is, when I create a new VLAN interface, do I need to do this on both firewalls, and how do I do this?
When I create the VLAN interface on the active one I'll use the following command for IP assignment:
#ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
The problem is, when logging on to the failover, I don't see the 192.168.1.2 address as the primary IP address, but I see the same IP addresses as the ones on the active firewall. This is probably because the primary is syncing to the secondary. How can I see the true/actual config on the failover?
Because when I log in on the failover and check the same VLAN interface I see
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
On the failover I would expect to see this:
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.1
Comments
EdTheLad
It's been a while since I've played with the FWSM, but from what I remember:
1) Once both FWSMs are synced, you only configure on the active.
2) When configuring the VLAN interface, the config is applied only to the active; the standby will be told what IP address to use if the active fails. The only config relevant on the standby is the config that is used to sync with the active.
3) You need to stop looking at this failover pair as 2 separate entities; once synced, it's the same logical entity.
FrankGuthrie
Hi Ed,
So I don't need to use 2 sets of IP addresses when I deploy 2 firewalls in an active/standby configuration, just 1 set of IP addresses and 2 pieces of hardware, correct?
The strange thing is that I've seen somewhere in our network we had the same setup, but the failover firewall had different IP addresses. I was told that this was done to not have duplicate IP addresses in the network. When the active fails, the failover takes over the IP addresses of the active and drops its own IP addresses.
EdTheLad
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
Assigns 192.168.1.1 to the active and 192.168.1.2 to the standby. It's possible that there is another way to set this up; it's been a year since I played with it, so I can't remember. FWSM is end-of-life, so I wouldn't waste too much time on it.
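The points in both of Ed's replies (one config, one logical entity, the standby address following whichever unit is currently standby) are easier to see with a small model of the `ip address ... standby ...` line. The following is an added example written for this page, not code from either poster or from Cisco: it parses a constructed FWSM-style interface config, derives which unit holds which address for a given active role, shows what happens after a failover, and runs the sanity checks a practitioner would want before committing (standby address present, distinct from the active address, and in the same subnet). The sample config, the function names and the findings text are all assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample running-config fragment. On a synced failover pair this
# exact text is what you see on BOTH units; the role decides which address
# each unit actually binds. Vlan30 deliberately omits a standby address.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
!
interface Vlan30
 nameif mgmt
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
"""

_IF_LINE = re.compile(r"^interface (\S+)\s*$")
_IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")


def parse_interfaces(config):
    """Map interface name -> (active_ip, mask, standby_ip or None)."""
    result = {}
    current = None
    for line in config.splitlines():
        m = _IF_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _IP_LINE.match(line)
        if m and current:
            result[current] = m.groups()
    return result


def unit_addresses(interfaces, active_unit="primary"):
    """Which address each physical unit binds, given which unit is active.

    The config never changes; only the role does. The active unit owns the
    first address, the standby unit owns the 'standby' address (or nothing).
    """
    if active_unit not in ("primary", "secondary"):
        raise ValueError("active_unit must be 'primary' or 'secondary'")
    standby_unit = "secondary" if active_unit == "primary" else "primary"
    per_unit = {"primary": {}, "secondary": {}}
    for ifname, (active_ip, _mask, standby_ip) in interfaces.items():
        per_unit[active_unit][ifname] = active_ip
        per_unit[standby_unit][ifname] = standby_ip
    return per_unit


def check_failover_config(interfaces):
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    for ifname, (active_ip, mask, standby_ip) in interfaces.items():
        net = ipaddress.IPv4Interface(f"{active_ip}/{mask}").network
        if standby_ip is None:
            findings.append(f"{ifname}: no standby address; the standby unit "
                            f"has no address of its own on this interface")
            continue
        if standby_ip == active_ip:
            findings.append(f"{ifname}: standby address equals active address "
                            f"({active_ip}); both units would bind the same IP")
        elif ipaddress.IPv4Address(standby_ip) not in net:
            findings.append(f"{ifname}: standby {standby_ip} is outside {net}")
    return findings


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    print("primary active :", unit_addresses(ifs, "primary"))
    print("after failover :", unit_addresses(ifs, "secondary"))
    for f in check_failover_config(ifs):
        print("finding:", f)
```

Running it shows the answer to the original question directly: the config line is the same on both units, and the secondary only "gets" 192.168.1.2 because it is the standby, not because its running-config says so; after a failover the former primary binds 192.168.1.2 while the text on both boxes is still unchanged. The checks are the ones to run on the one config you actually edit, since there is no separate standby config to compare against.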