[nsp] PIX 535 stateful failover
Ryan O'Connell
ryan at complicity.co.uk
Sun Jun 13 13:59:33 EDT 2004
ibr94 wrote:
>We will have two PIX 535 unrestricted, each with two Gigabit and 5 FE. The Gigabit interfaces are used for the inside and outside connections. I have read on CCO that stateful failover must use a Gigabit interface and can't use VLANs on a Gig interface.
>If I still configure stateful failover on an Ethernet interface, what will happen? Or can I use one Gigabit intf for inside and outside, and the other Gig intf for stateful failover?
If you run the failover interface at 100Mb/s and pass traffic on the GigE
interface, there's a danger that there won't be enough bandwidth
available on the 100Mb/s interface to keep the state tables in sync
between the two firewalls. I don't believe the PIX will actively prevent
you from doing this (I've never tried) but I'd strongly recommend
against it.
There's no reason - that I know of - why you couldn't run both the
inside and outside interfaces as VLANs on the same physical interface.
(There are some bizarre restrictions regarding interface naming and
security levels I've run across, but if it tries to stop you, you can
always call the inside interface something different and make it SL99
instead of SL100, which would have exactly the same effect anyway)
--
Ryan O'Connell - CCIE #8174
I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time
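A configuration along the lines Ryan describes, as an added example that is not part of the original thread: the LAN-based failover heartbeat on a FastEthernet port, the second Gigabit port dedicated to the stateful failover link, and inside/outside as VLANs on the first Gigabit port. The syntax is PIX 6.3 style; interface names, VLAN IDs, addresses and the shared key are assumptions, so check each command against the release notes for the OS actually running on the boxes.

```text
! --- Added example, not from the original post. PIX 6.3-style syntax;
! --- interface names, VLAN IDs, addresses and the key are assumed.
! Both Gigabit ports up; ethernet0 will carry the LAN-based failover heartbeat.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 100full
! Inside and outside as VLANs on the same physical Gig port (the switch port
! on the other end must be an 802.1Q trunk). VLAN 10 rides the physical
! interface, VLAN 20 is a logical subinterface.
interface gb-ethernet0 vlan10 physical
interface gb-ethernet0 vlan20 logical
nameif gb-ethernet0 outside security0
! If the release refuses the name "inside" on a logical interface, use
! another name at security99, as Ryan suggests above.
nameif vlan20 inside security100
! Second Gig port is used for nothing but the stateful failover link.
nameif gb-ethernet1 stateful security90
! FE port carries only the failover control traffic.
nameif ethernet0 fover security95
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.10.0.1 255.255.0.0
ip address stateful 172.16.1.1 255.255.255.0
ip address fover 172.16.2.1 255.255.255.0
! Standby addresses that the secondary unit takes on each interface.
failover ip address outside 192.0.2.3
failover ip address inside 10.10.0.2
failover ip address stateful 172.16.1.2
failover ip address fover 172.16.2.2
! LAN-based failover over the FE link, state replication over the Gig link.
failover lan unit primary
failover lan interface fover
failover lan key ExampleKey1
failover lan enable
failover link stateful
failover
```

The point of splitting the two links is the one made in the reply: the heartbeat is tiny and can live on a 100Mb/s port, but the state replication has to keep up with whatever the Gig data interfaces are passing, so it gets a Gig port of its own. Verify the result with `show failover`: the stateful link should show as up with connection and translation counters incrementing on the standby, and a unit failing over should carry existing TCP sessions with it.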