[c-nsp] IOS Firewall sessions
Gert Doering
gert at greenie.muc.de
Fri May 26 12:43:46 EDT 2006
Hi,
On Fri, May 26, 2006 at 09:39:13AM -0700, Brian Stiff (bstiff) wrote:
> > > IOS Firewall Failover does not allow asymmetric routing, active/active
> > > capability or load balancing.
> >
> > How is Cisco's recommendation to combine that with HSRP/GLBP?
> >
> > (where you just can't guarantee symmetric routing, in the
> > "general" case)
>
> Stateful Firewall Failover is only applicable with Active/Standby HSRP.

Even in active/standby HSRP cases, in "real world" scenarios it's hard
to guarantee symmetric routing - if a packet (for whatever reason, like
"upstream failure") ends up on the HSRP standby router, it will be
forwarded out onto the LAN...

Or did I miss the long-asked-for feature that will remove the "connected"
router for HSRP passive interfaces (to enforce symmetric routing)?

> IOS offers no capability to offer failover on any sort of active/active
> scenario, GLBP, or asymmetric routing. As I pointed out, the applicable
> use cases are limited.

Indeed.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de