[c-nsp] IOS Firewall sessions
Joe Maimon
jmaimon at ttec.com
Mon May 29 10:27:59 EDT 2006
Gert Doering wrote:
> Hi,
>
> On Fri, May 26, 2006 at 08:58:55AM -0700, Brian Stiff (bstiff) wrote:
>
>>IOS Firewall Failover does not allow asymmetric routing, active/active
>>capability or load balancing.
>
>
> How is Cisco's recommendation to combine that with HSRP/GLBP?
>
> (where you just can't guarantee symmetric routing, in the "general" case)
>
> gert
Just to clarify, IOS not allowing asymmetric routing means that CBAC
will kill packets that appear to be asymmetric, not merely "fail to
create a session allowing return". At least that was my experience.
Makes it quite hard to mix together multiple ISP customer agg points,
managed FW services and separate IGPs for customer routes and internal
routes while trying to provide redundancy to said customer.