[c-nsp] IOS Firewall sessions

Sam Stickland sam_mailinglists at spacething.org
Tue May 30 05:01:33 EDT 2006


Hi,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: 26 May 2006 17:44
> To: Brian Stiff (bstiff)
> Cc: Gert Doering; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IOS Firewall sessions
> 
> Hi,
> 
> On Fri, May 26, 2006 at 09:39:13AM -0700, Brian Stiff (bstiff) wrote:
> > > > IOS Firewall Failover does not allow asymmetric routing,
> > > active/active
> > > > capability or load balancing.
> > >
> > > How is Cisco's recommendation to combine that with HSRP/GBLP?
> > >
> > > (where you just can't guarantee symmetric routing, in the
> > > "general" case)
> >
> > Stateful Firewall Failover is only applicable with Active/Standby HSRP.
> 
> Even in active/standby HSRP cases, in "real world" scenarios it's hard
> to guarantee symmetric routing - if a packet (for whatever reason, like
> "upstream failure") ends up on the HSRP standby router, it will be
> forwarded out onto the LAN...
> 
> Or did I miss the long-asked-for feature that will remove the "connected"
> router for HSRP passive interfaces (to enforce symmetric routing)?

This sounds like quite a nice feature that would solve a lot of problems.
What do you mean by "remove"? Would it only remove it if it had an IGP
learned route for the subnet? Is there a danger of this causing routing
loops?

I assume that Cisco have no official plans to implement this yet?

Sam
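The thread's point (stateful inspection state lives on the router that saw the outbound packet, so a return packet that lands on the HSRP standby has no matching session) is easy to see in a toy model. The following is an added illustration, not Cisco code or anything from the list: two routers with independent session tables, a constructed client flow, and three scenarios. The `sync_state` switch is the model's own idealised approximation of session replication; as the quoted reply states, the real IOS Firewall failover does not support the asymmetric case, so treat that third scenario as showing what the state gap is, not as a description of supported behaviour.

```python
"""Toy model of stateful-inspection session tables across an HSRP pair.

Constructed example (not IOS code): demonstrates why a return packet that
arrives at the standby router is denied when session state exists only on
the active router, and why the thread's "remove the connected route on the
standby" idea is about forcing symmetry.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying a session; frozen so it can live in a set."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        # The return half of the same session (server -> client).
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class FirewallRouter:
    """One router with its own inspection session table."""
    name: str
    inside_prefix: str                      # e.g. "10.0.0." = trusted side
    sessions: set = field(default_factory=set)
    peer: "FirewallRouter | None" = None    # HSRP partner (hypothetical link)
    sync_state: bool = False                # idealised session replication

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def forward(self, flow: Flow) -> str:
        """Return 'permit' or 'deny' for one packet of `flow`."""
        if self.is_inside(flow.src):
            # Outbound from the trusted side: open a session entry.
            self.sessions.add(flow)
            if self.sync_state and self.peer is not None:
                self.peer.sessions.add(flow)
            return "permit"
        # Inbound: only the return half of a known session is allowed.
        return "permit" if flow.reverse() in self.sessions else "deny"


def run_scenario(return_via_standby: bool, sync: bool) -> tuple[str, str]:
    """Send one outbound packet via the active router, then its reply via
    either the active or the standby router. Returns the two verdicts."""
    active = FirewallRouter("active", "10.0.0.")
    standby = FirewallRouter("standby", "10.0.0.")
    active.peer, standby.peer = standby, active
    active.sync_state = standby.sync_state = sync

    # Constructed client flow: inside host to an external HTTPS server.
    outbound = Flow("10.0.0.5", 40000, "198.51.100.7", 443)
    first = active.forward(outbound)

    # Upstream asymmetry: the reply may come back through the standby.
    return_router = standby if return_via_standby else active
    second = return_router.forward(outbound.reverse())
    return first, second


if __name__ == "__main__":
    print("symmetric            :", run_scenario(False, False))
    print("asymmetric, no sync  :", run_scenario(True, False))
    print("asymmetric, idealised:", run_scenario(True, True))
```

The second scenario is the one Gert describes: the standby sees a packet for a session it never opened and, with inspection configured, denies it, so the connection stalls even though both routers are up. Removing the connected route from the standby would simply keep that packet from reaching it in the first place.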


