RE: [fw-wiz] PIX stateful failover and crossover cables
From: Jason Hamilton (Jason.Hamilton_at_InfoTechFL.Com)
Date: 01/21/05
- Previous message: Jason Hamilton: "Re: [fw-wiz] Once again..appliance firewall input requested"
- Maybe in reply to: mkrbeck_at_hushmail.com: "[fw-wiz] PIX stateful failover and crossover cables"
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 21 Jan 2005 17:20:34 -0500
The documentation on Cisco's site shows that the stateful failover can
be set up in 3 different ways:
From the installation guide on failover off of the CCO--
<snip>
Step 6 If you are using Stateful Failover, use one of the following types
of connections, that is appropriate for your system, between the dedicated
interfaces on the PIX Firewall units:
• Cat 5 crossover cable directly connecting the Primary unit to the
Secondary unit.
• 100BaseTX half-duplex hub using straight Cat 5 cables.
• 100BaseTX full-duplex on a dedicated switch or dedicated VLAN of a switch
<pins>
Currently I have a system deployed with that configuration (cross-over cable)
and have seen no issues with the failover capabilities.
Your mileage may vary
Jason
On Fri, Jan 21, 2005 at 02:16:42PM -0600, Crissup, John (MBNP is) wrote:
> I have seen whitepapers from Cisco about configuring a stateful failover
> link that specifically states not to use a crossover. I'm not sure why,
> wouldn't think it should matter, but they have put it in writing. I
> honestly can't remember at the moment if I created a VLAN for two ports, or
> if I just used a cross-over anyway. I'd have to go look.
>
> I would search the CCO site for how to configure the link to find the
> statement.
>
> --
> John
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Dave
> Breiland
> Sent: Wednesday, January 19, 2005 11:13 AM
> To: mkrbeck@hushmail.com
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] PIX stateful failover and crossover cables
>
> I sent the link a minute ago, but the quote resembling your question is...
>
> "A dedicated LAN interface and a dedicated switch (or VLAN) is required to
> implement LAN-based failover. You cannot use a crossover Ethernet cable to
> connect the two PIX security appliances."
>
> HOWEVER... I know that I have used crossover cables several times... and
> know many people who feel it is acceptable. It may not be best practice
> though.
>
> Dave
>
>
>
> mkrbeck@hushmail.com wrote:
>
> >I recall reading a detailed technical paper recently on the cisco site
> >where it was recommended that pix stateful interface traffic always be
> >passed thru a switch (as opposed to a x-over cable) between a pair of
> >pix chassis, regardless of whether the deployment is serial cable or
> >LAN failover, however I cannot find it again, would anyone have a link
> >for it or a copy ??
> >
> >thanks
> >Martyn Beck
--
Jason Hamilton, System Administrator | 5700 SW 34th St. Suite 1235
Info Tech, Inc. | Gainesville, FL 32608
Jason.Hamilton@InfoTechFl.com | (352)381-4400
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards