LAN-Based Failover Configuration

Feb 15,2010 by alperen


PIX Firewall version 6.2 introduces support for LAN-based failover, eliminating the need for the Failover serial cable to connect the primary and secondary units. LAN-based failover overcomes the six-foot distance limitations of the Failover cable.

A dedicated LAN interface and a dedicated switch/hub (or VLAN) is required to implement LAN-based failover. An Ethernet crossover cable can’t be used to connect the two PIX Firewalls.

Because failover messages might be transmitted over Ethernet connections that are relatively less secure than the dedicated Failover serial cable, PIX Firewall version 6.2 provides message encryption and authentication using a manual preshared key.

The four configuration-mode failover lan commands use the following syntax. Each has a no form that removes the feature.

Pix(config)# failover lan unit {primary | secondary}
Pix(config)# failover lan interface if_name
Pix(config)# failover lan key key_secret
Pix(config)# failover lan enable

enable: Enables LAN-based failover; otherwise, serial cable failover is used.

key: Enables encryption and authentication of LAN-based failover messages.

key_secret: The shared secret key used for encryption.

primary | secondary: Specifies whether the unit is the primary or the secondary PIX Firewall for LAN-based failover; the equivalent of the serial cable labels.

The basic configuration of the active firewall doesn’t change and won’t be restated here. LAN-based failover does, however, require some configuration on the standby unit, and those commands are covered here. If properly configured, the LAN-based failover configurations of the two units will differ, reflecting which is primary and which is secondary. To configure LAN-based failover, follow these steps:

  1. Don’t connect the failover LAN interfaces until told to do so.

  2. Configure the primary PIX Firewall unit as previously discussed.

  3. Still on the primary unit, connect the LAN failover interface to the network and add the following lines to configure LAN-based failover. Here lanlink is the interface (Ethernet4) used for the failover connection, and 1234567 is the key used to encrypt and authenticate traffic over the LAN failover link.

    Pix(config)# no failover
    Pix(config)# failover lan unit primary
    Pix(config)# failover lan interface lanlink
    Pix(config)# failover lan key 1234567
    Pix(config)# failover lan enable
    Pix(config)# failover

  4. Use the write memory command to save the primary unit configuration to Flash.

  5. Power on the secondary unit without the LAN-based failover interface connected. The following commands are necessary for the secondary unit to connect to the primary unit using the LAN-based failover interface. Once this connection is established, the rest of the primary unit configuration is replicated over the failover connection.

    Pix2(config)# nameif ethernet4 lanlink security20
    Pix2(config)# interface ethernet4 100full
    Pix2(config)# ip address lanlink 192.168.3.1 255.255.255.0
    Pix2(config)# failover ip address lanlink 192.168.3.2
    Pix2(config)# failover lan unit secondary                    (optional)
    Pix2(config)# failover lan interface lanlink
    Pix2(config)# failover lan key 1234567
    Pix2(config)# failover lan enable
    Pix2(config)# failover

  6. Use the write memory command to save the secondary unit configuration to Flash.

  7. Reboot both units and connect the LAN-based failover interfaces to the designated failover switch, hub, or VLAN.

  8. If any of the failover lan commands needs to be changed, disconnect the LAN-based failover interface and repeat the preceding steps.
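Because the two units must agree on the failover interface and the preshared key while disagreeing on the unit role, a small consistency check over both configurations catches the usual mistakes before the failover interfaces are connected. The following Python script is an added example, not part of the original article or any Cisco tool; the sample configurations are constructed to match the Pix and Pix2 steps above, and the parsing covers only the commands shown on this page.

```python
import re
# Constructed sample configs, modelled on the page's Pix (primary) and Pix2 (secondary) steps.
PRIMARY_CFG = """\
ip address lanlink 192.168.3.1 255.255.255.0
failover ip address lanlink 192.168.3.2
failover lan unit primary
failover lan interface lanlink
failover lan key 1234567
failover lan enable
failover
"""
SECONDARY_CFG = PRIMARY_CFG.replace("unit primary", "unit secondary")

def parse_failover_lan(cfg):
    """Pull the failover lan settings, and the interface lines they rely on, out of a PIX config."""
    s = {"unit": None, "interface": None, "key": None, "enable": False, "ip": set(), "failover_ip": set()}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) \S+ \S+$", line):
            s["ip"].add(m.group(1))
        elif m := re.match(r"failover ip address (\S+) \S+$", line):
            s["failover_ip"].add(m.group(1))
        elif m := re.match(r"failover lan unit (primary|secondary)$", line):
            s["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+)$", line):
            s["interface"] = m.group(1)
        elif m := re.match(r"failover lan key (\S+)$", line):
            s["key"] = m.group(1)
        elif line == "failover lan enable":
            s["enable"] = True
    return s

def check_pair(primary_cfg, secondary_cfg):
    """Return the problems found; empty means a consistent pair (secondary's unit line is optional)."""
    p, s = parse_failover_lan(primary_cfg), parse_failover_lan(secondary_cfg)
    problems = []
    if p["unit"] != "primary" or s["unit"] not in (None, "secondary"):
        problems.append("exactly one unit must be primary; the other secondary (or unset)")
    if not p["interface"] or p["interface"] != s["interface"]:
        problems.append("failover lan interface must be set and identical on both units")
    if not (p["key"] and s["key"]):
        problems.append("failover lan key missing: failover messages would go unauthenticated")
    elif p["key"] != s["key"]:
        problems.append("failover lan key differs between units")
    if not (p["enable"] and s["enable"]):
        problems.append("failover lan enable missing on at least one unit")
    for name, u in (("primary", p), ("secondary", s)):
        ifc = u["interface"]
        if ifc and not (ifc in u["ip"] and ifc in u["failover_ip"]):
            problems.append(f"{name}: {ifc} needs both 'ip address' and 'failover ip address'")
    return problems
```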

