Failover Clarification

Can someone clarify the following for me as I have read conflicting articles. Questions refer to PIX 6.X

1) Standard Failover

Configured ordinarily with Serial cable. Serial cable replicates firewall config between Active and Standby. This design does not provide Stateful Failover.

2) Stateful Failover

Can be achieved in 1 of 2 ways.

Serial Cable + Crossover Cable

Using Serial cable and additional Crossover cable between Active & Standby units. Serial cable replicates config between the 2 x units whilst Crossover cable acts as stateful Failover link. Stateful link requires an Ethernet connection hard coded to either 100BaseT or Gig depending on Interfaces.

Alternatively...

LAN based Failover. LAN connection between 2 x PIX's must be via a Hub or Switch hard coded to 100BaseT or Gig. LAN connection can be used as Stateful connection, however, recommendation is that separate Ethernet link between 2 x PIX's is used.

Assuming an additional Ethernet link is used for Stateful Failover, this connection can be a crossover cable. A serial cable would not be used.

Regards

Darren

Darren Green

You seem to have forgotten to post the question?! There is nothing contradictory about the above statements if you recognize that in any primary/secondary failover configuration (PIX or other service) there are multiple requirements which must be met:

1 - the backup must be able to reliably detect failure of the primary.

2 - the backup must be able to keep track of what the primary is doing.

3 - the backup must be able to distinguish between primary failure and failure of the communications path to the primary.

The special PIX serial cable is designed to do number 1 keeping number 3 in mind. Stateful failover requires number 2 which in turn requires more bandwidth than the serial link can provide. LAN based failover makes number 3 very difficult. Number 3 is non-trivial and absolutely necessary--consider the impact of the backup taking over while the primary is still in operation--do a search on STONITH for the gory details (STONITH == shoot the other node in the head).

Good luck and have fun!

Vincent C Jones
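As an added illustration (not from the thread, and not how the PIX itself implements failover) of why requirement 3 above matters, this Python model feeds a standby-side detector constructed heartbeat results over one or two independent monitoring paths. It abstracts the serial and LAN links as named paths, uses a hypothetical three-miss threshold before a path is declared dead, and leaves out the stateful link (requirement 2) entirely.

```python
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    PRIMARY_UP = "primary answering on at least one path"
    TAKE_OVER = "primary silent on every independent path: standby becomes active"
    HOLD = "a path is silent but the cause is unknown: stay standby, raise alarm"

@dataclass
class StandbyMonitor:
    """Standby-side failure detector fed one heartbeat result per poll.
    paths: independent monitoring paths, e.g. ('serial', 'lan').
    misses_to_fail: hypothetical threshold; PIX timing follows its own poll settings."""
    paths: tuple[str, ...]
    misses_to_fail: int = 3
    misses: dict[str, int] = field(default_factory=dict)

    def poll(self, heard: dict[str, bool]) -> Verdict:
        # Requirement 1: detect silence per path over several polls, not a single one.
        for p in self.paths:
            self.misses[p] = 0 if heard.get(p, False) else self.misses.get(p, 0) + 1
        dead = [p for p in self.paths if self.misses[p] >= self.misses_to_fail]
        if not dead:
            return Verdict.PRIMARY_UP
        # Requirement 3: only agreement of two or more independent paths separates
        # "the primary is down" from "the path I am listening on is down".
        # Taking over on a single silent path risks two active units (split brain).
        if len(dead) == len(self.paths) and len(self.paths) >= 2:
            return Verdict.TAKE_OVER
        return Verdict.HOLD

def run_scenario(paths, timeline):
    """Feed a list of per-poll heartbeat dicts and return the final verdict."""
    mon = StandbyMonitor(paths)
    verdict = Verdict.PRIMARY_UP
    for heard in timeline:
        verdict = mon.poll(heard)
    return verdict

# Constructed scenarios (not captured from real hardware).
SILENT = {"serial": False, "lan": False}
PRIMARY_CRASH = [{"serial": True, "lan": True}] + [SILENT] * 3
SERIAL_CABLE_PULLED = [{"serial": False, "lan": True}] * 4
LAN_ONLY_SWITCH_DIES = [{"lan": False}] * 4

if __name__ == "__main__":
    print(run_scenario(("serial", "lan"), PRIMARY_CRASH))        # TAKE_OVER
    print(run_scenario(("serial", "lan"), SERIAL_CABLE_PULLED))  # HOLD
    print(run_scenario(("lan",), LAN_ONLY_SWITCH_DIES))          # HOLD
```

The third scenario is the LAN-only case: the standby hears nothing, but with one path it cannot tell a dead primary from a dead switch, so it holds rather than risk two active units.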

Vincent,

Thank you.

I was trying to sum up what I believed I had read in various articles / Cisco Press literature. Due to take the PIX exam soon. I was 99% there but the additional 1% can make all the difference.

Appreciate the help.

Regards

Darren

Darren Green
