Firewall Wizards mailing list archives

RE: PIX stateful failover and crossover cables


From: Jason Hamilton <Jason.Hamilton () InfoTechFL Com>
Date: Fri, 21 Jan 2005 17:20:34 -0500

The documentation on Cisco's site shows that the stateful failover can
be set up in 3 different ways:
 
From the installation guide on failover off of the CCO--
 
<snip>
Step 6 If you are using Stateful Failover, use one of the following types
of connections, that is appropriate for your system, between the dedicated
interfaces on the PIX Firewall units:

• Cat 5 crossover cable directly connecting the Primary unit to the
Secondary unit.

• 100BaseTX half-duplex hub using straight Cat 5 cables.

• 100BaseTX full-duplex on a dedicated switch or dedicated VLAN of a switch
<pins>
 
Currently I have a system deployed with that configuration (cross-over cable)
and have seen no issues with the failover capabilities.
 
 
Your mileage may vary
 
Jason


On Fri, Jan 21, 2005 at 02:16:42PM -0600, Crissup, John (MBNP is) wrote:
 I have seen whitepapers from Cisco about configuring a stateful failover
link that specifically state not to use a crossover.  I'm not sure why,
wouldn't think it should matter, but they have put it in writing.  I
honestly can't remember at the moment if I created a VLAN for two ports, or
if I just used a cross-over anyway.  I'd have to go look.

  I would search the CCO site for how to configure the link to find the
statement.

--
John


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Dave
Breiland
Sent: Wednesday, January 19, 2005 11:13 AM
To: mkrbeck () hushmail com
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX stateful failover and crossover cables

I sent the link a minute ago, but the quote resembling your question is...

"A dedicated LAN interface and a dedicated switch (or VLAN) is required to
implement LAN-based failover. You cannot use a crossover Ethernet cable to
connect the two PIX security appliances."

HOWEVER... I know that I have used crossover cables several times... and
know many people who feel it is acceptable.  It may not be best practice
though.

Dave



mkrbeck () hushmail com wrote:

I recall reading a detailed technical paper recently on the Cisco site
where it was recommended that PIX stateful interface traffic always be
passed thru a switch (as opposed to a x-over cable) between a pair of
PIX chassis, regardless of whether the deployment is serial cable or
LAN failover, however I cannot find it again, would anyone have a link
for it or a copy?

thanks
Martyn Beck



-- 
Jason Hamilton, System Administrator    |   5700 SW 34th St. Suite 1235
Info Tech, Inc.                         |   Gainesville, FL 32608
Jason.Hamilton () InfoTechFl com           |   (352)381-4400 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

