Configuration Steps

Two protocols that help in attaining redundancy between two FWSMs are a failover protocol, and a logical update (LU) protocol. The failover protocol monitors the health of both FWSMs and their interfaces at fixed intervals, whereas the LU protocol ensures the replication of the connection table to the Secondary unit, to maintain the data flow of existing connections upon failover. Work through the following steps to configure Failover:

Step 1.
Be sure to fulfill the minimum requirements.

Before attempting to configure for Failover, you must fulfill the following minimum requirements for it to operate correctly:

  1. Both FWSMs must be running the same version of FWSM software.

  2. Both must have the same number of VLANS mapped from the switch. Also be sure to configure the same number of interfaces on both units.

  3. Both units must be Layer 2 adjacent on all their interfaces. In other words, all interfaces must be capable of exchanging Layer 2 broadcast packets (Address Resolution Protocol [ARP] and so on) between each other, as the failover protocol packets cannot be routed.

  4. When running in multiple mode, both modules must have the same licensing characteristics, for example, the number of contexts. (This is not applicable for FWSM 1.x.)

  5. Both modules must run in the same mode; a single mode unit cannot be paired with a multiple mode unit. (This is not applicable for FWSM 1.x.)

  6. Both firewalls must agree on operating either as routed or transparent. (This is not applicable for FWSM 1.x.)



Step 2.
Configure two additional VLANs on the switch and map them to FWSM for the failover interface and the stateful failover link.

You must create a VLAN on the switch and map this VLAN to the failover interface of both the primary and secondary FWSMs. If your FWSMs are in different chassis, you must configure a trunk link to carry the VLAN to the other switch. If the FWSM modules are in the same chassis, be sure to map the VLANs that you have created to both of the FWSMs. The same applies to the stateful failover link. It is strongly recommended to create two separate VLANs, one for the failover interface and one for the stateful failover link. In native IOS, you create a Layer 2 VLAN with the vlan command in configuration mode. In hybrid mode, you do the same with the set vlan command.

The LU protocol can generate large amounts of traffic (up to 700 Mbps). If the failover LAN interface and the stateful failover link share a VLAN, it is difficult to guarantee output queue servicing for the failover protocol during congestion, and missed failover hellos can trigger an unwanted failover. For instance, VLAN 100 could be dedicated to carrying the LU traffic, while VLAN 101 carries the failover protocol. Both VLANs can be carried between the two switches on an 802.1Q trunk.



Step 3.
Configure the failover LAN interface and the failover link.

For failover to operate on the FWSM, a failover communication interface must be configured. This is the LAN interface over which failover protocol packets travel. To configure stateful failover, use the same interface or a different one to carry LU traffic. In the previous step, you configured the VLANs for the failover interface and the stateful failover link; execute show vlan on both FWSMs to confirm that both VLANs (among the others) have been downloaded to the FWSM. Once the VLANs are downloaded, you can configure the failover interfaces with the following commands if you are running an FWSM version earlier than 2.x:

nameif VLAN_NUMBER interface_name security_level
ip address interface_name IP_address netmask
failover lan interface <if_name>
failover link <if_name>
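The following worked configuration ties Steps 2 and 3 together. It is an added illustration, not the book's Example 4-16: the switch side uses native IOS, the FWSM side uses the FWSM 1.x command forms listed above, and it follows Step 2's suggestion of VLAN 100 for LU traffic and VLAN 101 for the failover protocol alongside the inside VLAN 10 and outside VLAN 30. The module slot numbers, the trunk port, the interface names (folink, lulink) and every IP address are constructed assumptions.

```cisco
! ===== Catalyst 6500 supervisor, native IOS (constructed example) =====
! Step 2: Layer 2 VLANs for the data interfaces and the two failover VLANs
vlan 10
 name inside
vlan 30
 name outside
vlan 100
 name fwsm-stateful-link
vlan 101
 name fwsm-failover-lan
!
! Map all four VLANs to the FWSM in slot 3 (slot number assumed)
firewall vlan-group 1 10,30,100,101
firewall module 3 vlan-group 1
!
! Only needed when the secondary FWSM sits in another chassis:
! carry the failover VLANs to the other switch on an 802.1Q trunk
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,30,100,101
!
! ===== Primary FWSM, single mode, FWSM 1.x syntax (constructed example) =====
! Step 3: name each downloaded VLAN and give it an active and a standby address
nameif vlan10 inside security100
nameif vlan30 outside security0
nameif vlan101 folink security10
nameif vlan100 lulink security20
ip address inside 10.1.1.1 255.255.255.0
ip address outside 192.0.2.1 255.255.255.0
ip address folink 10.255.1.1 255.255.255.0
ip address lulink 10.255.2.1 255.255.255.0
! Standby addresses: the secondary unit uses these until it takes over
failover ip address inside 10.1.1.2
failover ip address outside 192.0.2.2
failover ip address folink 10.255.1.2
failover ip address lulink 10.255.2.2
! Failover protocol on VLAN 101, LU (stateful) replication on VLAN 100
failover lan unit primary
failover lan interface folink
failover link lulink
failover
!
! ===== Secondary FWSM: only the failover interface is configured by hand =====
! (the rest of the configuration is replicated from the primary)
nameif vlan101 folink security10
ip address folink 10.255.1.1 255.255.255.0
failover ip address folink 10.255.1.2
failover lan unit secondary
failover lan interface folink
failover
```

After enabling failover on both units, show failover on each FWSM should report the local unit as Active (primary) or Standby (secondary) with the failover LAN interface and the stateful link both up; if the secondary cannot see the primary's hellos on VLAN 101, re-check that the VLAN is in the module's vlan-group and allowed on the inter-chassis trunk, since failover packets are not routable.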

Example 4-16 shows the primary FWSM's configuration in single mode with the inside VLAN 10, the outside VLAN 30, and the failover VLAN 400, using FWSM version 1.x.