Cable-based and LAN-based Configurations

Cable-based (serial) and LAN-based configurations dictate how the primary and secondary firewalls are linked together to provide failover support. The following provides an overview of each.

Both cable-based and LAN-based configurations support stateful failover solutions.

Cable-based Configurations

A cable-based configuration ”also known as serial-based ”requires a special serial cable from Cisco to connect the firewalls. The cable can be up to 6 feet in length and connects the dedicated failover port on the PIX models 515 and above. Before software version 5.2, the maximum speed that software provided across the serial cable was only 9.6Kbps; however, it's now 115Kbps.

This connection provides a means to replicate RAM information from the active to the standby firewall and provides detection of power loss on the other side. However, the limiting factor for this setup is that the distance between the firewalls can be only 6 feet.

The special Cisco serial cable allows the detection of power on the other firewall. The cable is also labeled with the words "primary" and "secondary" to make installation easy.

LAN-based Configurations

A LAN-based configuration has been introduced in version 6.2 of the PIX firewall software. This enables the use of a dedicated Ethernet interface to perform the same functions as the serial cable-based configuration does. However, you are no longer restricted by the 6- foot distance limitation.

Some restrictions do exist when using LAN-based configurations. The two interfaces dedicated for LAN-based failover must be on the same subnet, so the two firewalls can't travel through a router. Another limitation is that the interface is completely dedicated to the failover monitoring and configuration and therefore should not be on the same LAN/broadcast domain as any other device. When linking the two firewalls, you must use a dedicated hub, switch, or VLAN. Please note that you cannot use a CAT 5 crossover cable for this connection. Figure 11.3 shows a typical LAN-based failover configuration.

Figure 11.3. A LAN-based configuration.

graphics/11fig03.gif

The LAN-based connection must be through a dedicated hub, switch, or VLAN on a switch ”do not use a crossover cable.

Hardware and Software Requirements

Providing firewall failover capabilities involves several basic hardware and software requirements. The firewalls must have the following:

Same PIX firewall hardware models
Same amount of RAM memory
Same amount of flash memory
Same type and number of interfaces
Special serial cable (optional)
Same version of software
Same activation keys for DES or 3DES

When configuring for failover, firewall models need to be exactly the same all the way down to their memory sizes.

Hardware

The PIX firewalls need to have the same hardware models for failover to work properly, but failover support is not available on all models. The 501, 506, and 506E do not support failover functionality; only the 515 and above models do.

Software

Software on the two firewalls also needs to be the same version number; otherwise , failover might not work properly.

Every model of the PIX firewall, including the 501, uses the same software ”activation keys just enable extra features within the software. However, you still cannot use failover on the lower models.

Licensing

Activations keys also need to be installed to enable the failover functionality of the software. Cisco has several licensing features for failover, as listed in Table 11.1.

Table 11.1. Licenses

License	Description
UR	The unrestricted license must be used on the primary (active) firewall and can optionally be used on the secondary (standby) firewall.
FO	The failover license is used for secondary standby modes only.
R	The restricted license cannot be used for either the primary or secondary firewall.