Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

HSRP with Zone Based Firewall

Status
Not open for further replies.
creeping666

creeping666

Technical User
Jan 21, 2009
24
NZ
Hi, pretty much the title says it all. Is it possible to run HSRP while using the zone based firewall or do you have to use CBAC?
Two routers I will be using: 881 and 877.

The only info I could find was a bit confusing. see below...



"Note: High Availability Stateful Failover supports only Cisco IOS Classic Firewall and does not support Cisco IOS Zone-Based Firewall."

found at:


20100518105337.png


found at:



"Cisco IOS Classic Firewall introduced active-standby stateful failover in Cisco IOS Software Release 12.4(6)T. Active-standby stateful failover is applied with stateful switchover, a component of HSRP that provides for synchronization of state information for services that offer stateful failover. Thus, Cisco IOS Classic Firewall stateful failover is generally limited to platforms offering stateful switchover capability"

found at:

So is HSRP a part of active-standby stateful failover or is active-standby stateful failover part of HSRP or are they complete different things?

I don't have these routers in place yet so I can not do any testing and would like to pre-configure them.

Thanks.
 
Sort by date Sort by votes
What those are saying is that active-standby in routers cannot synch the stateful info for tcp/udp connections, like ASA's can. The diagrams in those links are not HSRP---HSRP involves 3 routers and a switch---when the failover occurs, users still send traffic out the trusted zone in the third router which has the ZBF in it. Both of the interfaces going into the third router (one each from each router) can belong to the same trusted zone. So I say yes---and that doc is not about HSRP. I am not sure what they mean by stateful failover, but it seems that one router cannot pass its stateful info to another router via the heartbeat link like an ASA can...they want you to buy an ASA for failover and the router to route, in other words---sales ploy...lol

So yes---HSRP and ZBF should jive, as long as the ZBF is in the third router.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat 1
Replies
1
Views
463
BIS
BIS
inlsp05
  • Locked
  • Question
2811 ios start with cf
Replies
0
Views
142
inlsp05
inlsp05
khashyar2021
  • Locked
  • Question
Problem with cisco switch after upgrading
Replies
1
Views
208
Geraldine Souza
Geraldine Souza
Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
163
burtsbees
burtsbees
Collab_Guy
  • Locked
  • Question
Anyone using automation with their CUCM?
Replies
1
Views
142
kyle555
kyle555

Part and Inventory Search

Sponsor

Back
Top