Cisco IOS Software Release 12.4(6)T
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco IOS Firewall Stateful Failover
First Published: February 27, 2006
Last Updated: February 27, 2006
Stateful failover for the Cisco IOS firewall enables a router to continue processing and forwarding
firewall session packets after a planned or unplanned outage occurs. You employ a backup (secondary)
router that automatically takes over the tasks of the active (primary) router if the active router loses
connectivity for any reason. This process is transparent and does not require adjustment or
reconfiguration of any remote peer.
Stateful failover for the Cisco IOS firewall is designed to work in conjunction with stateful switchover
(SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks,
ensuring that user traffic immediately and transparently recovers from failures in network edge devices
or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface
goes down, the whole router is deemed to be down and ownership of firewall sessions is passed to the
standby router (which transitions to the HSRP active state). SSO allows the active and standby routers
to share firewall session state information so that each router has enough information to become the
active router at any time. To configure stateful failover for the Cisco IOS firewall, a network
administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach
links to specific feature documentation in this module and to see a list of the releases in which each feature is
supported, use the
.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at
. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.