Cisco Catalyst 6500 Series Firewall Services Module Troubleshooting Guide

If the primary unit is in multiple context mode, the secondary unit must also be in multiple context mode. You
do not need to configure the firewall mode of the security contexts on the secondary unit because the failover
and state links reside in the system context. The secondary unit obtains the security context configuration
from the primary unit.
Note: The mode command does not get replicated to the secondary unit.
Note: Multicast is not supported in the multiple context mode of the security appliance. Refer to the
Unsupported Features section for more information.
Software Requirements
The two units in a failover configuration must have the same major (first number) and minor (second number)
software version. However, you can use different versions of the software during an upgrade process. For
example, you can upgrade one unit from Version 3.1(1) to Version 3.1(2) and have failover remain active.
Cisco recommends that you upgrade both units to the same version to ensure long-term compatibility.
Minimal FWSM Configuration for Stateful Failover
Primary FWSM
failover lan unit primary
failover lan interface if_name vlan vlan
failover interface ip if_name ip_addr mask standby ip_addr
failover link if_name vlan vlan
failover interface ip if_name ip_addr mask standby ip_addr
Secondary FWSM
failover lan unit secondary
failover lan interface if_name vlan vlan
failover interface ip if_name ip_addr mask standby ip_addr
failover link if_name vlan vlan
failover interface ip if_name ip_addr mask standby ip_addr
For more information on how to configure Active and Standby failover, refer to Configuring Active/Standby
Failover.
Minimal Switch Configuration
The VLANs sent to the primary FWSM by the Catalyst that contains the primary must match the
VLANs sent to the secondary FWSM by the Catalyst that contains the secondary. (Output of the
show run | i firewall command must be identical.)
Primary Chassis
cat6k-7(config)#do sh run | i fire
firewall multiple-vlan-interfaces
firewall module 9 vlan-group 1
firewall vlan-group 1  3,4,100-106
Secondary Chassis
cat6k-7(config)#do sh run | i fire
firewall multiple-vlan-interfaces
firewall module 9 vlan-group 1
firewall vlan-group 1  3,4,100-106
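One way to check the "must match" rule above before enabling failover, as an added example that is not part of the Cisco guide: the script parses the show run | i firewall output from each chassis and compares the VLANs each FWSM slot actually receives. Comparing the expanded VLAN set per slot instead of the raw text is an assumption of this example, and the drifted secondary output is constructed.

```python
import re

MINUS = "\u2212"  # PDF and web copies often carry this instead of an ASCII hyphen

def expand(spec):
    """Expand a list such as '3,4,100-106' into a set of integers."""
    out = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(text):
    """Return (multiple_vlan_interfaces, {module slot: VLAN set}) from the output."""
    multi, groups, modules = False, {}, {}
    for line in text.replace(MINUS, "-").splitlines():
        line = line.strip()
        if line == "firewall multiple-vlan-interfaces":
            multi = True
        elif m := re.fullmatch(r"firewall vlan-group (\d+)\s+(\S+)", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.fullmatch(r"firewall module (\d+) vlan-group (\S+)", line):
            modules.setdefault(int(m[1]), set()).update(expand(m[2]))
    # Resolve each slot's vlan-group numbers to the VLANs those groups contain.
    vlans = {slot: set().union(*(groups.get(g, set()) for g in gids))
             for slot, gids in modules.items()}
    return multi, vlans

def compare(primary, secondary):
    """List the differences between the two chassis; an empty list means they match."""
    (p_multi, p), (s_multi, s) = parse(primary), parse(secondary)
    issues = []
    if p_multi != s_multi:
        issues.append("multiple-vlan-interfaces set on one chassis only")
    for slot in sorted(p.keys() | s.keys()):
        for side, extra in (("primary", p.get(slot, set()) - s.get(slot, set())),
                            ("secondary", s.get(slot, set()) - p.get(slot, set()))):
            if extra:
                issues.append(f"module {slot}: VLANs only on {side}: {sorted(extra)}")
    return issues

PRIMARY = """\
firewall multiple-vlan-interfaces
firewall module 9 vlan-group 1
firewall vlan-group 1  3,4,100-106
"""
# Constructed drift for illustration: VLAN 106 is missing on the secondary chassis.
SECONDARY_DRIFT = PRIMARY.replace("100-106", "100-105")
print(compare(PRIMARY, SECONDARY_DRIFT))
```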