Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
The Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls feature supports high availability (HA) based on redundancy groups (RGs) on IPv6 firewalls. This feature enables you to configure pairs of devices to act as backup for each other. This feature can be configured to determine the active device based on a number of failover conditions. This feature supports the FTP66 application-layer gateway (ALG) for IPv6 packet inspection.
This module provides information about Box-to-Box (B2B) HA support and describes how to configure this feature.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interfaces attached to a firewall must have the same redundant interface identifier (RII).
- Active and standby devices must have the same zone-based policy firewall configuration.
- Active and standby devices must run on identical versions of Cisco software. The active and standby devices must be connected through a switch.
  The box-to-box (B2B) configuration on both active and standby devices should be the same because there is no autosynchronization of the configuration between these devices.
- For asymmetric routing traffic to pass, you must configure the pass action for the class-default class. Class-default class is a system-defined class map that represents all packets that do not match any of the user-defined classes in a policy.
- If you configure a zone pair between two LAN interfaces, ensure that you configure the same redundancy group (RG) on both interfaces. The zone pair configuration is not supported if LAN interfaces belong to different RGs.
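Because the configuration is not synchronized between the peers, these prerequisites are worth checking mechanically. The following audit script is an added example, not Cisco code: it compares two configuration texts for RII mismatches, firewall policy drift, LAN zone pairs split across RGs, and a missing pass action on class-default when asymmetric routing is enabled. The sample configurations, interface names, and finding labels are constructed, and the script assumes both devices use the same interface names.

```python
# Constructed sample configs (not from a real device); the standby copy is made to drift.
ACTIVE_CFG = """\
interface GigabitEthernet0/0/1
 zone-member security z1
 redundancy rii 100
 redundancy group 1 ipv6 2001:DB8:1::1/64 exclusive decrement 50
interface GigabitEthernet0/0/2
 zone-member security z2
 redundancy rii 200
 redundancy group 2 ipv6 2001:DB8:2::1/64 exclusive decrement 50
interface GigabitEthernet0/0/3
 zone-member security z3
 redundancy rii 360
 redundancy asymmetric-routing enable
class-map type inspect match-any ipv6-class
 match protocol tcp
policy-map type inspect ipv6-policy
 class type inspect ipv6-class
  inspect
 class class-default
  drop
zone-pair security lan-to-lan source z1 destination z2
 service-policy type inspect ipv6-policy
"""
STANDBY_CFG = (ACTIVE_CFG.replace("redundancy rii 100", "redundancy rii 101")
               .replace("match protocol tcp", "match protocol ftp"))
FIREWALL_BLOCKS = ("class-map ", "policy-map ", "parameter-map ", "zone security ", "zone-pair ")

def parse_blocks(config):
    """Map each top-level command to the list of its stripped sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def interface_facts(blocks):
    """Per interface: RII, redundancy groups, security zone, asymmetric-routing flag."""
    facts = {}
    for header, body in blocks.items():
        if header.startswith("interface "):
            words = [line.split() for line in body]
            facts[header.split(None, 1)[1]] = {
                "rii": next((w[2] for w in words if w[:2] == ["redundancy", "rii"]), None),
                "rgs": {w[2] for w in words if w[:2] == ["redundancy", "group"]},
                "zone": next((w[2] for w in words if w[:2] == ["zone-member", "security"]), None),
                "asym": ["redundancy", "asymmetric-routing", "enable"] in words,
            }
    return facts

def audit(active_cfg, standby_cfg):
    """Return the prerequisite violations found in a B2B pair's configurations."""
    a, s = parse_blocks(active_cfg), parse_blocks(standby_cfg)
    fa, fs = interface_facts(a), interface_facts(s)
    findings = []
    for name in sorted(fa.keys() & fs.keys()):      # same RII on paired interfaces
        if fa[name]["rii"] != fs[name]["rii"]:
            findings.append(f"rii-mismatch {name}")
    for header in sorted(a.keys() | s.keys()):      # identical firewall configuration
        if header.startswith(FIREWALL_BLOCKS) and a.get(header) != s.get(header):
            findings.append(f"policy-drift {header}")
    for label, blocks, facts in (("active", a, fa), ("standby", s, fs)):
        asym = any(info["asym"] for info in facts.values())
        zone_rgs = {}
        for info in facts.values():
            if info["zone"]:
                zone_rgs.setdefault(info["zone"], set()).update(info["rgs"])
        for header, body in blocks.items():
            words = header.split()
            if words[:2] == ["zone-pair", "security"] and {"source", "destination"} <= set(words):
                src = zone_rgs.get(words[words.index("source") + 1], set())
                dst = zone_rgs.get(words[words.index("destination") + 1], set())
                if src and dst and src != dst:       # LAN-LAN zone pair split across RGs
                    findings.append(f"{label}: zone-pair-rg-split {words[2]}")
            if asym and header.startswith("policy-map type inspect "):
                if not any(cmd == "class class-default" and body[n + 1:n + 2] == ["pass"]
                           for n, cmd in enumerate(body)):   # asymmetric routing needs pass
                    findings.append(f"{label}: class-default-not-pass {words[3]}")
    return findings
```

Calling `audit(ACTIVE_CFG, STANDBY_CFG)` on the constructed pair reports six findings; a pair that meets the prerequisites returns an empty list.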
Restrictions for Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Only IPv4 is supported at box-to-box (B2B) interlink interfaces.
  Multiprotocol Label Switching (MPLS) and virtual routing and forwarding (VRF) are not supported.
- Cisco ASR 1006 and 1013 Aggregation Services Routers with dual Embedded Services Processors (ESPs) or dual Route Processors (RPs) in the chassis are not supported, because coexistence of interbox high availability (HA) and intrabox HA is not supported.
  Cisco ASR 1006 and Cisco ASR 1013 Aggregation Services Routers with single ESP and single RP in the chassis support interchassis redundancy.
- If the dual IOS daemon (IOSd) is configured, the device will not support the firewall stateful interchassis redundancy configuration.
- Stateless Network Address Translation 64 (NAT64) with IPv6 firewalls is not supported.
Information About Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
Zone-Based Policy Firewall High Availability Overview
High availability enables network-wide protection by providing fast recovery from faults that may occur in any part of a network. High availability enables rapid recovery from disruptions to users and network applications.
The zone-based policy firewall supports active/active and active/standby high availability failover and asymmetric routing.
The active/active failover allows both devices involved in the failover to forward traffic simultaneously.
When active/standby high availability failover is configured, only one of the devices involved in the failover handles the traffic at one time, while the other device is in a standby mode, periodically synchronizing session information from the active device.
Asymmetric routing supports the forwarding of packets from a standby redundancy group to an active redundancy group for packet handling. If this feature is not enabled, the return TCP packets forwarded to the device that did not receive the initial synchronization (SYN) message are dropped because they do not belong to any known existing session.
Box-to-Box High Availability Operation
You can configure pairs of devices to act as hot standbys for each other. Redundancy is configured per interface. Pairs of redundant interfaces are known as redundancy groups (RGs). Figure 1 depicts an active/active failover scenario. It shows how two redundancy groups are configured for a pair of devices that have two outgoing interfaces.
The redundant devices are joined by a configurable control link, a data synchronization link, and an interlink interface. The control link is used to communicate the status of the devices. The data synchronization link is used to transfer stateful information from the firewall and to synchronize the stateful database. The pairs of redundant interfaces are configured with the same unique ID number, known as the redundant interface identifier (RII). The routing table is not synced from active to standby.
Asymmetric routing is supported as part of the firewall HA. In a LAN-WAN scenario, where the return traffic enters standby devices, asymmetric routing is supported. To implement the asymmetric routing functionality, configure both the redundant devices with a dedicated interface (interlink interface) for asymmetric traffic. This dedicated interface will redirect the traffic coming to the standby WAN interface to the active device.
The hello time defaults to three seconds to align with the Hot Standby Router Protocol (HSRP), and the hold time defaults to 10 seconds. You can also configure these timers in milliseconds by using the timers hellotime msec command.
To determine which pairs of interfaces are affected by the switchover, you must configure a unique ID for each pair of redundant interfaces. This ID is the RII that is associated with the interface.
Reasons for Switchover
Another factor that can cause a switchover is the priority setting that can be configured on each device. The device with the highest priority value will be the active device. If a fault occurs on either the active or the standby device, the priority of the device is decremented by a configurable amount, known as the weight. If the priority of the active device falls below the priority of the standby device, a switchover occurs and the standby device becomes the active device. You can override this default behavior by disabling the preemption attribute for the redundancy group. You can also configure each interface to decrease the priority when the Layer 1 state of the interface goes down. The priority that is configured overrides the default priority of the redundancy group.
Each failure event that causes a modification of a redundancy group’s priority generates a syslog entry that contains a time stamp, the redundancy group that was affected, the previous priority, the new priority, and a description of the failure event cause.
Another situation that can cause a switchover to occur is when the priority of a device or interface falls below the configurable threshold level.
- Power loss or a reload occurs on the active device (this includes crashes).
- The run-time priority of the active device goes below that of the standby device.
- The run-time priority of the active device goes below the configured threshold level.
- The redundancy group on the active device is reloaded manually by using the redundancy application reload group rg-number command.
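The priority rules above can be traced with a small model. This is an added example, not Cisco's implementation: it decrements a device's run-time priority by a weight, records the fields the page lists for the syslog entry (without the time stamp), and applies the two priority-based switchover reasons. The device names and values are constructed, and the model assumes that disabling preemption suppresses only the comparison against the standby priority, not the threshold check.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    priority: int     # run-time priority, starts at the configured value
    threshold: int    # configured failover threshold

@dataclass
class RedundancyGroup:
    rg_id: int
    active: Peer
    standby: Peer
    preempt: bool = True                      # RG preemption attribute
    events: list = field(default_factory=list)

    def fault(self, peer, weight, cause):
        """Decrement a peer's priority by `weight`, record it, then re-evaluate roles."""
        previous = peer.priority
        peer.priority = previous - weight
        # (RG, device, previous priority, new priority, cause)
        self.events.append((self.rg_id, peer.name, previous, peer.priority, cause))
        return self.evaluate()

    def evaluate(self):
        """Return the switchover reason, or None if the active device keeps its role."""
        if self.active.priority < self.active.threshold:
            reason = "active priority below threshold"
        elif self.preempt and self.active.priority < self.standby.priority:
            reason = "active priority below standby priority"
        else:
            return None
        self.active, self.standby = self.standby, self.active
        return reason

def demo():
    """Constructed scenario: the same two faults with preemption on and off."""
    results = {}
    for preempt in (True, False):
        dev_a, dev_b = Peer("dev-a", 100, 50), Peer("dev-b", 90, 50)
        rg = RedundancyGroup(1, dev_a, dev_b, preempt)
        first = rg.fault(dev_a, 20, "interface down")         # 100 -> 80
        second = rg.fault(dev_a, 40, "tracked object down")   # 80 -> 40
        results[preempt] = (first, second, rg.active.name, rg.events)
    return results
```

With preemption on, the first fault already moves the active role to dev-b; with preemption off, dev-a stays active until its priority drops below the threshold of 50.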
Two consecutive hello messages missed on any monitored interface forces the interface into testing mode. Both devices will verify the link status on the interface and then execute the following tests:
Active/Active Failover
In an active/active failover configuration, both devices can process network traffic. Active/active failover generates virtual MAC (VMAC) addresses for interfaces in each redundancy group (RG).
The device that provides the running configuration to the failover pair when they start simultaneously.
The device on which the failover RG appears in the active state when devices start simultaneously. Each failover RG in the configuration is configured with a primary or secondary device preference. You can configure both failover RGs to be in the active state on a single device and the standby failover RGs to be on the other device. You can also configure one failover RG to be in the active state and the other RG to be in the standby state on a single device.
Active/Standby Failover
Active/standby failover enables you to use a standby device to take over the functionality of a failed device. A failed active device changes to the standby state, and the standby device changes to the active state. The device that is now in the active state takes over IP addresses and MAC addresses of the failed device and starts processing traffic. The device that is now in the standby state takes over standby IP addresses and MAC addresses. Because network devices do not see any change in the MAC-to-IP address pairing, Address Resolution Protocol (ARP) entries do not change or time out anywhere on the network.
In an active/standby scenario, the main difference between two devices in a failover pair depends on which device is active and which device is a standby, namely which IP addresses to use and which device actively passes the traffic. The active device always becomes the active device if both devices start up at the same time (and are of equal operational health). MAC addresses of the active device are always paired with active IP addresses.
NAT Box-to-Box High-Availability LAN-LAN Topology
In a LAN-LAN topology, all participating devices are connected to each other through LAN interfaces on both the inside and the outside. The figure below shows the NAT box-to-box LAN-LAN topology. Network Address Translation (NAT) is in the active-standby mode and the peers are in one redundancy group (RG). All traffic or a subset of this traffic undergoes NAT translation.
Note: Failover is caused by only those failures that the RG infrastructure listens to.
WAN-LAN Topology
In a WAN-LAN topology, two devices are connected through LAN interfaces on the inside and WAN interfaces on the outside. There is no control on the routing of return traffic received through WAN links.
WAN links can be provided by the same service provider or different service providers. In most cases, WAN links are provided by different service providers. To utilize WAN links to the maximum, configure an external device to provide a failover.
On LAN-based interfaces, a high availability virtual IP address is required to exchange client information and for faster failover. On WAN-based interfaces, the redundancy group id ip virtual-ip decrement value command is used for failover.
Exclusive Virtual IP Addresses and Exclusive Virtual MAC Addresses
Virtual IP (VIP) addresses and virtual MAC (VMAC) addresses are used by security applications to control interfaces that receive traffic. An interface is paired with another interface, and these interfaces are associated with the same redundancy group (RG). The interface that is associated with an active RG exclusively owns the VIP and VMAC. The Address Resolution Protocol (ARP) process on the active device sends ARP replies for any ARP request for the VIP, and the Ethernet controller for the interface is programmed to receive packets destined for the VMAC. When an RG failover occurs, the ownership of the VIP and VMAC changes. The interface that is associated with the newly active RG sends a gratuitous ARP and programs the interface’s Ethernet controller to accept packets destined for the VMAC.
IPv6 Support
You can assign each redundancy group (RG) on a traffic interface for both IPv4 and IPv6 virtual IP (VIP) addresses under the same redundancy interface identifier (RII). Each RG uses a unique virtual MAC (VMAC) address per RII. For an RG, the IPv6 link-local VIP and global VIP coexist on an interface.
You can configure an IPv4 VIP, a link-local IPv6 VIP, and/or a global IPv6 VIP for each RG on a traffic interface. IPv6 link-local VIP is mainly used when configuring static or default routes, whereas IPv6 global VIP is widely used in both LAN and WAN topologies.
You must configure a physical IP address before configuring an IPv4 VIP.
FTP66 ALG Support Overview
Firewalls support the inspection of IPv6 packets and stateful Network Address Translation 64 (NAT64). For FTP to work over IPv6 packet inspection, the application-layer gateway (ALG) (also called the application-level gateway [ALG]), FTP66, is required. The FTP66 ALG is also called all-in-one FTP ALG and one FTP ALG.
- Packet segmentation attack—The FTP ALG state machine can detect segmented packets, and the state machine processing is stopped until a complete packet is received.
- Bounce attack—The FTP ALG does not create doors (for NAT) or pinholes (for firewalls) with a data port number less than 1024. The prevention of a bounce attack is activated only when the firewall is enabled.
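The two protections can be illustrated with a small control-channel inspector. This is an added example, not the FTP66 ALG's code: it buffers segmented input until a complete command line arrives, parses PORT (RFC 959) and EPRT (RFC 2428) arguments, and refuses a pinhole for any data port below 1024. The class name, verdict labels, and the 512-byte line limit are assumptions made for the illustration.

```python
import ipaddress

PRIVILEGED_PORT_LIMIT = 1024   # no pinhole for data ports below this value
MAX_LINE = 512                 # assumed cap on an unterminated command line

def parse_data_endpoint(line):
    """Return (address, port) for a PORT or EPRT command, or None for other commands."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "PORT":                        # h1,h2,h3,h4,p1,p2
        parts = arg.split(",")
        if len(parts) != 6 or not all(p.isdigit() and int(p) < 256 for p in parts):
            raise ValueError("malformed PORT")
        return ".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5])
    if verb == "EPRT":                        # <d>af<d>address<d>port<d>
        if not arg:
            raise ValueError("malformed EPRT")
        fields = arg.split(arg[0])
        if len(fields) != 5 or fields[1] not in ("1", "2") or not fields[3].isdigit():
            raise ValueError("malformed EPRT")
        addr = ipaddress.ip_address(fields[2])          # ValueError on a bad literal
        if addr.version != (4 if fields[1] == "1" else 6) or int(fields[3]) > 65535:
            raise ValueError("inconsistent EPRT")
        return str(addr), int(fields[3])
    return None

class FtpControlInspector:
    """Reassembles control-channel segments and issues one verdict per complete line."""

    def __init__(self):
        self._buffer = b""

    def feed(self, segment):
        self._buffer += segment
        verdicts = []
        while b"\r\n" in self._buffer:        # inspect complete commands only
            raw, self._buffer = self._buffer.split(b"\r\n", 1)
            verdicts.append(self._inspect(raw.decode("ascii", "replace")))
        if len(self._buffer) > MAX_LINE:      # never buffer without bound
            self._buffer = b""
            verdicts.append(("drop-oversize",))
        return verdicts

    def _inspect(self, line):
        try:
            endpoint = parse_data_endpoint(line)
        except ValueError:
            return ("drop-malformed", line)
        if endpoint is None:
            return ("pass", line)
        addr, port = endpoint
        if port < PRIVILEGED_PORT_LIMIT:
            return ("no-pinhole", addr, port)
        return ("pinhole", addr, port)
```

Feeding a command split across two segments returns no verdict for the first segment and a single verdict once the terminating CRLF arrives.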
How to Configure Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
Configuring a Redundancy Group Protocol
1. enable
2. configure terminal
3. redundancy
4. application redundancy
5. protocol id
6. name group-name
7. timers hellotime {seconds | msec milliseconds} holdtime {seconds | msec milliseconds}
8. authentication {text string | md5 key-string [0 | 7] key-string timeout seconds | key-chain key-chain-name}
9. end
Configuring a Redundancy Application Group
1. enable
2. configure terminal
3. redundancy
4. application redundancy
5. group id
6. name group-name
7. shutdown
8. priority value [failover threshold value]
9. preempt
10. track object-number {decrement value | shutdown}
11. end
Configuring a Control Interface and a Data Interface
1. enable
2. configure terminal
3. redundancy
4. application redundancy
5. group id
6. data interface-type interface-number
7. control interface-type interface-number protocol id
8. timers delay seconds [reload seconds]
9. end
Configuring a LAN Traffic Interface
1. enable
2. configure terminal
3. interface type number
4. description string
5. encapsulation dot1q vlan-id
6. ip vrf forwarding name
7. ipv6 address {ipv6-prefix/prefix-length | prefix-name sub-bits/prefix-length}
8. zone-member security zone-name
9. redundancy rii RII-identifier
10. redundancy group id {ip virtual-ip | ipv6 {link-local-address | ipv6-address/prefix-length} | autoconfig} [exclusive] [decrement value]
11. end
Configuring a WAN Traffic Interface
1. enable
2. configure terminal
3. interface type number
4. description string
5. ipv6 address {ipv6-prefix/prefix-length | prefix-name sub-bits/prefix-length}
6. zone-member security zone-name
7. ip tcp adjust-mss max-segment-size
8. redundancy rii RII-identifier
9. redundancy asymmetric-routing enable
10. end
Configuring an IPv6 Firewall
The steps to configure an IPv4 firewall and an IPv6 firewall are the same. To configure an IPv6 firewall, you must configure the class map in such a way that only an IPv6 address family is matched.
The match protocol command applies to both IPv4 and IPv6 traffic and can be included in either an IPv4 policy or an IPv6 policy.
1. enable
2. configure terminal
3. vrf-definition vrf-name
4. address-family ipv6
5. exit-address-family
6. exit
7. parameter-map type inspect parameter-map-name
8. sessions maximum sessions
9. exit
10. ipv6 unicast-routing
11. ip port-map appl-name port port-num list list-name
12. ipv6 access-list access-list-name
13. permit ipv6 any any
14. exit
15. class-map type inspect match-all class-map-name
16. match access-group name access-group-name
17. match protocol protocol-name
18. exit
19. policy-map type inspect policy-map-name
20. class type inspect class-map-name
21. inspect [parameter-map-name]
22. end
Configuring Zones and Applying Zones to Interfaces
1. enable
2. configure terminal
3. zone security zone-name
4. exit
5. zone security zone-name
6. exit
7. zone-pair security zone-pair-name [source source-zone destination destination-zone]
8. service-policy type inspect policy-map-name
9. exit
10. interface type number
11. ipv6 address ipv6-address/prefix-length
12. encapsulation dot1q vlan-id
13. zone-member security zone-name
14. end
15. show policy-map type inspect zone-pair sessions
Example
The following sample output from the show policy-map type inspect zone-pair sessions command displays the translation of packets from an IPv6 address to an IPv4 address and vice versa:
```
Device# show policy-map type inspect zone-pair sessions

Zone-pair: in-to-out
  Service-policy inspect : in-to-out

    Class-map: ipv6-class (match-any)
      Match: protocol ftp
      Match: protocol tcp
      Match: protocol udp
      Inspect
        Established Sessions
          Session 110D930C [2001:DB8:1::103]:32847=>(209.165.201.2:21) ftp SIS_OPEN
            Created 00:00:00, Last heard 00:00:00
            Bytes sent (initiator:responder) [37:84]

        Half-open Sessions
          Session 110D930C [2001:DB8:1::104]:32848=>(209.165.201.2:21) ftp SIS_OPENING
            Created 00:00:00, Last heard 00:00:00
            Bytes sent (initiator:responder) [0:0]
```
The following sample output from the show policy-map type inspect zone-pair sessions command displays the translation of packets from an IPv6 address to an IPv6 address:
```
Device# show policy-map type inspect zone-pair sessions

Zone-pair: in-to-out
  Service-policy inspect : in-to-out

    Class-map: ipv6-class (match-any)
      Match: protocol ftp
      Match: protocol tcp
      Match: protocol udp
      Inspect
        Established Sessions
          Session 110D930C [2001:DB8:1::103]:63=>[2001:DB8:2::102]:63 udp SIS_OPEN
            Created 00:00:02, Last heard 00:00:01
            Bytes sent (initiator:responder) [162:0]
```
Configuration Examples for Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
Example: Configuring a Redundancy Group Protocol
The following example shows how to configure a redundancy group with timers set for hello time and hold time messages:
```
Device# configure terminal
Device(config)# redundancy
Device(config-red)# application redundancy
Device(config-red-app)# protocol 1
Device(config-red-app-prtcl)# timers hellotime 3 holdtime 9
Device(config-red-app-prtcl)# authentication md5 key-string 0 n1 timeout 100
Device(config-red-app-prtcl)# bfd
Device(config-red-app-prtcl)# end
```
Example: Configuring a Redundancy Application Group
The following example shows how to configure a redundancy group named group1 with priority and preempt attributes:
```
Device# configure terminal
Device(config)# redundancy
Device(config-red)# application redundancy
Device(config-red-app)# group 1
Device(config-red-app-grp)# name group1
Device(config-red-app-grp)# priority 100 failover threshold 50
Device(config-red-app-grp)# preempt
Device(config-red-app-grp)# track 200 decrement 200
Device(config-red-app-grp)# end
```
Example: Configuring a Control Interface and a Data Interface
```
Device# configure terminal
Device(config)# redundancy
Device(config-red)# application redundancy
Device(config-red-app)# group 1
Device(config-red-app-grp)# data GigabitEthernet 0/0/0
Device(config-red-app-grp)# control GigabitEthernet 0/0/2 protocol 1
Device(config-red-app-grp)# timers delay 100 reload 400
Device(config-red-app-grp)# end
```
Example: Configuring a LAN Traffic Interface
```
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# description lan interface
Device(config-if)# encapsulation dot1q 18
Device(config-if)# ip vrf forwarding trust
Device(config-if)# ipv6 address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE/64
Device(config-if)# zone-member security z1
Device(config-if)# redundancy rii 100
Device(config-if)# redundancy group 1 ipv6 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE exclusive decrement 50
Device(config-if)# end
```
Example: Configuring a WAN Traffic Interface
The following example shows how to configure redundancy groups for a WAN-LAN scenario:
```
Device# configure terminal
Device(config)# interface gigabitethernet 2/1/0
Device(config-if)# description wan interface
Device(config-if)# ipv6 address 2001:DB8:2222::/48
Device(config-if)# zone-member security z2
Device(config-if)# ip tcp adjust-mss 1360
Device(config-if)# redundancy rii 360
Device(config-if)# redundancy asymmetric-routing enable
Device(config-if)# end
```
Example: Configuring an IPv6 Firewall
```
Device# configure terminal
Device(config)# vrf-definition VRF1
Device(config-vrf)# address-family ipv6
Device(config-vrf-af)# exit-address-family
Device(config-vrf)# exit
Device(config)# parameter-map type inspect ipv6-param-map
Device(config-profile)# sessions maximum 10000
Device(config-profile)# exit
Device(config)# ipv6 unicast-routing
Device(config)# ip port-map ftp port 8090 list ipv6-acl
Device(config)# ipv6 access-list ipv6-acl
Device(config-ipv6-acl)# permit ipv6 any any
Device(config-ipv6-acl)# exit
Device(config)# class-map type inspect match-all ipv6-class
Device(config-cmap)# match access-group name ipv6-acl
Device(config-cmap)# match protocol tcp
Device(config-cmap)# exit
Device(config)# policy-map type inspect ipv6-policy
Device(config-pmap)# class type inspect ipv6-class
Device(config-pmap-c)# inspect ipv6-param-map
Device(config-pmap-c)# end
```
Example: Configuring Zones and Applying Zones to Interfaces
```
Device# configure terminal
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone security z2
Device(config-sec-zone)# exit
Device(config)# zone-pair security in-to-out source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect ipv6-policy
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0.1
Device(config-if)# ipv6 address 2001:DB8:2222:7272::72/64
Device(config-if)# encapsulation dot1q 2
Device(config-if)# zone-member security z1
Device(config-if)# end
```
Feature Information for Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information |
---|---|---|
Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls | Cisco IOS XE Release 3.8S | The Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls feature supports high availability (HA) based on redundancy groups (RGs) on IPv6 firewalls. This feature enables you to configure pairs of devices to act as backup for each other. This feature can be configured to determine the active device based on a number of failover conditions. No commands were introduced or modified. |
Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls | Cisco IOS XE Release 3.8S | In Cisco IOS XE Release 3.10S, support was added for the Cisco ISR 4400 Series Routers. |