Installing Failover



This chapter includes the following sections:

Installing the Failover Cable

Failover Cable Pinouts

This chapter only applies to PIX Firewall units with a "UR" (unrestricted) license.

Installing the Failover Cable

Use the following steps to set up a failover connection:


Caution: Before starting the installation, make sure that the power is off on both the Primary and Secondary units. Do not turn the power on until the units are connected and the Primary unit has been completely configured. Power the Primary unit on first, then power on the Secondary unit.


Step 1 Follow the instructions in "Installing a PIX Firewall" to set up the PIX Firewall and network interface cables.

Step 2 Locate the failover cable (shown in Figure 3-1). This cable is shipped separately from the PIX Firewall unit. The cable is labeled Primary on one end and Secondary on the other.

Install the cable as shown in Figure 3-1 for the PIX 515, or as shown in Figure 3-2 for the PIX 520, PIX 525, and earlier models.

Figure 3-1 PIX 515 Failover Cable Connection

Figure 3-2 PIX 520, PIX 525, and Earlier Model Failover Cable Connection

Step 3 Connect the Primary end of the failover cable to the first PIX Firewall unit, that is, the one you have already configured.

Step 4 Connect the Secondary end of the failover cable to the Standby unit.

Step 5 Connect a power cord to the power connector on the rear panel of each unit, and the other end of each power cord to (preferably separate) power outlets.

Step 6 If you are using Stateful Failover, connect the dedicated interfaces on the PIX Firewall units using whichever of the following connection types is appropriate for your system:

Cat 5 crossover cable directly connecting the Primary unit to the Secondary unit.

100BaseTX half-duplex hub using straight Cat 5 cables.

100BaseTX full-duplex on a dedicated switch or dedicated VLAN of a switch.

On the PIX 520 or the PIX 525, you can use Token Ring interfaces with Stateful Failover if the dedicated interface is 100BaseTX.

Figure 3-3 shows an example of a minimally configured PIX 515 with only the two interfaces on the motherboard used for network traffic.

Figure 3-3 Failover Connections

Step 7 Refer to Chapter 3, "Advanced Configurations," in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2 to configure the Primary unit.


Note: All enabled interfaces must be connected between the Active and Standby units. Configure only the Active unit. On a PIX 515 and PIX 525, the Active unit is indicated by the ACT LED on the front of the unit. On a PIX 520, you can access the console and determine which unit is active with the show failover command.


Step 8 Use the power switch at the back of the units to power the Primary unit on and then power the Standby unit on.

Within a few seconds, the Active unit automatically downloads its configuration to the Standby unit.

If the Primary unit fails, the Secondary unit automatically becomes active.


Failover Cable Pinouts

Figure 3-4 shows the pinouts of a crossover cable, in case you use one with the Stateful Failover dedicated interface.

Figure 3-4 Stateful Failover Dedicated Interface Crossover Cable Pinouts

Should you need to test the cable you received, the pinouts are shown in Figure 3-5.

Figure 3-5 Failover Serial Cable Pinouts