TOPIC: Failover firewalls with redundant switches

Failover firewalls with redundant switches 11 years 2 weeks ago #11481

  • killerasp
Hey guys. I am trying to configure an additional failover 515E along with adding an extra switch for redundancy.




I am trying to figure out the best way to do this, but I am unsure how to go about configuring it on the PIX to properly handle traffic if switch 1 or 2 were to fail.

Some people suggested attaching PIX one to switch one and PIX two to switch two, so if switch one fails, it would automatically fail over to firewall two. But I don't think that's a good idea.

Re: Failover firewalls with redundant switches 11 years 2 weeks ago #11507

  • RedRanger
Ouch, maybe the reason for the failovers is because of all the redundancy. Redundant networks aren't for every scenario. It adds cost to your network, thus slowing it down and/or making your network fail. It should really only be used in big businesses.
RedRanger

"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."

Be Awesome

Re: Failover firewalls with redundant switches 10 years 11 months ago #11949

killerasp,

Wow - that diagram is scary... a spanning-tree nightmare for sure. OK, you had it right... PIX 1 connects to switch 1, PIX 2 connects to switch 2. That's the way to go. For stateful failover on the PIXes, you need to have a dedicated stateful cross-connect Ethernet cable between them. Your two switches should be cross-connected. As far as your servers are concerned - use whatever NIC failover features they have, if any. If they only have one NIC per server, then you're only going to connect it to one of the two switches.

PIX failover is pretty straightforward. All of the PIX work I've ever done has been with dual PIXes, so you can rest assured that I have some clue of what I am talking about.

The most important thing when setting up PIX failover is to make sure both PIXes are running the exact same code. If you want stateful failover (this is where the TCP connection table is replicated to the standby PIX), you need a dedicated PIX interface set up as stateful, and a cross-over cable between the PIXes on that interface. DO NOT CONNECT THE STATEFUL INTERFACE TO THE LAN SWITCH - you are asking for trouble.

Anyway, I don't want to go too far off on a tangent here... I believe I answered your immediate question. Post any other follow-up questions you may have and I'll answer them as soon as I can.

tGc
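
The stateful failover setup described in the reply above, sketched as a primary-unit configuration. This is an added example, not part of the original thread: it assumes PIX OS 6.x syntax, the serial failover cable between the units, and a spare third Ethernet port; the interface name `stateful` and all addresses are constructed for illustration.

```cisco
: Added example, primary unit, PIX OS 6.x syntax assumed.
: Interface name "stateful" and all addresses are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security20
: ethernet2 is the dedicated link: cross-over cable straight to the
: other PIX, never patched into a LAN switch.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address stateful 172.16.255.1 255.255.255.252
: Turn failover on. Each "failover ip address" line sets the address
: the standby unit uses on that interface.
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.0.0.2
failover ip address stateful 172.16.255.2
: Replicate the connection table over the dedicated interface only.
failover link stateful
```

Running `show version` on each unit confirms both are on the same software release, and `show failover` reports the state of each unit and of the stateful link.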