Ouch, maybe the reason for the failovers is all the redundancy. Redundant networks aren't for every scenario. It adds cost to your network, thus slowing it down and/or making your network fail. It should really only be used in big businesses.
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Re: Failover firewalls with redundant switches
12 years 11 months ago #11949
Wow - that diagram is scary... a spanning-tree nightmare for sure. Ok, you had it right... PIX 1 connects to switch 1, PIX 2 connects to switch 2. That's the way to go. For stateful failover on the PIXes, you need to have a dedicated stateful cross-connect Ethernet cable between them. Your two switches should be cross-connected. As far as your servers are concerned - use whatever NIC failover features they have, if any. If they only have one NIC per server, then you're only going to connect it to one of the two switches.
PIX failover is pretty straightforward. All of the PIX work I've ever done has been with dual PIXes, so you can rest assured that I have some clue of what I am talking about.
The most important thing when setting up PIX failover is to make sure both PIXes are running the exact same code. If you want stateful failover (this is where the TCP connection table is replicated to the standby PIX), you need a dedicated PIX interface set up as stateful, and a cross-over cable between the PIXes on that interface. DO NOT CONNECT THE STATEFUL INTERFACE TO THE LAN SWITCH - you are asking for trouble.
Anyway, I don't want to go too far off on a tangent here... I believe I answered your immediate question. Post any other follow-up questions you may have and I'll answer them as soon as I can.
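As an added illustration of the setup described in the reply above (not configuration posted by the author), here is a minimal PIX 6.x style fragment for the primary unit: the third physical interface is dedicated to the stateful link on its own private /30 and is only reached over the direct cross-over cable, and the standby addresses tell the secondary unit what to take over. The interface names, addresses and key are assumed placeholders.

```text
! Primary PIX -- both units must run identical software images
! (check with "show version" on each box before enabling failover)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Dedicated stateful interface: cross-over cable to the other PIX only,
! never patched into the LAN switch
nameif ethernet2 stateful security20

ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
! Private point-to-point subnet used solely for state replication
ip address stateful 10.255.255.1 255.255.255.252

! Standby unit's addresses on every interface, including the stateful one
failover ip address outside 203.0.113.3
failover ip address inside 192.168.1.2
failover ip address stateful 10.255.255.2

! Replicate the connection table over the dedicated interface
failover link stateful
! LAN-based failover control over the same dedicated link
failover lan unit primary
failover lan interface stateful
failover lan key <shared-key-placeholder>
failover lan enable
failover poll 15
failover
```

The secondary unit gets the same configuration with `failover lan unit secondary`; verify the pair with `show failover` and confirm both report the same version and an "Active"/"Standby" state before trusting it in production.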