Failover firewalls with redundant switches
19 years 1 month ago #11481
by killerasp
Failover firewalls with redundant switches was created by killerasp
Hey guys. I am trying to configure an additional failover 515E along with adding an extra switch for redundancy.
I am trying to figure out the best way to do this, but I am unsure how to go about configuring it on the PIX to properly handle traffic if switch 1 or 2 were to fail.
Some people suggested attaching PIX one to switch one and PIX two to switch two, so if switch one fails, it would automatically fail over to firewall two. But I don't think that's a good idea.
19 years 1 month ago #11507
by RedRanger
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Replied by RedRanger on topic Re: Failover firewalls with redundant switches
Ouch, maybe the reason for the failovers is because of all the redundancy. Redundant networks aren't for every scenario. It adds cost to your network, thus slowing it down and/or making your network fail. It should really only be used in big businesses.
19 years 1 week ago #11949
by TheeGreatCornholio
Replied by TheeGreatCornholio on topic Re: Failover firewalls with redundant switches
killerasp,
Wow - that diagram is scary... a spanning-tree nightmare for sure. Ok, you had it right... PIX 1 connects to switch 1, PIX 2 connects to switch 2. That's the way to go. For stateful failover on the PIX's, you need to have a dedicated stateful cross-connect Ethernet cable between them. Your two switches should be cross-connected. As far as your servers are concerned - use whatever NIC failover features they have, if any. If they only have one NIC per server, then you're only going to connect it to one of the two switches.
PIX failover is pretty straightforward. All of the PIX work I've ever done has been with dual PIX's, so you can rest assured that I have some clue of what I am talking about.
The most important thing when setting up PIX failover is to make sure both PIX's are running the exact same code. If you want stateful failover (this is where the TCP connection table is replicated to the standby PIX), you need a dedicated PIX interface set up as stateful, and a cross-over cable between the PIX's on that interface. DO NOT CONNECT THE STATEFUL INTERFACE TO THE LAN SWITCH - you are asking for trouble.
Anyway, I don't want to go too far off on a tangent here... I believe I answered your immediate question. Post any other follow-up questions you may have and I'll answer them as soon as I can.
tGc
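The dedicated stateful link described in the reply above, as an added configuration sketch that is not part of the original thread. It assumes PIX OS 6.3 command syntax; the interface name `stateful`, the choice of ethernet2 and every address are constructed placeholders.

```text
: Added example, PIX OS 6.3 syntax assumed. Interface names and all
: addresses are constructed placeholders, not values from the thread.

: Dedicated interface for the stateful link. It is cabled straight to
: the same interface on the other PIX with a crossover cable and is
: never patched into a LAN switch.
interface ethernet2 100full
nameif ethernet2 stateful security20
ip address stateful 192.168.254.1 255.255.255.252

: Active-unit addresses on the data interfaces.
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

: Enable failover and give the standby unit its own address on every
: interface, including the stateful link.
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.2
failover ip address stateful 192.168.254.2

: Replicate the TCP connection table over the dedicated interface.
failover link stateful

: Checks to run on both units: the software version must match, and
: the failover status output should show the stateful link interface.
show version
show failover
```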