
Failover firewalls with redundant switches

18 years 11 months ago #11481 by killerasp
Hey guys. I am trying to configure an additional failover 515E along with adding an extra switch for redundancy.




I am trying to figure out the best way to do this, but I am unsure how to go about configuring it on the PIX to properly handle traffic if switch 1 or 2 were to fail.

Some people suggested attaching PIX one to switch one and PIX two to switch two, so if switch one fails, it would automatically fail over to firewall two. But I don't think that's a good idea.
18 years 11 months ago #11507 by RedRanger
Ouch, maybe the reason for the failovers is because of all the redundancy. Redundant networks aren't for every scenario. It adds cost to your network, thus slowing it down and/or making your network fail. It should really only be used in big businesses.

RedRanger

"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."

Be Awesome
18 years 11 months ago #11949 by TheeGreatCornholio
killerasp,

Wow - that diagram is scary... a spanning-tree nightmare for sure. Ok, you had it right... PIX 1 connects to switch 1, PIX 2 connects to switch 2. That's the way to go. For stateful failover on the PIX's, you need to have a dedicated stateful cross-connect ethernet cable between them. Your two switches should be cross connected. As far as your servers are concerned - use whatever NIC failover features they have, if any. If they only have one NIC per server, then you're only going to connect it to one of the two switches.

PIX failover is pretty straightforward. All of the PIX work I've ever done has been with dual PIX's, so you can rest assured that I have some clue of what I am talking about.

The most important thing when setting up PIX failover is to make sure both PIX's are running the exact same code. If you want stateful failover (this is where the TCP connection table is replicated to the standby PIX), you need a dedicated PIX interface set up as stateful, and a cross-over cable between the PIX's on that interface. DO NOT CONNECT THE STATEFUL INTERFACE TO THE LAN SWITCH - you are asking for trouble.

Anyway, I don't want to go too far off on a tangent here... I believe I answered your immediate question. Post any other follow-up questions you may have and I'll answer them as soon as I can.

tGc
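
Added example, not part of the thread or any poster's code: a pre-flight check for the two points in the reply above (identical software on both units, and a dedicated interface for the stateful link). It assumes PIX OS 6.3-style `show version` and configuration text; the thread names no version, and every interface name, address and version string below is constructed.

```python
import re

# Constructed sample input in PIX OS 6.3-style syntax (an assumption).
# Interface names, addresses and versions are made up for illustration.
PRIMARY = """\
Cisco PIX Firewall Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security20
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.2 255.255.255.0
ip address stateful 10.0.1.1 255.255.255.252
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.3
failover ip address stateful 10.0.1.2
failover link stateful
"""
SECONDARY_OLD = PRIMARY.replace("6.3(5)", "6.3(4)")   # standby on older code
SHARED_LINK = PRIMARY.replace("failover link stateful", "failover link inside")
LAN_NAMES = {"inside", "outside"}  # assumed names of the traffic-carrying interfaces

def software_version(text):
    m = re.search(r"^Cisco PIX Firewall Version (\S+)", text, re.M)
    return m.group(1) if m else None

def preflight(primary, secondary):
    """Return a list of findings; an empty list means the pair passed."""
    findings = []
    v1, v2 = software_version(primary), software_version(secondary)
    if v1 is None or v2 is None:
        findings.append("software version not found in one unit's output")
    elif v1 != v2:
        findings.append(f"software mismatch: {v1} vs {v2}")
    for unit, text in (("primary", primary), ("secondary", secondary)):
        if "failover" not in text.splitlines():   # bare 'failover' line = enabled
            findings.append(f"{unit}: failover not enabled")
        names = set(re.findall(r"^nameif \S+ (\S+) security\d+", text, re.M))
        standby = set(re.findall(r"^failover ip address (\S+) \S+", text, re.M))
        link = re.search(r"^failover link (\S+)", text, re.M)
        if not link:
            findings.append(f"{unit}: no stateful link configured")
            continue
        name = link.group(1)
        if name in LAN_NAMES:
            findings.append(f"{unit}: stateful link '{name}' is not dedicated")
        if name not in names or name not in standby:
            findings.append(f"{unit}: stateful link '{name}' lacks nameif or standby IP")
    return findings
```

The check reads configuration only; whether the stateful interface is cabled directly to the peer rather than to a LAN switch still has to be verified physically.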