zillah (Australia)
PIX Failover and Redundancy switch replacement

I have got this scenario:

Outside (internet)—Switch 1—Primary PIX—Core 1-----LAN

Outside (internet)—Switch 2—Secondary PIX—Core 2-----LAN

Switch 1------Switch 2 (connected via Ethernet trunk link)

Primary PIX------Secondary PIX (connected through the failover cable via the serial interface)

Core 1------Core 2 (connected via Ethernet trunk link)

VPN concentrator is connected between switch 1 (active) and core 1

We have got an active outside switch 1 (2950), an active primary PIX (525), and an active core 1 (4000).

And we have also got an inactive outside switch 2 (2950), an inactive secondary PIX (525), and an inactive core 2 (4000).

Redundancy has been taken into consideration.

1- If the primary PIX fails, the standby PIX (secondary) will take over (obviously). Now, will core 1 (active) be replaced by core 2, because the secondary PIX takes over?

2- Similarly, will switch 1 (active) be replaced by switch 2, because the secondary PIX takes over?

3- Does the same thing happen to the PIX if switch 1 fails or core 1 fails? (i.e. if switch 1 fails, obviously switch 2 takes over; does that mean the primary PIX will be replaced by the secondary one?)

4- If the VPN fails, shouldn't there have been redundancy? (i.e. Is this a drawback in the design?)
ASKER CERTIFIED SOLUTION
JFrederick29 (United States of America)
zillah (ASKER)
[cut]
No, again, the switch and PIX failover are independent of one another.  The switches will remain as they are if the PIXes fail over, but again, that is not a problem since they are connected.
[/cut]
If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?


[cut]
Yes, if switch 1 (2950) fails, both the switch and the PIXes will fail over.  Switch 2 will become active and the secondary PIX will become active due to the failed link to switch 1.
[/cut]
Just for more clarification, does that also mean that if core 1 (4000) fails, both the switch (2950) and the PIX will fail over as well?
Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?


[cut]
You could put a second VPN concentrator off switch 2 and configure them for high availability.
[/cut]
One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

Regards

> If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

> The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?

When you say core2 is in standby mode, I assume you mean they are running HSRP?  If running HSRP, traffic will pass through core2 to get to core1 to reach the active HSRP router.  Core2 will still pass traffic even though it is in HSRP standby mode.

> Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

The PIX failover monitors the physical interfaces of the firewalls.  If an interface on the active PIX goes down because the switch it is connected to fails, the PIX will fail over to the standby PIX.

> One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

I would put the other end off core2 for maximum availability.
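The two mechanisms in the reply above (PIX failover watching its own interfaces, and the HSRP standby core still forwarding transit frames) can be seen together in configuration. The following is an added example, not configuration from the thread or from either poster: it assumes PIX OS 6.3 on the 525s with the serial failover cable, assumes the Catalyst 4000 cores run an IOS supervisor (older CatOS supervisors are configured differently), and uses made-up addresses, VLAN and port numbers. The `standby track` line is an optional design choice of this example, not something the thread prescribes.

```cisco
! --- Primary PIX (PIX OS 6.3, serial failover cable). Addresses are assumptions.
! Every interface given a "failover ip address" is monitored: if the active
! unit stops seeing traffic on it (e.g. the attached 2950 dies), it tests the
! interface and fails over to the standby unit.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.2 255.255.255.0
failover
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.3
failover poll 15
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Inside networks are reached via the HSRP virtual address, not core1's own
! address, so this route stays valid whichever core holds the HSRP active role.
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1

! --- Core1 (IOS; HSRP active by priority)
interface GigabitEthernet1/1
 description to primary PIX inside
 switchport access vlan 10
!
interface Vlan10
 description firewall VLAN, also carried to core2 over the trunk
 ip address 10.1.1.5 255.255.255.0
 standby 10 ip 10.1.1.1
 standby 10 priority 110
 standby 10 preempt
! Optional tie-in (example's choice): if the port facing the primary PIX goes
! down, drop priority by 20 so core2 (priority 100) preempts and the active
! gateway follows the firewall instead of hairpinning across the trunk.
 standby 10 track GigabitEthernet1/1 20

! --- Core2 (IOS; HSRP standby, but VLAN 10 frames still forward through it)
interface GigabitEthernet1/1
 description to secondary PIX inside
 switchport access vlan 10
!
interface Vlan10
 description firewall VLAN, trunked to core1
 ip address 10.1.1.6 255.255.255.0
 standby 10 ip 10.1.1.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 track GigabitEthernet1/1 20
```

Without the `standby track` lines, a PIX failover leaves core1 as HSRP active and the secondary PIX's traffic enters core2 in VLAN 10 and crosses the trunk to core1, exactly as the reply describes. To check the state after a test, `show failover` on the PIX reports which unit is active and the per-interface status, and `show standby brief` on each core shows which one holds the virtual address.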

Les Moore
Just a quick comment. Switches don't work in "standby mode" as in primary/standby like the PIXes do. Spanning tree prevents loops and can put various ports in blocking or forwarding mode, but that's it.
You have several critical flaws in your plan for total redundancy.
You have to consider both layer2 redundancy (dual switches) and layer 3 redundancy (HSRP, dynamic routing protocols, etc) as well as the primary/standby failover capabilities of the PIX's.
Since you have 525s, upgrade to 7.21, set them up in active/active failover mode, enable OSPF between the two ISP routers and the PIXes (area 0) and between the PIXes and the 4500 switches inside (area 1), and BGP between the two Internet routers.
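What the 7.x upgrade suggested above buys you on the firewall side is per-interface monitoring policy and dynamic routing on the PIX itself. The following is an added example, not configuration from the thread or from the poster: a primary PIX 525 on PIX 7.2 in single context mode, active/standby failover over the existing serial cable with a stateful link, and OSPF with MD5 neighbour authentication toward the Internet routers (area 0) and the inside switches (area 1). Hostname, addresses, interface names and keys are assumptions. One caveat a practitioner should check against the release notes: on 7.x, active/active failover requires multiple context mode, and multiple context mode does not support OSPF, so the example sticks to active/standby to keep the OSPF design above.

```cisco
! Added example (PIX 7.2, single context, primary unit). All values are assumptions.
hostname pix-primary
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
! Authenticate OSPF so a rogue host on the outside segment cannot inject routes.
 ospf authentication message-digest
 ospf message-digest-key 1 md5 OutsideOspfKey
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
 ospf authentication message-digest
 ospf message-digest-key 1 md5 InsideOspfKey
!
interface Ethernet2
 description dedicated stateful failover link (connection table sync)
!
! Failover over the serial cable; the stateful link carries session state so
! established connections survive a switchover.
failover
failover link statelink Ethernet2
failover interface ip statelink 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Poll monitored interfaces every 5 s; one failed monitored interface is enough
! to trigger failover (interface-policy 1), which covers the "switch 1 dies" case.
failover polltime interface 5
failover interface-policy 1
monitor-interface outside
monitor-interface inside
!
! The PIX is an ABR between area 0 (toward the ISP routers) and area 1 (inside).
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 log-adj-changes
```

The secondary unit needs the same interface configuration (the `standby` addresses are what it uses while passive) plus `failover` and the same stateful-link commands; with cable-based failover the primary replicates the rest of the configuration to it. `show failover` confirms the unit role and lists each monitored interface as Normal (Monitored), and `show ospf neighbor` on the PIX should show full adjacencies with both the Internet routers and the inside switches before a switchover is tested.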