Solved

PIX Failover and Redundancy switch replacement

Posted on 2006-11-11
Last Modified: 2011-09-20
I have got this scenario:

Outside (internet)—Switch 1—Primary PIX—Core 1—LAN

Outside (internet)—Switch 2—Secondary PIX—Core 2—LAN

Switch 1------Switch 2 (connected via an Ethernet trunk link)

Primary PIX------Secondary PIX (connected through the failover cable on the serial interface)

Core 1------Core 2 (connected via an Ethernet trunk link)

The VPN concentrator is connected between switch 1 (active) and core 1.

We have got an active outside switch 1 (2950), an active primary PIX (525), and an active core 1 (4000).

And we also have got an inactive outside switch 2 (2950), an inactive secondary PIX (525), and an inactive core 2 (4000).

Redundancy has been taken into consideration.

1- If the primary PIX fails, the standby PIX (secondary) will take over (obvious). Now, will core 1 (active) be replaced by core 2 because the secondary PIX takes over?

2- In the same way, will switch 1 (active) be replaced by switch 2 because the secondary PIX takes over?

3- Does the same thing happen to the PIX if switch 1 fails or core 1 fails? (i.e. if switch 1 fails, obviously switch 2 takes over; does that mean the primary PIX will be replaced by the secondary one?)

4- If the VPN fails, shouldn't there have been redundancy? (i.e. is this a drawback in the design?)
0
Question by:zillah
5 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 250 total points
ID: 17922111
1.  No, core2 will not replace core1 if the secondary PIX takes over, but it's not a problem because core1 and core2 are connected.

2.  No, again, the switch and PIX failover are independent of one another.  The switches will remain as is if the PIXes fail over, but again, not a problem since they are connected.

3.  Yes, if switch 1 fails, both the switch and the PIXes will fail over.  Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.

4.  It depends on how much redundancy you want and how much money you have to throw at it.  You could put a second VPN concentrator off switch 2 and configure them for high availability.
0
 

Author Comment

by:zillah
ID: 17924130
[cut]
No, again, the switch and PIX failover are independent of one another.  The switches will remain as is if the PIXes fail over, but again, not a problem since they are connected.
[/cut]
If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?


[cut]
Yes, if switch 1 (2950) fails, both the switch and the PIXes will fail over.  Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.
[/cut]
Just for more clarification, does that mean that if core 1 (4000) fails, both the switch (2950) and the PIX will fail over as well?
Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?


[cut]
You could put a second VPN concentrator off switch 2 and configure them for high availability.
[/cut]
One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

Regards
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17925220
>If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

>The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?

When you say core2 is in standby mode I assume you mean they are running HSRP?  If running HSRP, traffic will pass through core2 to get to core1 to reach the active HSRP router.  Core2 will still pass traffic even though it is in HSRP standby mode.

>Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

The PIX failover monitors the physical interfaces of the firewalls.  If an interface on the active PIX goes down because the switch it is connected to fails, the PIX will fail over to the standby PIX.

>One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

I would put the other end off core2 for maximum availability.
0
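As an added example (not part of the thread and not posted by either participant), here is what the two mechanisms JFrederick29 describes look like in configuration: PIX interface monitoring with the serial failover cable, and HSRP on the two cores with interface tracking so that core2 can take the active role if core1 loses its link toward the firewall. It assumes PIX 7.x syntax (6.x used `failover ip address` instead of the per-interface `standby` address), an IOS-style configuration on the cores, a spare PIX interface (Ethernet3) for the stateful link, and made-up addressing: 203.0.113.0/24 outside, 10.1.100.0/24 on inside VLAN 100, GigabitEthernet1/1 as core1's link toward the PIX.

```cisco
! ---- Primary PIX 525 (PIX 7.x syntax, unit role set by the serial failover cable) ----
! Each interface carries an active and a standby address. On failover the secondary
! unit takes over the active IP and MAC and sends gratuitous ARP, so core1 keeps
! sending to 10.1.100.254 and the frames now reach it over the core1-core2 trunk.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.100.254 255.255.255.0 standby 10.1.100.253
!
! Stateful failover link on an assumed spare interface (state replication only;
! hello/role election still runs over the serial cable).
failover
failover link stateful Ethernet3
failover interface ip stateful 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Interface health: hello every 5 s on each monitored interface; if one monitored
! interface fails (e.g. switch 1 dies and Ethernet0 loses link) the unit fails over.
failover polltime interface 5
failover interface-policy 1
monitor-interface outside
monitor-interface inside
!
! ---- Core 1 (IOS-style, HSRP active for the inside VLAN) ----
interface Vlan100
 description Inside segment, shared with core2 over the trunk
 ip address 10.1.100.2 255.255.255.0
 standby 100 ip 10.1.100.1
 standby 100 priority 110
 standby 100 preempt
 ! If core1's link toward the PIX (assumed Gi1/1) drops, priority falls to 90,
 ! below core2's 100, so core2 becomes HSRP active.
 standby 100 track GigabitEthernet1/1 20
!
! ---- Core 2 (HSRP standby; it still switches and routes normally) ----
interface Vlan100
 description Inside segment, shared with core1 over the trunk
 ip address 10.1.100.3 255.255.255.0
 standby 100 ip 10.1.100.1
 standby 100 priority 100
 standby 100 preempt
```

To check the behaviour described in the thread: "show failover" on either PIX lists the unit state and which interfaces are monitored and considered up; "show standby brief" on each core shows which one is HSRP Active; pinging the standby PIX inside address 10.1.100.253 from core2 confirms the inside segment really is one VLAN across the trunk, which is what lets an HSRP-standby core2 carry traffic to the active core1.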
 
LVL 79

Expert Comment

by:lrmoore
ID: 17926441
Just a quick comment. Switches don't work in "standby mode" as in primary/standby like the PIXes do. Spanning tree prevents loops and can put various ports in blocking or forwarding mode, but that's it.
You have several critical flaws in your plan for total redundancy.
You have to consider both layer 2 redundancy (dual switches) and layer 3 redundancy (HSRP, dynamic routing protocols, etc.) as well as the primary/standby failover capabilities of the PIXes.
Since you have 525s, upgrade to 7.21, set them up in active/active failover mode, enable OSPF between the two ISP routers and the PIXes (area 0) and between the PIXes and the 4500 switches inside (area 1), and BGP between the two Internet routers.
0