Solved

PIX Failover and Redundancy switch replacemnet

Posted on 2006-11-11
630 Views
Last Modified: 2011-09-20
I have got this scenario:

Outside (internet)—switch 1—Primary PIX—Core1-----LAN

Outside (internet) –Switch 2—Secondary PIX—Core2-----LAN

Switch 1------Switch 2 (connected via Ethernet link trunk)

Primary PIX------Secondary PIX (connected through failover cable via serial interface)

core 1------core 2 (connected via ethernet link trunk)

VPN concentrator is connected between switch 1 (active) and core 1

We have got an active outside switch 1 (2950), an active primary PIX (525), and an active core 1 (4000).

And we also have an inactive outside switch 2 (2950), an inactive secondary PIX (525), and an inactive core 2 (4000).

Redundancy has been taken into consideration.

1- If the primary PIX fails, the standby PIX (secondary) will take over (obvious). Now, will core 1 (active) be replaced by core 2 because the secondary PIX takes over?

2- In the same way, will switch 1 (active) be replaced by switch 2 because the secondary PIX takes over?

3- Does the same thing happen to the PIX if switch 1 fails or core 1 fails? (i.e. if switch 1 fails, obviously switch 2 takes over; does that mean the primary PIX will be replaced by the secondary one?)

4- If the VPN fails, shouldn't there have been redundancy? (i.e. Is this a drawback in the design?)
Question by:zillah

5 Comments
 
LVL 43

Accepted Solution

by: JFrederick29 earned 250 total points
ID: 17922111
1. No, core2 will not replace core1 if the secondary PIX takes over, but it's not a problem because core1 and core2 are connected.

2. No, again, the switch and PIX failover are independent of one another. The switches will remain as is if the PIXs fail over but again, not a problem since they are connected.

3. Yes, if switch 1 fails, both the switch and the PIXs will fail over. Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.

4. It depends on how much redundancy you want and how much money you have to throw at it. You could put a second VPN concentrator off switch 2 and configure them for high availability.

Author Comment

by:zillah
ID: 17924130
> No, again, the switch and PIX failover are independent of one another. The switches will remain as is if the PIXs fail over but again, not a problem since they are connected.

If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?

> Yes, if switch 1 (2950) fails, both the switch and the PIXs will fail over. Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.

Just for more clarification, does that mean that if core 1 (4000) fails, both the switch (2950) and the PIX will fail over as well?
Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

> You could put a second VPN concentrator off switch 2 and configure them for high availability.

One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

Regards
LVL 43

Expert Comment

by:JFrederick29
ID: 17925220
> If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

> The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?

When you say core2 is in standby mode, I assume you mean they are running HSRP? If running HSRP, traffic will pass through core2 to get to core1 to reach the active HSRP router. Core2 will still pass traffic even though it is in HSRP standby mode.

> Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

The PIX failover monitors the physical interfaces of the firewalls. If an interface on the active PIX goes down because the switch it is connected to fails, the PIX will fail over to the standby PIX.

> One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?
I would put the other end off core2 for maximum availability.
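As an added illustration (not posted by anyone in this thread), here are the two configuration pieces the answer above relies on: PIX 6.x serial-cable failover with its per-interface standby addresses, and HSRP on the cores. All addresses, interface names and the assumption that the 4000 supervisors run IOS-style HSRP are mine.

```cisco
! ---- Primary PIX 525 (PIX 6.3 syntax, serial failover cable) ----
! Constructed example addresses. "failover ip address" gives the STANDBY
! unit its own address on each interface, so the pair exchanges hello
! tests across every interface, not only over the serial cable.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.2 255.255.255.0
failover
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.3
failover poll 15
! Every interface is monitored: if the active unit loses link on
! "outside" because switch 1 dies while the standby still has link on
! its outside interface, the active unit fails and the secondary takes
! over. Check state and interface tests with:  show failover

! ---- Core1 (assumed IOS-based supervisor) ----
! HSRP gives the LAN one virtual gateway, 10.1.1.1. Core2 is "standby"
! only for that virtual address; it still switches and routes frames,
! which is why the secondary PIX reaches core1 through core2 after a
! PIX failover.
interface Vlan10
 ip address 10.1.1.4 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! If core1's uplink toward the PIX side drops, lower its priority by 20
 ! so core2 (priority 100) claims the virtual gateway instead of traffic
 ! being black-holed at a core whose path out is gone.
 standby 1 track GigabitEthernet1/1 20

! ---- Core2 ----
interface Vlan10
 ip address 10.1.1.5 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track GigabitEthernet1/1 20
```

Note that HSRP tracking watches the cores' own uplinks, while the PIX watches its own interfaces; neither device is told about the other's failover, which is the independence JFrederick29 describes.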
 
LVL 79

Expert Comment

by:lrmoore
ID: 17926441
Just a quick comment. Switches don't work in "standby mode" as in primary/standby like the PIXs do. Spanning tree prevents loops and can put various ports in blocking or forwarding mode, but that's it.
You have several critical flaws in your plan for total redundancy.
You have to consider both layer 2 redundancy (dual switches) and layer 3 redundancy (HSRP, dynamic routing protocols, etc.) as well as the primary/standby failover capabilities of the PIXs.
Since you have 525's, upgrade to 7.21, set them up in active/active failover mode, enable OSPF between the two ISP routers and the PIXs (area 0) and between the PIXs and the 4500 switches inside (area 1), and BGP between the two Internet routers.
