PIX Failover and Redundancy switch replacement

Posted on 2006-11-11
Last Modified: 2011-09-20
I have got this scenario:

Outside (internet)—switch 1—Primary PIX—Core1-----LAN

Outside (internet)—Switch 2—Secondary PIX—Core2-----LAN

Switch 1------Switch 2 (connected via Ethernet link trunk)

Primary PIX------Secondary PIX (connected through failover cable via serial interface)

core 1------core 2 (connected via ethernet link trunk)

VPN concentrator is connected between switch 1 (active) and core 1

We have got active outside switch 1 (2950), active primary PIX (525), and active core 1 (4000).

And also we have got inactive outside switch 2 (2950), inactive secondary PIX (525), and inactive core 2 (4000).

Redundancy has been taken into consideration.

1- If primary PIX fails, the standby PIX (secondary) will take over (obvious). Now, will core 1 (active) be replaced by core 2, because the secondary PIX takes over?

2- In the same way, will switch 1 (active) be replaced by switch 2, because the secondary PIX takes over?

3- Does the same thing happen to the PIX if switch 1 fails or core 1 fails? (i.e. if switch 1 fails, obviously switch 2 takes over; does that mean the primary PIX will be replaced by the secondary one?)

4- If the VPN fails, shouldn't there have been redundancy? (i.e. is this a drawback in the design?)
Question by:zillah
Accepted Solution by JFrederick29 (LVL 43), earned 1000 total points
ID: 17922111
1. No, core2 will not replace core1 if the secondary PIX takes over, but it's not a problem because core1 and core2 are connected.

2. No, again, the switch and PIX failover are independent of one another. The switches will remain as is if the PIX's fail over, but again, not a problem since they are connected.

3. Yes, if switch 1 fails, both the switch and PIX's will fail over. Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.

4. It depends on how much redundancy you want and money you have to throw at it. You could put a second VPN concentrator off switch 2 and configure them for high availability.
Author Comment by zillah
ID: 17924130
[cut]
No, again, the switch and PIX failover are independent of one another. The switches will remain as is if the PIX's fail over, but again, not a problem since they are connected.
[/cut]
If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core1 through core 2, even if core 2 is in standby mode (inactive)?


[cut]
Yes, if switch 1 (2950) fails, both the switch and PIX's will fail over. Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.
[/cut]
Just for more clarification, does that mean also if core 1 (4000) fails, both the switch (2950) and PIX will fail over as well?
Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?


[cut]
You could put a second VPN concentrator off switch 2 and configure them for high availability.
[/cut]
One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

Regards
Expert Comment by JFrederick29 (LVL 43)
ID: 17925220
>If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

>The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core1 through core 2, even if core 2 is in standby mode (inactive)?

When you say core2 is in standby mode, I assume you mean they are running HSRP? If running HSRP, traffic will pass through core2 to get to core1 to reach the active HSRP router. Core2 will still pass traffic even though it is in HSRP standby mode.

>Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

The PIX failover monitors the physical interfaces of the firewalls. If an interface on the active PIX goes down because the switch it is connected to fails, the PIX will fail over to the standby PIX.

>One end of the VPN off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

I would put the other end off core2 for maximum availability.
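The two mechanisms discussed above (PIX interface monitoring triggering failover, and HSRP on the cores, where the standby router still forwards transit traffic) as a constructed configuration sketch. This is an added example, not a config from the thread; it assumes PIX 7.x command syntax, IOS on the core switches, and made-up interface names and addresses.

```text
! --- Primary PIX (PIX 7.x syntax; addresses and interface names are assumed) ---
hostname pix-primary
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
! Cable-based failover over the serial cable: the unit holding the "primary"
! end of the cable is primary, so no "failover lan" commands are needed.
failover
! Monitor both data interfaces. If the active unit's outside interface loses
! link because switch 1 dies, the active unit fails and the standby takes over.
monitor-interface outside
monitor-interface inside
! Interface hello interval in seconds (how fast a dead link is noticed).
failover polltime interface 5
!
! --- Core1 (IOS, HSRP active; the PIX inside default route points at 10.1.1.1) ---
interface Vlan10
 ip address 10.1.1.253 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! If the PIX-facing uplink (assumed port) goes down, priority drops to 90,
 ! below core2's 100, so core2 becomes the HSRP active router.
 standby 1 track GigabitEthernet1/1 20
!
! --- Core2 (IOS, HSRP standby) ---
! Standby only means it does not own the 10.1.1.1 virtual address; it still
! routes any packet it receives, so traffic from the secondary PIX can cross
! the core1-core2 trunk to reach the active router, as the answer describes.
interface Vlan10
 ip address 10.1.1.254 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
```

The secondary PIX carries a mirror of this configuration through failover replication; only the unit role differs.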
Expert Comment by lrmoore (LVL 79)
ID: 17926441
Just a quick comment. Switches don't work in "standby mode" as in primary/standby like the PIX's do. Spanning tree prevents loops and can put various ports in blocking or forwarding mode, but that's it.
You have several critical flaws in your plan for total redundancy.
You have to consider both layer2 redundancy (dual switches) and layer 3 redundancy (HSRP, dynamic routing protocols, etc) as well as the primary/standby failover capabilities of the PIX's.
Since you have 525's, upgrade to 7.21, set them up in active/active failover mode, enable OSPF between the two ISP routers and the PIX's (area 0) and between the PIX's and the 4500 switches inside (area1) and BGP between the two Internet routers.