Solved

PIX Failover and Redundancy switch replacement

Posted on 2006-11-11
Last Modified: 2011-09-20
I have got this scenario:

Outside (internet)—Switch 1—Primary PIX—Core1-----LAN

Outside (internet)—Switch 2—Secondary PIX—Core2-----LAN

Switch 1------Switch 2 (connected via Ethernet link trunk)

Primary PIX------Secondary PIX (connected through failover cable via serial interface)

Core 1------Core 2 (connected via Ethernet link trunk)

VPN concentrator is connected between switch 1 (active) and core 1

We have got active outside switch 1 (2950), active primary PIX (525), and active core 1 (4000).

And also we have got inactive outside switch 2 (2950), inactive secondary PIX (525), and inactive core 2 (4000).

Redundancy has been taken into consideration.

1- If the primary PIX fails, the standby PIX (secondary) will take over (obvious). Now, will core 1 (active) be replaced by core 2 because the secondary PIX takes over?

2- In the same way, will switch 1 (active) be replaced by switch 2 because the secondary PIX takes over?

3- Does the same thing happen to the PIX if switch 1 fails or core 1 fails? (i.e. if switch 1 fails, obviously switch 2 takes over; does that mean the primary PIX will be replaced by the secondary one?)

4- If the VPN fails, shouldn't there have been redundancy? (i.e. Is this a drawback in the design?)
Question by: zillah
Accepted Solution by: JFrederick29 (earned 250 total points)
1. No, core2 will not replace core1 if the secondary PIX takes over, but it's not a problem because core1 and core2 are connected.

2. No, again, the switch and PIX failover are independent of one another. The switches will remain as is if the PIXes fail over but, again, not a problem since they are connected.

3. Yes, if switch 1 fails, both the switch and PIXes will fail over. Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.

4. It depends on how much redundancy you want and money you have to throw at it. You could put a second VPN concentrator off switch 2 and configure them for high availability.
Author Comment by: zillah
> No, again, the switch and PIX failover are independent of one another. The switches will remain as is if the PIXes fail over but, again, not a problem since they are connected.

If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?

> Yes, if switch 1 (2950) fails, both the switch and PIXes will fail over. Switch2 will become active and the secondary PIX will become active due to the failed link to switch1.

Just for more clarification, does that mean that if core 1 (4000) fails, both the switch (2950) and PIX will fail over as well?
Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

> You could put a second VPN concentrator off switch 2 and configure them for high availability.

One end of the VPN is off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

Regards
Expert Comment by: JFrederick29
> If the secondary PIX takes over (when the primary PIX fails), how will the traffic pass to core 1?

> The answer will be through core 2. Am I right? Yes, I know that core 2 is connected to core 1, but core 2 is in standby mode. Does that mean the traffic will pass to core 1 through core 2, even if core 2 is in standby mode (inactive)?

When you say core2 is in standby mode I assume you mean they are running HSRP? If running HSRP, traffic will pass through core2 to get to core1 to reach the active HSRP router. Core2 will still pass traffic even though it is in HSRP standby mode.

> Which mechanism within the switch (2950) or core (4000) configuration will force the PIX to fail over?

The PIX failover monitors the physical interfaces of the firewalls. If an interface on the active PIX goes down because the switch it is connected to fails, the PIX will fail over to the standby PIX.

> One end of the VPN is off switch 2, and what about the other end? Is it off core 1 as well, or core 2?

I would put the other end off core2 for maximum availability.
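As an added illustration of the interface-monitoring behaviour described above (example configuration written for this page, not posted by anyone in the thread), here is a PIX 7.2 fragment for the primary unit with the serial failover cable from the question; interface names, addresses and timer values are assumed, and the IP ranges are documentation/private space:

```text
! PIX 7.2, primary unit. The failover cable on the serial port carries
! unit state, so no "failover lan ..." commands are used here.
!
! Each monitored interface needs a standby address: the active unit
! sends hellos to the standby address and the standby unit replies,
! which is how a dead link to switch 1 or core 1 is detected.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
failover
! Only interfaces listed here are health-checked. Leaving an interface
! unmonitored means its switch failing will NOT trigger a failover.
monitor-interface outside
monitor-interface inside
! Hello every 3 s per monitored interface; declare it failed after 15 s
! without a reply (the defaults are longer, so failover is slower).
failover polltime interface 3 holdtime 15
! Fail over as soon as one monitored interface is failed on the active
! unit while the same interface is healthy on the standby unit.
failover interface-policy 1
```

After applying this on both units, `show failover` lists each monitored interface as Normal or Failed on both the active and standby side, which is the quickest way to confirm that a switch failure would be seen.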
Expert Comment by: lrmoore
Just a quick comment. Switches don't work in "standby mode" as in primary/standby like the PIXes do. Spanning tree prevents loops and can put various ports in blocking or forwarding mode, but that's it.
You have several critical flaws in your plan for total redundancy.
You have to consider both layer 2 redundancy (dual switches) and layer 3 redundancy (HSRP, dynamic routing protocols, etc.) as well as the primary/standby failover capabilities of the PIXes.
Since you have 525s, upgrade to 7.21, set them up in active/active failover mode, enable OSPF between the two ISP routers and the PIXes (area 0) and between the PIXes and the 4500 switches inside (area 1), and BGP between the two Internet routers.