jaysonfranklin
asked on
Pix Failover issue
I have two pix firewalls... one primary, one secondary.... the failover was working as I had both pix's plugged into a switch that the rest of the lan was plugged into...
i now have the pix plugged into a 3560 using that port as the "routing" port. it's working just fine... but if the pix failed over, it would break the network because even though the secondary pix would assume the default gateway IP address of the primary, the secondary pix would still be plugged into a regular port, not the routing port on the 3560.
how do i regain my failover capability? Can the 3560 have more than one routing port? plz help. Thanks!
i now have the pix plugged into a 3560 using that port as the "routing" port. it's working just fine... but if the pix failed over, it would break the network because even though the secondary pix would assume the default gateway IP address of the primary, the secondary pix would still be plugged into a regular port, not the routing port on the 3560.
how do i regain my failover capability? Can the 3560 have more than one routing port? plz help. Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok, while people were out this weekend, i had a chance to play with this....
recap on current config, pix is plugged directly into the 3560 which is doing the routing. there is one port that is set up as the routing port with the 'no switchport' command. that interface has an IP address of 10.10. the default gateway of the switch is 10.1 which is the inside interface of the pix. the switch has a bunch of vlans starting at 101.1 thru lets say 110.1... the pix has a statement that says route 192.168.0.0 255.255.0.0 to the inside interface.
I can make the vlan for the 10.0 network which is pretty much the gateway network to get out to the internet or whatever....but when i try to apply that vlan to the routing interface, it says "Command Rejected; not a switching port"
To make this work, do i have to move the routing to the Pix? I really don't want to do that.... is there a way to keep the 3560 routing between the vlans and still get the Pix to failover?
recap on current config, pix is plugged directly into the 3560 which is doing the routing. there is one port that is set up as the routing port with the 'no switchport' command. that interface has an IP address of 10.10. the default gateway of the switch is 10.1 which is the inside interface of the pix. the switch has a bunch of vlans starting at 101.1 thru lets say 110.1... the pix has a statement that says route 192.168.0.0 255.255.0.0 to the inside interface.
I can make the vlan for the 10.0 network which is pretty much the gateway network to get out to the internet or whatever....but when i try to apply that vlan to the routing interface, it says "Command Rejected; not a switching port"
To make this work, do i have to move the routing to the Pix? I really don't want to do that.... is there a way to keep the 3560 routing between the vlans and still get the Pix to failover?
ASKER
Can I get another comment?
ASKER
No comment all day... should I post another question? i need to get this fixed..
ASKER
Then on the 3560 there are vlans int's are 100.1 101.1 102.1 etc.
Do i make a Vlan for the routing port ? and add the routing port to that vlan? then just add another port to the same vlan where the secondary pix is plugged in? and im assuming on that port i will have to specify 'no switchport' command? How will it not know to only route to the one if the other is down?