Does failover work if two PIX are connected via one or more routers (say on internal interfaces in high availability configurations for example) or is it mandatory to have layer 2 links between the two firewalls?
Thank you
In article , wrote:
:Does failover work if two PIX are connected via one or more routers
:(say on internal interfaces in high availability configurations for
:example) or is it mandatory to have layer 2 links between the two
:firewalls?
I never went very far into failover, so the following might be inaccurate.
My recollection is that if you are using the network failover instead of the serial-cable failover, that it -must- be layer 2 links with no routing.
It is possible that this changed in PIX 7.0; I don't have information on that point.
Even though you assign IP addresses to the failovers (which might make you think they could withstand layer 3 routing), I think the timeout tolerances are VERY low (milliseconds definitely
I'm asking this question because I saw some uncommented network diagrams where the two PIX seem to be in failover but each one has the internal interface connected to a different router.
Kate,
How the PIX failover works: You have two different IP addresses on the Active and Standby firewalls. But when a failover event happens, the PIX firewalls SWAP IP addresses, so the Standby firewall takes the IP addresses which were previously assigned to the Active firewall, and the other firewall takes the Standby IP addresses. And hosts which are using the firewalls do not see a difference. Theoretically the "stateful failover" interface may be in a different subnet, but there is no reason to put them that way since all interfaces in the Active should have an L2 link to the corresponding interfaces on the Standby firewall.
Mike
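To make the address-swap point concrete, here is a PIX 6.3-style failover configuration for the primary unit, added as an illustration and not taken from any poster's equipment. The interface names, addresses and the failover key are constructed placeholders; the standby unit learns this configuration from the primary once LAN-based failover is enabled.

```cisco
! Primary PIX, PIX 6.3 syntax (constructed example; all addresses are placeholders)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10

! Active addresses: these are what hosts and neighbouring routers use
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.2 255.255.255.0
ip address failover 192.168.254.1 255.255.255.252

! Standby addresses: one per interface, each in the SAME subnet as the
! active address above. On failover the two units swap these pairs, which
! only works when both units sit on the same layer 2 segment per interface.
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.3
failover ip address failover 192.168.254.2

! LAN-based failover over a dedicated switched segment; the key keeps the
! failover and configuration-replication messages from being read or spoofed
failover lan unit primary
failover lan interface failover
failover lan key PLACEHOLDER_KEY
failover lan enable

! Stateful failover: connection table is replicated over the same link
failover link failover

! Hello interval in seconds on every interface; a missed set of hellos
! on a link is what triggers the swap
failover poll 3

failover
```

Because each `failover ip address` entry names a single address in the active interface's own subnet, a pair of PIX whose inside interfaces hang off two different routers (two subnets) has no address the standby could legitimately assume; that is the configuration-level reason the interfaces have to share a VLAN. The `failover poll` value also shows why the units need a direct segment: the hellos are plain per-interface keepalives, not routed probes.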
Yeah, actually engaging the brain when thinking about it more, the two interfaces MUST be in the same VLAN.
The diagram may have shown them connecting to a hybrid router/switch. Switches like the 4006 and 6500 are often both router and switch in a single chassis. They are on one physical box but the router resides on a blade installed in it. On a normal router you could configure two interfaces to bridge things. I'm not sure why they would go with that more complex setup.
Our pixes are distributed across two separate 6509's. Each 6509 is a router and a switch. However the same vlan is trunked across both units, so the interfaces do end up on the same vlan. This setup provides redundancy.
DiGiTAL_ViNYL (no email)
That's what I was thinking too, or maybe that particular diagram was simply wrong. I've always been used to seeing couples of firewalls connected through plain switches or L3 switches. Thank you.