Two PIXes & a Router

I'm looking at setting up a PIX failover and having it plugged into the other interface on the same router that the primary PIX is plugged into. Since the router interfaces need to have different subnets, my question is: can this be done? Or does a switch need to be between the PIXes and the router so they have the same subnet?

          Router
          /    \
         /      \
    Primary    Failover
      PIX        PIX

Thanks in Advance!!!

Greg

I am not familiar with the details myself, but if I recall correctly, Cisco's position is that using different subnets is not supported and is likely to lead to problems (e.g., upon failover suddenly the old MAC doesn't work anymore because the old MAC is on a different segment.)

Walter Roberson

You could use HSRP on the router to avoid different IPs, but that doesn't solve the MAC issue on the PIXes (PIX 7 may allow you to set the MACs - I can't remember). Then your issue is on the inside with the MACs and IPs, and even then, can a setup like this maintain any "stateful" connections?

Is there some reason you can't use the actual failover setup for Cisco? A fail-over PIX is much less than the full PIX.

none

It's a failover PIX that I'm trying to install and I am using the failover setup from Cisco.

Greg

In which case, you need to have both PIX on the same subnet so they can reach each other without going through a router to exchange keepalives.

Ditto for every interface on both PIX.

If you are worried about loss of connectivity due to switch failure, then you should also be worried about router failure and build redundancy from end to end rather than just in the PIX. There is a white paper on my web site which shows one way it can be done, but be forewarned it can get ugly if you are not careful and NAT is involved.

Good luck and have fun!

Vincent C Jones

You can add a switch or configure a bridge-group on the router, so the requirement of multiple segments on router interfaces is not there anymore.

Erik Tamminga
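A worked configuration for the approach Erik describes, and for the same-subnet requirement Vincent states, added here as an illustration; it is not taken from any poster in the thread. The router's two Ethernet ports are placed in one bridge group with IRB, so a single BVI address sits on the shared outside subnet, and the PIX pair (PIX 6.x failover syntax) uses that one subnet for both its primary and standby outside addresses. Interface names, the outside/inside names and all addresses are assumptions for illustration.

```cisco
! --- Router (Cisco IOS with IRB) --- added example, not from the thread.
! Interface names and addresses are assumptions for illustration.
! Both Ethernet ports join bridge group 1; the router's own address for
! that segment lives on BVI1, so both PIXes see one subnet and one gateway.
bridge irb
!
interface FastEthernet0/0
 description To primary PIX, outside
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description To failover PIX, outside
 no ip address
 bridge-group 1
!
interface BVI1
 description Shared outside subnet for the PIX pair
 ip address 192.0.2.1 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip

! --- Primary PIX (PIX 6.x syntax) --- same subnet on every interface.
! The "failover ip address" lines are the addresses the standby unit
! uses; each must be in the same subnet as the primary address on that
! interface, which is why the router cannot present two different subnets.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.2
failover poll 15
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

On a failover the standby PIX assumes the active unit's outside address, so the router only has to relearn that MAC behind the other bridge port; `show bridge 1` on the router and `show failover` on the PIX show whether that happened. The inside interfaces need the same treatment (one shared segment, as Vincent says, "for every interface on both PIX"), and the router itself remains a single point of failure in this layout.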

OK - sorry, I misread the post before - I have a switch (actually three ports in a VLAN on a switch) in between my fail-over set and the upstream router - you can still use HSRP on the router with a switch if you are concerned about one of the router ports going bad.

           router
             |
             |
    ------------- (switch)
      |         |
      |--FOC----|
    Prim.      Sec.
     PIX       PIX

FOC = fail-over cable

none

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.