«

Does failover work if two PIX are connected via one or more routers
(say on internal interfaces in high availability configurations for
example) or is it mandatory to have layer 2 links between the two
firewalls?

Thank you

In article <. com>,
<> wrote:
oes failover work if two PIX are connected via one or more routers
say on internal interfaces in high availability configurations for
:example) or is it mandatory to have layer 2 links between the two
:firewalls?

I never went very far into failover, so the following might be
inaccurate.

My recollection is that if you are using the network failover instead
of the serial-cable failover, that it -must- be layer 2 links with
no routing.

It is possible that this changed in PIX 7.0; I don't have information
on that point.
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001

wrote:

>Does failover work if two PIX are connected via one or more routers
>(say on internal interfaces in high availability configurations for
>example) or is it mandatory to have layer 2 links between the two
>firewalls?
>
>Thank you

Even though you assign IP addresses to the fialovers (which might make
you think they could withstand layer 3 routing), i think the timeout
tolerances are VERY low (milliseconds definitely <1 second). I found
a dumb setup on a pix where one side of the pix backhauled through
media converters to a switch in a different building. So the heartbeat
had to hop through 2 media convertors ride fiber back to another
building (a football field away)go through a switch to ride fiber and
2 more media convertors back to the original building to get to the
fialover's twin interface. every 20 to 40 seconds we had an interface
failure, which recovered the next second(when it re-attempted). That
was layer 2, but the delays were enough to cause a problem.

DiGiTAL_ViNYL (no email)

I'm asking this question because I saw some uncommented network
diagrams where the two PIX seem to be in failover but each one has the
internal interface connected to a different router.

Kate,

How the PIX failower works: You have two different IP addresses on the
Active and Standby firewalls. But when failower event happens, PIX firewall
SWAP ip addresses, so Standby firewall takes IP addresses which wwere
previously assigned to the Active firewall, and another firewall takes
Standby IP addresses. And hosts which are using firewalls do not see a
difference. Theoretically "statefull failower" interface may be in the
different subnet, but there is no reason to put them that way since all
interfaces in the Active should have L2 link to the corresponding interfaces
on the Standby firewall.

Mike
www.ciscoheadsetadapter.com



<> wrote in message
news: ups.com...
> I'm asking this question because I saw some uncommented network
> diagrams where the two PIX seem to be in failover but each one has the
> internal interface connected to a different router.
>

wrote:

>I'm asking this question because I saw some uncommented network
>diagrams where the two PIX seem to be in failover but each one has the
>internal interface connected to a different router.

Yeah, actually engaging the brain when thinking about it more, the two
interfaces MUST be in the same VLAN.

The diagram may have shown them connecting to a hybrid router/switch.
Switches like the 4006 and 6500 are often both router and switch in a
single chassis. They on one physical box but the router resides on a
blade installed in it. On a normal router you could configure two
interfaces to bridge things. I'm not sure why they would go with that
more complex setup.

Our pixes are distributed across two separate 6509's. Each 6509 is a
router and a switch. However the same vlan is trunked across both
units, so the interfaces do end up on the same vlan. This setup
provides redundancy.


DiGiTAL_ViNYL (no email)

That's what I was thinking too, or maybe that particular diagram was
simply wrong. I've always been used to seeing couples of firewalls
connected through plain switches or L3 switches. Thank you.