PIX v8.0 redundant-interface + 2600XM router

Answered Question
Oct 23rd, 2008

Hi all,


I plan to configure a PIX-515E running 8.0(3) with a Redundant outside interface (comprising two physical Ethernet interfaces - active/standby), both connected to two ports on a 2611XM router. The PIX will be configured as such:


interface Redundant1
 member-interface Ethernet0
 member-interface Ethernet2
 nameif outside
 security-level 0
 ip address xx.xx.xx.234 255.255.255.248



By doing this I wish to achieve interface controller (by distributing interfaces across multiple modules) and media redundancy.


I am struggling to comprehend how I should configure the interfaces on the 2611XM to work in this configuration.


The PIX will have a global IPv4 address assigned to the logical Redundant outside interface. The 2611XM presently has a single interface (Fa0/0) configured as follows (IPv4 address within the same globally assigned subnet as the PIX outside interface). The 2611XM has a Multilink PPP (multiple ADSL) connection to the world:


interface FastEthernet0/0
 description "Link to PIX_outside"
 ip address xx.xx.xx.233 255.255.255.248
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly max-reassemblies 64
 ip route-cache flow
 duplex full
 speed 100

interface Multilink1
 description "Face to world"
 ip unnumbered FastEthernet0/0


Please can someone advise me as to how I should re-configure the 2611XM so that both physical interfaces (i.e. Fa0/0 and Fa1/0) are able to participate in a dual-link redundant configuration with the PIX.


Many thanks for your time and advice.

tomranson Fri, 10/24/2008 - 04:54

Hi Krisztian,


Thank you for your reply :-)


I had a feeling that bridging may be the way to achieve this, however I have not done this on a router before.


Given your advice, I believe that the following (straw-man) configuration on the router is what's required:


interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 bridge-group 1
!
interface FastEthernet1/0
 no ip address
 no ip directed-broadcast
 bridge-group 1
!
interface BVI1
 ip address xx.xx.xx.233 255.255.255.248
!
interface Multilink1
 ip unnumbered BVI1
!
bridge 1 protocol ieee
bridge 1 route ip


I will try this over the weekend and reply/rate accordingly :-)

tomranson Sun, 11/09/2008 - 07:24

Hi Krisztian,


I can confirm that the following configuration is fully functional.


Router:
-------

bridge irb
!
interface Multilink1
 ip unnumbered BVI1
 ppp multilink
!
interface FastEthernet0/0
 description Link to PIX515E-1 Ethernet4
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0/1
 description Link to PIX515E-1 Ethernet5
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface BVI1
 ip address 172.20.1.1 255.255.255.252
!
bridge 1 protocol ieee
bridge 1 route ip



PIX:
----

interface Ethernet4
 description Link to C1841 Fa0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 description Link to C1841 Fa0/1
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 description Redundant link to C1841
 member-interface Ethernet4
 member-interface Ethernet5
 nameif outside_redundant
 security-level 0
 ip address 172.20.1.2 255.255.255.252



All associated interfaces on both devices are physically up and the configuration is tolerant of physical media/transceiver failures.


I can manually change the active interface on the PIX with the following command:


# redundant-interface Redundant1 active-member [ Ethernet 4 | Ethernet 5 ]


Many thanks for your help with this.


Tom
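
Added example (not code from the thread's posters or from Cisco): a small Python pre-deployment check for the router side of the bridged-pair-plus-BVI design confirmed above. It verifies that `bridge irb` and `bridge N route ip` are present, that the bridged ports carry no IP address, and that the firewall's redundant-interface address falls inside the BVI subnet. The names `parse`, `check_irb`, `WORKING` and `DRAFT` are hypothetical, and `DRAFT` is a constructed variant that, like the earlier draft in the thread, does not list `bridge irb`.

```python
import ipaddress
import re

def parse(config):
    """Split IOS text into ({interface: [sub-commands]}, [global commands])."""
    ifaces, globs, current = {}, [], None
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif line == "!" or line.startswith("bridge ") or current is None:
            current = None  # '!' ends a stanza; 'bridge ...' lines are global
            globs.append(line)
        elif line:
            current.append(line)
    return ifaces, globs

def check_irb(router_cfg, peer_ip):
    """Findings for a bridged port pair plus BVI facing a firewall at peer_ip."""
    ifaces, globs = parse(router_cfg)
    findings, groups = [], {}
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.fullmatch(r"bridge-group (\d+)", cmd)
            if m:
                groups.setdefault(m.group(1), []).append(name)
                if any(c.startswith("ip address ") for c in cmds):
                    findings.append(f"{name}: bridged port still has an IP address")
    if "bridge irb" not in globs:
        findings.append("missing 'bridge irb'")
    for grp, members in groups.items():
        if len(members) < 2:
            findings.append(f"bridge-group {grp}: only one member port")
        if f"bridge {grp} route ip" not in globs:
            findings.append(f"missing 'bridge {grp} route ip'")
        addr = next((c for c in ifaces.get(f"bvi{grp}", []) if c.startswith("ip address ")), None)
        if addr is None:
            findings.append(f"BVI{grp}: missing or no IP address")
        elif ipaddress.ip_address(peer_ip) not in ipaddress.ip_interface(
                "/".join(addr.split()[2:4])).network:
            findings.append(f"BVI{grp}: firewall {peer_ip} is outside its subnet")
    return findings
# Constructed sample: router side of the confirmed configuration, trimmed.
WORKING = ("bridge irb\ninterface FastEthernet0/0\n no ip address\n bridge-group 1\n"
           "interface FastEthernet0/1\n no ip address\n bridge-group 1\n"
           "interface BVI1\n ip address 172.20.1.1 255.255.255.252\n"
           "bridge 1 protocol ieee\nbridge 1 route ip\n")
DRAFT = WORKING.replace("bridge irb\n", "")  # constructed variant without IRB enabled
```

`check_irb(WORKING, "172.20.1.2")` returns an empty list, while the same call on `DRAFT` reports the missing `bridge irb` line.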

