PIX535 to 4507-R/6506 Connections (Trunking versus Switching)

travis_bonfigli
Level 4

Hello All!

I have done some searching in the forums regarding my question, but I can't find anything conclusive here or in the documentation.  Here are the particulars with my setup:

1. Each PIX535 firewall pair running 8.0(3) with 8 interfaces (2FE and 6GE)

2. All connections into the PIX535s are from either 6506 or 4507-R switches and there are two (2) connections from each of those switches (one connection to the primary PIX and one connection to the failover PIX)

3. The switch IOS versions are all 12.2 or higher

The quick background is that we just took over this PIX535 firewall pair and the previous engineer left things in a less than desirable state from both a configuration and documentation perspective...it is a mess.  In our attempt to sort things out and perform a failover test for our client (which they are demanding after seeing some of the other "goodies" the previous engineer left behind) we ran across a few things we want to understand better.

So, in reading through the PIX documentation I ran across the following document (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/failover.pdf) that has the following statement down in the Failover Notes section on page 10-21 where it says to turn off trunking on all ports that are connected to the PIX.  I know that the document is for 6.2, but I have seen/read this in other locations as well (don't have the links handy) and I have the following questions regarding the settings for the ports that are connected to the PIX firewalls from the switches (and I have this question because we have three (3) of our switches with their ports set as TRUNK and the other three (3) have their ports set up as simple SWITCHPORTS):

1. Is the statement to turn off trunking a "recommendation" or will failover simply not work on ports where the switch port is set to trunking? (We are not confident about testing failover and causing an outage until we can firm up the answer to this question and a failover was never attempted after these were installed in the environment 3 years ago!)

2. It is clear that the ports that are set to trunking work (we are up and running with no problems on our primary PIX) and pass the traffic, but we are also curious if there is a specific reason to set the ports to trunk versus setting them to switchports - the only reason we can think of is that the trunk setting allows us to have traffic from other VLANs make its way across the link to the PIXes, but we don't see any other reason/benefit?

3. Are there any performance related concerns/gotchas that we need to be concerned about with the ports being set to trunk versus switch ports?

Okay, thank you in advance for any/all assistance and as always your help is VERY appreciated!!

Cheers,

Travis

Accepted Solution

Jon Marshall
Hall of Fame

Travis

1) Never come across that before about having to turn off trunking. If you click on the link below and have a read of the section, it says VLANs are supported in failover, just not on the actual failover LAN interface, so perhaps that is what it is referring to.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1116060

What I can tell you is that we ran active/standby PIX 525s with v6.3 in our data centres and they were using logical VLAN interfaces for some of the DMZs and it worked fine for us.

2) You obviously only need a trunk link when you are using logical VLAN interfaces, i.e. you are running 802.1q between the PIX and the switch. And the only reason I know for doing this is if you physically run out of interfaces and you need additional DMZs. If you have enough physical interfaces then I can't see the need for trunk connections to the PIX.

3) The only performance issue is that if you have multiple VLANs going down a single link then obviously each VLAN will not get the full bandwidth of the link. Not an issue unless each VLAN actually needs to utilise most of the link.

Jon


4 Replies


Jon:

Excellent response and thank you!  Yes, after looking over the document you reference in your link and then going back and looking over the document in the link I provided, I didn't realize that it was under the "LAN Failover" section (I have read about 300 pages of documentation in two nights trying to get things sorted out so I will chalk this one up to "documentation fatigue" :-) I thought I was reading about failover in general).  Thank you so much for pointing that out!

It looks like we are good-to-go with the failover piece of things and the trunking/switching setup.  I believe that you have identified the use of the trunk ports: we have about 10 VLANs in addition to the main VLANs that flow over those links because we are out of available physical interfaces (well, we are running the unlimited license so we could put in another GE, at which point there would be no available slots, but funds are very, very tight right now).  So that makes a lot of sense in our configuration.

Thank you again for your time and help and I really appreciate the assistance!!!

Cheers,

Travis

Travis

No problem, glad to have helped. Good luck with the testing.

Jon

Jon/All:

I just wanted to say 'Thank you!!!' for the assistance!  I implemented the fix today for our PIX535 firewalls by adding in the standby IPs for the interfaces that were missing them.  Worked perfectly and interestingly, the switchports and trunk ports all came up in 15-30 seconds (which was pretty quick in my opinion after doing a lot of reading on the negotiation process).  As soon as my interfaces came up everything transitioned from "Normal (Waiting)" to just "Normal".  After that we decided to go "all in" and run the "no failover active" command on the primary PIX and everything failed over flawlessly!!!  We let the secondary run for about 10 minutes as the primary and then failed back with no issues.  We actually have a working (and properly configured) set of PIX firewalls at this point!  Thank you again to all for the assistance!!!  I have some output to post up tomorrow (don't have access to my log file from SecureCRT right now...).

Cheers

Travis
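Two points from this thread can be checked straight from a PIX running config: Jon's observation that a switch port only needs to be an 802.1q trunk when the PIX side uses logical VLAN (sub)interfaces, and the fix Travis implemented, which was adding the missing standby addresses so failover could leave the Waiting state. The Python script below is an added example, not code from the thread or from Cisco. It parses a constructed PIX 8.0-style config excerpt (interface names, addresses and VLAN numbers are hypothetical and embedded inline), lists the named interfaces that lack a `standby` address, and reports which physical ports carry subinterfaces and therefore need a trunk on the switch side versus which can stay plain access ports.

```python
import re
from collections import defaultdict

# Constructed PIX 8.0-style running-config excerpt (hypothetical names and
# addresses, not taken from the thread). GigabitEthernet2 carries two 802.1q
# subinterfaces; dmz10 is deliberately missing its standby address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248 standby 192.0.2.3
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface GigabitEthernet2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet2.10
 vlan 10
 nameif dmz10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2.20
 vlan 20
 nameif dmz20
 security-level 50
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
!
interface GigabitEthernet3
 description LAN Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
"""


def parse_interfaces(config_text):
    """Split the config into {interface_name: [indented lines]} blocks.

    A block starts at an 'interface X' line and ends at '!', a blank line
    or any other unindented line.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit(config_text):
    """Report standby-address gaps and which ports need a trunk on the switch."""
    blocks = parse_interfaces(config_text)
    missing_standby = []
    trunk_parents = defaultdict(list)
    access_ports = []
    for name, lines in blocks.items():
        if not any(l.startswith("nameif ") for l in lines):
            # Subinterface parents and the failover LAN link carry no nameif;
            # the failover link gets its standby address via 'failover interface ip'.
            continue
        ip_line = next((l for l in lines if l.startswith("ip address ")), "")
        if " standby " not in ip_line:
            missing_standby.append(name)
        if "." in name:
            # 802.1q subinterface: the switch port facing the parent must be
            # a trunk that carries this VLAN.
            parent = name.split(".", 1)[0]
            vlan = next(int(l.split()[1]) for l in lines if l.startswith("vlan "))
            trunk_parents[parent].append(vlan)
        else:
            # Plain physical interface: an access (switchport) port is enough.
            access_ports.append(name)
    return {
        "missing_standby": missing_standby,
        "trunk_parents": {p: sorted(v) for p, v in trunk_parents.items()},
        "access_ports": access_ports,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for iface in report["missing_standby"]:
        print(f"{iface}: no standby address configured")
    for parent, vlans in report["trunk_parents"].items():
        print(f"{parent}: switch port must be an 802.1q trunk carrying VLANs {vlans}")
    for iface in report["access_ports"]:
        print(f"{iface}: switch port can be a plain access port")
```

Run against a real `show running-config` capture, the `missing_standby` list is the set of interfaces to fix before a failover test, and `trunk_parents` is the set of switch ports that genuinely need `switchport mode trunk`; anything in `access_ports` that is currently trunked is a candidate for simplifying back to an access port.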
