moving my single point of failure up one level

Answered Question
Mar 11th, 2010

HI NetPros,

I am trying to move my single point of failure up from my 3750 to my pix 515e.  Currently, the 3750 has a default route to the pix inside interface.  I have a second 3750 that I have configured with HSRP.  I would like to add it in the mix, such that the 2 3750s act as one (HSRP) and connect up to the 515.  What I am not sure of is whether or not this is feasible, as the 515 routes to interfaces based on name (inside, outside, etc).

Please advise.

Jon Marshall Thu, 03/11/2010 - 15:33

t00832112 wrote:

HI NetPros,

I am trying to move my single point of failure up from my 3750 to my pix 515e.  Currently, the 3750 has a default route to the pix inside interface.  I have a second 3750 that I have configured with HSRP.  I would like to add it in the mix, such that the 2 3750s act as one (HSRP) and connect up to the 515.  What I am not sure of is whether or not this is feasible, as the 515 routes to interfaces based on name (inside, outside, etc).

Please advise.

Ronald

Not sure I understand your query. The problem with having only one pix and 2 switches is that if the switch that the pix connects to fails then you can't connect to the pix.

Presumably the vlans are routed on your 3750 switches? If so the only advantage to having a second 3750 would be that you could spread your clients across both switches and if the switch that failed wasn't the one connected to the pix you would get some level of redundancy. Alternatively if you have servers you could dual home to both switches.

I would look to stack the switches as they are 3750 switches rather than look at them as separate switches.

Jon

Ronald Spencer Thu, 03/11/2010 - 15:43

My 3750 is at the edge (of my corporate network).  At handoff, it goes to the pix which then routes to a 6509 and out to the public.  Ultimately, the goal is redundancy.  In the future (not sure how far) we are going to replace the pix with dual ASAs.  We are also going to add another 6509.

currently we have this:

    WAN
     |
    6509
     |
    PIX
     |
    3750
     |
    LAN

Was hoping that we could do this:

         WAN
          |
         6509
          |
         PIX
         / \
     3750   3750
       |      |
      LAN    LAN

Correct Answer
Jon Marshall Thu, 03/11/2010 - 15:53

Ronald

The problem you have is that you can't have 2 inside interfaces on the pix in the same subnet and that's why it wouldn't work. So you could only really connect the pix to one of your 3750 switches but that isn't a problem if you stack the 3750 switches because then they are seen as one logical switch.

Jon

Ronald Spencer Thu, 03/11/2010 - 16:26

Hi Jon,

My experience with PIX is limited and your input has been valuable.  I could introduce another L2 device above the 3750, but that does not get my SPoF to the PIX.

As an aside, can you create a virtual interface on the pix that will reference 2 physical interfaces (an HSRP for PIX -if you will)?

Correct Answer
Jon Marshall Thu, 03/11/2010 - 16:39

t00832112 wrote:

Hi Jon,

My experience with PIX is limited and your input has been valuable.  I could introduce another L2 device above the 3750, but that does not get my SPoF to the PIX.

As an aside, can you create a virtual interface on the pix that will reference 2 physical interfaces (an HSRP for PIX -if you will)?

Ronald

Trouble you have is that you won't be able to use 2 addresses out of the same subnet on the pix as it will complain about overlapping addresses just as a router would.

You could have 2 inside interfaces i.e. inside1 and inside2 but they would need to be in different subnets. The other problem is you would need to ensure that traffic from the 3750 switches always went in and came back on the same inside interface or the firewall will complain.

You could conceivably have 2 interfaces connecting from the pix i.e. inside1 and inside2. You could then have 2 default-routes on the 3750s, one with an AD of 250 so it was only used if the first failed. But I'm very dubious as to how well this would work, if at all, and it would need testing which unfortunately I can't do for you as I have no access to pix firewalls. You might well need to run IP SLA on the 3750 to test when the interface had gone down on the pix as well.

You certainly wouldn't get stateful failover between the interfaces and I can see the NAT being an issue if the interfaces were suddenly switched.

For redundancy at the firewall level as you say you really need a pair of firewalls in active/standby or active/active mode.

Jon
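For reference, this is what the two-default-route idea Jon sketches above looks like on a 3750: an IP SLA probe toward the primary PIX inside interface drives a track object, and a floating static (AD 250) points at the second inside interface. This is an added example, not configuration from the thread or from Jon; every address, VLAN number and the IOS syntax version are assumptions.

```cisco
! Added example (not from the thread): IP SLA tracked default route plus a
! floating static on a 3750. All values below are assumed:
!   PIX inside1 = 10.1.1.1/24, 3750 SVI Vlan11 = 10.1.1.2
!   PIX inside2 = 10.1.2.1/24, 3750 SVI Vlan12 = 10.1.2.2
! Syntax assumes 12.2(50)SE or later ("ip sla" rather than "ip sla monitor").
!
! Probe the primary PIX inside interface every 5 seconds from the
! directly connected SVI, so the probe only tests that one link.
ip sla 1
 icmp-echo 10.1.1.1 source-interface Vlan11
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows probe reachability; the delay dampens flaps so a
! single lost echo does not swing the default route back and forth.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! The primary default route (AD 1) is withdrawn when track 1 goes down ...
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
! ... and the floating static (AD 250) toward inside2 is installed instead.
ip route 0.0.0.0 0.0.0.0 10.1.2.1 250
```

Verify with `show track 1` and `show ip route 0.0.0.0` after shutting the inside1 link. This only moves the switch's outbound default route; it does nothing about the PIX's return path, its NAT translations or its connection state, which is the reason Jon is dubious and recommends a real firewall pair instead.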

Ronald Spencer Thu, 03/11/2010 - 16:48

This makes sense and is what we ultimately intend to do.  Thank you for your help.
