We currently have two CSS 11501's set up with box-to-box failover redundancy. We wish to add PIX Firewalls between the CSS's and their connection to the Internet for added security. What redundancy configurations/topologies are workable for the PIX's and the CSS's? Active-Standby? Active-Active? How should they be connected? Should the CSS's and the PIX's be set up for failover, or just one or the other?
I use the same scheme with a failover pair (active standby) of PIX 515E in front of an active-standby pair of CSS11501. In this particular case the servers and firewalls are connected directly in the CSS.
We are planning to use a pair of PIX 525's in active/standby. I am not too familiar with the 515E, but I assume it configures in a similar manner. Our CSS 11501's are also in an active/standby arrangement. When you say that the firewalls and servers are directly connected in the CSS, I assume that you are using the switch built into the CSS, and that is what we are intending to do as well. I am wondering about the connections between the firewalls and the pair of CSS's. Is each PIX connected to each CSS in a criss-cross fashion? I would think this would be required to allow for the failover of the PIX. Also, does each Internet connection connect only to each of the two firewalls? i.e. the Internet connections are redundant as well, with only one in use at a time. This is how I think we will be setting things up, but it would be nice to know that someone else is successfully using such an arrangement. Thanks again for any assistance.