Cmon guys...Im glad youre all catching up on the year's social events, but can someone anaswer my question above?

LOL

[FROM THE ABOVE POST]

"With pix firewalls per context GLBP would give you nothing because there is nothing to load-balance ie. the firewall always appears as the same host to the routers/switches so it will always use the same active gateway so i don't believe you could end up with asymmetric routing."

That is exactly the point the client made, BUT his argument was that the L3 switches would forward the traffic to the FW's HSRP VIP -- and that is why, as he explained, there would not be asymmetric routing. And that is what confused me since I know PIX dont run HSRP.

Now, maybe, as Andrew says, there is a mix up in language. Fine. I do completely understand that whether there is one FW acting as the active, or you have two devices running HSRP where one of those switches is the HSRP active for every VLAN, it would be the same: ONE device is doing all the receiving and forwarding of traffic.

So, the question is, how is it that you are able to direct traffic to the active PIX when you have 2 PIXs in active/standy mode and no mechanism such as HSRP or VRRP or GLBP to run between the firewalls?

Please examine this attached drawing.

V1 and V2 sit at the enterprise edge, facing vendors.

E1 and E2 sit in the DMZ.

V1 learnes interior routes through multihop eBGP with E1 -- and V2 learns interior routes through multihop eBGP with E2.

Both V1 and V2 have the same static route for their eBGP peers pointing to 10.182.18.49 -- which, according to the drawing, is the FW VRRP VIP.

So, what the heck is this address that both switches would point to it when having to go through the FW if not a shared IP that both FWs use? It cant be the case that that address is the physical interface of 1 FW and failover requires manual intervention. LOL..That would be totally insane.

Ideas?

Thanks you so much

Victor

[END ABOVE POST]

Victor

Victor

Apologies, just a quick modification. I said

"And this is the address (ie. 10.182.18.49) you would use as the next hop for both V1/V2 & E1/E2".

Actually you wouldn't. For V1/V2 you would. But E1/E2 would use a different address as the next hop on the firewalls ie. whatever the IP address is on the primary firewall on the interfaces facing E1/E2.

Sorry about that.

Jon

Jorge

jon.marshall4@btinternet.com

Jon

"If the primary fails then the secondary firewall whose physical interface is still 10.182.18.50 will now becomes responsible for 10.182.18.49 and will accept packets destined for this address. So no you don't have to manually fail it over, the secondary just starts to answer to 10.182.18.49."

Bingo!

That is exacyly what I was asking.

Isnt the failover you just described indeed 'PIX failover"?

By the way, does that mean that that diagram is nonsense? Because it describes the failover mechanism between the firewalls as "VRRP" and the 10.182.18.49 address as being the VRRP VIP.

Thanks

Victor

Well you took your time reading the post after all that complaining :-)

"Isnt the failover you just described indeed 'PIX failover"?"

Yes it is, i was just wondering how much detail you actually wanted.

The diagram is misleading it would be more accurate to just label the firewalls as active/standby with the primary address 10.182.18.49.

Jon

Now all my confusion could have been avoided had I just not been such a PIX retard. LOL

Thanks, dude.

Victor