Cisco Support Community

Integration of HSRP devices

(Hope this is the proper place in NetPro for the following topic.)

We have a normal chain of Cisco devices as follows:

The WAN (Internet router) Ethernet is connected to the outside interface of a Cisco PIX firewall; the other regions on the firewall are DMZ and Inside, connected on separate layer three switches.

The proposed failover plan is to have all of these in a similar chain running in parallel with the original devices, so that if any link or any device from the original chain stops working, the failover chain of devices will take over. This will ensure a smooth passing of data traffic from the inside zone to the internet, or from the outside/internet zone to the DMZ zone.

We can configure the PIX in failover mode successfully. We could also configure the layer three switches (a separate pair of switches per interface) in HSRP mode.

But when we need to integrate all these devices, we ran into problems. In the PIX failover configuration, the inside interface, DMZ, or outside interface of both PIX (that is, active and failover) are connected to one switch per interface (that is, the inside of both PIX will be connected to one switch, the outside of both PIX will be connected to one switch, and so on), so this switch becomes a single point of failure.

Can it be done that the inside of EACH PIX will be connected to two separate switches, or the inside of BOTH PIX will be connected to both switches, and these two switches will run HSRP or GLBP?

And then critical servers in the inside region will have two Ethernet cards teamed up to form one logical interface. These two Ethernet interfaces will be connected to the above-mentioned switches separately. This will ensure server redundancy.

A similar problem is there when connecting the Ethernet ports of two internet (that is, WAN) routers to the two outside interfaces of the PIX.

Any link on integrating such devices would be appreciated.




Re: Integration of HSRP devices

For PIX to successfully work in Active-Standby mode you need the respective interfaces of both firewalls to be able to talk to each other at Layer-2. I am going to talk about a generic design for the internet side and you can apply that to the inside also.

You will have two internet routers, RouterA and RouterB. Behind these internet routers will be two Layer-2 switches, SwitchA and SwitchB. Internet RouterA will connect to SwitchA while RouterB will connect to SwitchB. Both SwitchA and SwitchB will connect to each other via an EtherChannel (minimum of two links). FirewallA will connect to SwitchA on the same VLAN that the internet routers are connected to, and FirewallB will connect to SwitchB in a similar manner.

This will provide you with adequate redundancy and remove any single points of failure on the internet-facing side. You can apply a similar approach on the inside of the firewalls. By the way, to actually take advantage of this physical redundancy you need to configure your Layer-3 parameters (HSRP, routing on the internet routers) appropriately.

Let me know if this was clear enough. If not then I will try to explain it via a diagram provided I get the time.
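
The dual-switch layout described in the reply can be checked for single points of failure by modelling the outside segment as a graph and removing one node or link at a time. This is an added example, not part of the original thread; the topology lists are constructed from the descriptions above, and treating a firewall with no live link as failed is an assumption.

```python
from collections import deque

ROUTERS = {"RouterA", "RouterB"}
FIREWALLS = {"FirewallA", "FirewallB"}

# Constructed topologies. Each tuple is one physical link on the outside VLAN;
# a repeated tuple is a parallel link (EtherChannel member).
SINGLE_SWITCH = [("RouterA", "Switch1"), ("RouterB", "Switch1"),
                 ("FirewallA", "Switch1"), ("FirewallB", "Switch1")]
DUAL_SWITCH = [("RouterA", "SwitchA"), ("RouterB", "SwitchB"),
               ("FirewallA", "SwitchA"), ("FirewallB", "SwitchB"),
               ("SwitchA", "SwitchB"), ("SwitchA", "SwitchB")]
ONE_UPLINK = DUAL_SWITCH[:-1]  # same design, only one inter-switch link


def reachable(links, start):
    """Layer-2 neighbours of start; routers and firewalls do not bridge."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node != start and node in ROUTERS | FIREWALLS:
            continue
        for a, b in links:
            for src, dst in ((a, b), (b, a)):
                if src == node and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
    return seen


def healthy(links, dead=None):
    """True if the segment still works with node `dead` removed."""
    links = [l for l in links if dead not in l]
    # Assumption: a firewall with no live link sees its interface down and
    # counts as failed, so its peer takes over.
    fws = sorted(f for f in FIREWALLS if any(f in l for l in links))
    path = any(reachable(links, f) & ROUTERS for f in fws)
    # Two live firewalls must still see each other at Layer 2.
    peers = len(fws) < 2 or fws[1] in reachable(links, fws[0])
    return path and peers


def single_points_of_failure(links):
    """Every node or link whose loss alone breaks the segment."""
    bad = [n for n in sorted({n for l in links for n in l})
           if not healthy(links, n)]
    bad += [l for i, l in enumerate(links)
            if not healthy(links[:i] + links[i + 1:])]
    return bad
```

With a single inter-switch link, losing that link leaves both firewalls up but unable to see each other, which is why the reply asks for at least two links in the EtherChannel.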
