Cisco Support Community
Community Member

PIX FailOver and Switch Redundancy

Hello. In the near future I will be implementing failover capabilities to my current PIX and switch architecture. I understand how to configure the PIX for Active/Standby failover, but I am concerned about switch redundancy. I am planning on setting up the following:

Pix firewalls in active/standby mode, each Pix connected to a switch, both switches will be linked by a trunk, and all switch ports and internal PIX interfaces will be in the same VLAN.

Pix --------Switch

My concern is when the PIX fails and activates the standby PIX, how will the switches know which PIX to send all traffic to? Is spanning tree going to handle this?

Any advice or help is appreciated.


Re: PIX FailOver and Switch Redundancy

The switches will automatically learn the new MAC address the moment they see the first frame from the PIX after the failover. Both switches will have the updated CAM table quickly, and therefore nothing extra needs to be done. No spanning tree change is involved because there is no port shutdown, only a MAC address change.

To verify, you can look at the switches' CAM tables before and after the failover using the show cam command.

From your configuration, I can see it will work perfectly ok.
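To make the CAM-table behaviour described above concrete, here is an added example (not from the original thread) that simulates a learning switch: the active firewall's MAC is first learned on one port, and after failover the same MAC is sourced from the standby unit's port, so the entry simply moves. Port names and MAC addresses are constructed; the only assumption is that the newly active unit sources frames with the address the switch already knows, as PIX failover does.

```python
"""Simulate a learning switch's CAM table across a PIX-style failover.

Constructed scenario (not a capture): PIX-A on Fa0/1, PIX-B on Fa0/2,
an inside host on Fa0/3. After failover PIX-B sources frames with the
same MAC the switch learned from PIX-A, so the CAM entry relocates.
"""

PIX_MAC = "0000.5e00.0101"   # constructed: active-unit MAC shared by both units
HOST_MAC = "0000.5e00.0202"  # constructed: an inside host


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # mac -> port, learned from frame source addresses

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port; return (egress ports, mac_moved).

        mac_moved is True when a known MAC shows up on a different port,
        the event a switch would report as a MAC move notification.
        """
        moved = self.cam.get(src_mac) not in (None, in_port)
        self.cam[src_mac] = in_port  # learn or relearn; no STP state change
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            # Unknown destination: flood to all other ports in the VLAN.
            return [p for p in self.ports if p != in_port], moved
        return [out], moved


def failover_scenario():
    """Return (cam_before, cam_after, moved, path_to_pix_after_failover)."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    # Normal operation: active PIX on Fa0/1 exchanges frames with the host.
    sw.receive("Fa0/1", PIX_MAC, HOST_MAC)
    sw.receive("Fa0/3", HOST_MAC, PIX_MAC)
    before = dict(sw.cam)
    # Failover: standby on Fa0/2 becomes active and sends its first frame.
    _, moved = sw.receive("Fa0/2", PIX_MAC, HOST_MAC)
    after = dict(sw.cam)
    # Host traffic toward the firewall is now switched to Fa0/2.
    path, _ = sw.receive("Fa0/3", HOST_MAC, PIX_MAC)
    return before, after, moved, path


if __name__ == "__main__":
    before, after, moved, path = failover_scenario()
    print("before:", before, "\nafter: ", after, "\nmoved:", moved, "path:", path)
```

The `moved` flag is the same condition that drives a switch's MAC-move logging, which is worth watching during a planned failover test so that an unexpected move stands out later.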

Community Member

Re: PIX FailOver and Switch Redundancy

Thank you for the information. I wanted to run this config by someone to make sure I didn't miss anything. I do have one more question about a PIX in active/standby mode. On the standby PIX, what is the status of the FE port connected to the switch? Will it appear as administratively down? I'm just wondering how the switch knows not to send traffic to the port of the standby PIX.

Thanks again for the assistance.

Community Member

Re: PIX FailOver and Switch Redundancy

It appears that you are using failover LAN. When you have this configuration, the standby unit goes to sleep. It does, however, have valid IP addresses for your network. The active PIX will take all the traffic; when you fail over, the standby will assume the configuration of the active unit. The switch will not send traffic to the standby unit if it is asleep. The ports will be up/up. If they were down, then failover would not work. Failover works by the standby unit monitoring all the interfaces of the active unit. When one interface or the entire unit fails, the secondary will become the active. We have decided not to use failover LAN, because it can cause problems, especially if you are having a spanning tree problem. We chose to use BGP between our edge and core routers; the routing protocol will provide the failover.
