Hello. In the near future I will be implementing failover capabilities in my current PIX and switch architecture. I understand how to configure the PIX for Active/Standby failover, but I am concerned about switch redundancy. I am planning on setting up the following:
PIX firewalls in active/standby mode, each PIX connected to a switch, both switches linked by a trunk, and all switch ports and internal PIX interfaces in the same VLAN.
My concern is, when the active PIX fails and the standby PIX takes over, how will the switches know which PIX to send all traffic to? Is spanning tree going to handle this?
The switches will automatically learn the new MAC address the moment they see the first frame from the PIX after the failover. Both switches will have the updated CAM table quickly, and therefore nothing extra needs to be done. No spanning tree change is involved because there is no port shutdown, only a MAC address change.
To verify, you can look at the switches' CAM tables before and after the failover using the show cam command.
From your configuration, I can see it will work perfectly OK.
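As an added illustration (not from this thread or from Cisco), the following Python model walks through what the answer above describes: two switches joined by a trunk, one VLAN, and a transparent-bridging CAM table on each. It assumes, as PIX failover does, that the unit becoming active takes over the active IP and MAC addresses, so the CAM entry for that MAC moves from one port to another rather than a brand-new MAC appearing, and no port changes state. The switch names, port names and MAC address are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample MAC used by whichever PIX unit is active.
PIX_MAC = "0003.e3aa.bb01"


@dataclass
class Switch:
    """Minimal transparent bridge: a CAM table (MAC -> port) plus one trunk."""
    name: str
    trunk_port: str
    peer: Optional["Switch"] = None
    cam: Dict[str, str] = field(default_factory=dict)
    # Record of (mac, old_port, new_port) each time an entry moves ports.
    moves: List[Tuple[str, str, str]] = field(default_factory=list)

    def receive(self, src_mac: str, ingress_port: str, via_trunk: bool = False) -> bool:
        """Learn src_mac on ingress_port, overwriting any stale entry, and let the
        trunked peer learn the same frame on its own trunk port. Returns True when
        the entry moved, i.e. the CAM table had to be updated."""
        old = self.cam.get(src_mac)
        moved = old is not None and old != ingress_port
        if moved:
            self.moves.append((src_mac, old, ingress_port))
        self.cam[src_mac] = ingress_port
        # A frame arriving on an access port is forwarded over the trunk,
        # so the peer learns the MAC on its trunk port. A frame that came
        # in on the trunk is not sent back out of it.
        if not via_trunk and self.peer is not None:
            self.peer.receive(src_mac, self.peer.trunk_port, via_trunk=True)
        return moved

    def show_cam(self) -> str:
        """Text rendering comparable to what 'show cam' would list."""
        rows = [f"  {mac:18} {port}" for mac, port in sorted(self.cam.items())]
        return "\n".join([f"{self.name} CAM table (MAC, port):"] + rows)


def build_topology() -> Tuple[Switch, Switch]:
    sw1 = Switch("SW1", trunk_port="Gi0/1")
    sw2 = Switch("SW2", trunk_port="Gi0/1")
    sw1.peer, sw2.peer = sw2, sw1
    return sw1, sw2


def simulate_failover() -> dict:
    """Active PIX on SW1 Fa0/1, standby PIX on SW2 Fa0/1, one VLAN."""
    sw1, sw2 = build_topology()
    # Steady state: the active unit on SW1 sends traffic.
    sw1.receive(PIX_MAC, "Fa0/1")
    before = (dict(sw1.cam), dict(sw2.cam))
    # Failover: the standby on SW2 takes over the MAC and sends its first
    # frame (in practice a gratuitous ARP). No port goes down, so spanning
    # tree sees nothing; only the CAM entries move.
    sw2.receive(PIX_MAC, "Fa0/1")
    after = (dict(sw1.cam), dict(sw2.cam))
    return {
        "before": before,
        "after": after,
        "moves": {"SW1": list(sw1.moves), "SW2": list(sw2.moves)},
    }


if __name__ == "__main__":
    result = simulate_failover()
    for label in ("before", "after"):
        print(f"--- {label} failover ---")
        for cam in result[label]:
            print(cam)
    print("CAM moves:", result["moves"])
```

Before failover SW1 holds the PIX MAC on Fa0/1 and SW2 holds it on the trunk; after the standby's first frame both entries flip (SW2 to Fa0/1, SW1 to the trunk), which is exactly the pair of changes you would look for in the before/after show cam output.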
Thank you for the information. I wanted to run this config by someone to make sure I didn't miss anything. I do have one more question about a PIX in active/standby mode. On the standby PIX, what is the status of the FE port connected to the switch? Will it appear as administratively down? I'm just wondering how the switch knows not to send traffic to the port of the standby PIX.
It appears that you are using failover LAN. When you have this configuration the standby unit goes to sleep. It does, however, have valid IP addresses for your network. The active PIX will take all the traffic; when you fail over, the standby will assume the configuration of the active unit. The switch will not send traffic to the standby unit if it is asleep. The ports will be up/up. If they were down then failover would not work. Failover works by the standby unit monitoring all the interfaces of the active unit. When one interface or the entire unit fails, the secondary will become the active. We have decided not to use failover LAN, because it can cause problems, especially if you are having a spanning tree problem. We chose to use BGP between our edge and core routers; the routing protocol will provide the failover.