Cisco Support Community
New Member

Redundant configuration with two PIX firewalls

I have two PIX firewalls, configured for stateful failover. On the inside, both Ethernet interfaces are connected to one switch. The outside interfaces are also connected to one switch. Because this is a single point of failure I want to connect the inside Ethernet interfaces of both PIX firewalls to two different switches, which are connected with each other. Somehow, the stateful failover seems not to be working. The address tables of the switches should be updated in time. Looking at the CCO, all I can find are examples of configurations with one switch used. Does anybody have a real redundant working stateful failover configuration with two PIX firewalls, two switches on the inside and two switches on the outside?

Thanks

Dennis

3 REPLIES
New Member

Re: Redundant configuration with two PIX firewalls

Hi.

As long as the interfaces of each PIX connect to the same VLANs on different switches (that is inside interface of PIX 1 connects to VLAN x on Switch 1 and inside interface of PIX 2 connects to VLAN x on switch 2) and you have a trunk between the two switches, I don't see why it wouldn't work...

Rgds.

NM

New Member

Re: Redundant configuration with two PIX firewalls

Neither do I. The switches do need to be trunked. I am afraid that the switches used in this case are not really trunked but only cross-wired connected. If the switches are trunked, then they know each other's MAC address table and there should be no problem.... I will test and check the situation myself. Thanks for your quick response.

Dennis

New Member

Re: Redundant configuration with two PIX firewalls

How are the switches connected to the Internet router/routers? Are there two or one? Also enable spanning tree portfast on all four switch ports. And yes, it is not recommended to do this for infrastructure; however, it is recommended for the PIX for failover, or it will take the port 50 seconds to come up and that will not be stateful failover.
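To make the two replies above concrete, here is an added example of the switch-side configuration they describe; it is not from the thread or from Cisco's documentation. It assumes Cisco IOS switches, that VLAN 10 is the inside VLAN, that FastEthernet0/1 faces the PIX inside interface and that FastEthernet0/24 is the inter-switch link (all of these names are assumptions). Switch 2 mirrors this with its own PIX-facing port, and the outside pair of switches gets the same treatment with the outside VLAN.

```cisco
! Constructed example, not from the original thread.
! --- Switch 1 (inside side) ---
vlan 10
 name INSIDE
!
! Port facing the PIX inside interface: an access port in the inside VLAN.
! PortFast makes the port forward immediately when the standby PIX takes
! over, instead of waiting roughly 50 s for spanning tree to move through
! listening and learning. Use PortFast only on ports facing end devices
! such as the PIX, never on switch-to-switch links.
interface FastEthernet0/1
 description PIX-1 inside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! The link to Switch 2 must be a real 802.1Q trunk that carries VLAN 10,
! not a plain cross-connect between two access ports. With a trunk, the
! MAC address the active PIX uses on the inside is learned by both
! switches, and after a failover it moves to the port facing the newly
! active unit. (The encapsulation line is needed on platforms that also
! support ISL; a dot1q-only switch rejects it and simply omits it.)
interface FastEthernet0/24
 description Trunk to Switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! Checks after forcing a failover on the PIX pair:
!   show interfaces FastEthernet0/24 trunk   (VLAN 10 listed as allowed and active)
!   show mac-address-table vlan 10           (inside MAC now on the active PIX's port)
```

The thing to verify is the MAC address table, as the original poster notes: on both switches the PIX inside MAC should show up behind the port that leads to the currently active unit, either directly or via the trunk, within a second or two of the failover.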
