Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
338
Views
0
Helpful
3
Replies

Pix Firewall and VLAN Implementtion with Failover

jorgeorlando.melo
Level 1
Level 1

‎07-11-2003 06:03 AM - edited ‎02-20-2020 10:50 PM

I want to know how will be the behavior of failover when i configure VLAN support on PIX Firewall. At the present time i have a PIX 515E working with 6 interfaces and Failover and i need to grow until 12.

0 Helpful
3 Replies 3

drolemc
Level 6
Level 6

‎07-17-2003 08:45 AM

I don't remember coming across any documentation that talks about VLAN support on the PIX. VLAN's are basically a feature used on Cisco switches.

The PIX 515 can handle a maximum of 6 interfaces so you can't add any more. You could opt for the PIX 535, but even that supports 10 interfaces at-most.

0 Helpful

dlac455
Level 1
Level 1

‎08-07-2003 01:00 PM

Cisco Pix Firewall and VPN Configuration Guide says that only the physical can be done. I tried and was able to get both logical and physical failover link's commands successfully entered. What's up with that?

0 Helpful

jon-sills
Level 1
Level 1

‎08-11-2003 06:41 PM

Your biggest problem is the number of desired interfaces. As far as I know, the maximum number of interfaces on the 515, logical and physical, is 10.

I have a bunch of PIX boxes using trunks, and I have a bunch of PIX boxes in a FO bundle. I have never tried to both trunk and failover at the same time.

Without putting the scenario in the lab, my best guess is that should the physical interface fail, that failover would happen in a normal fashion. I suspect that should you somehow lose an individual VLAN, that the PIX would not failover.

I would also be concerned about the general architecture of such a scenario. Your essentialy creating the stereotypical "router on a stick". If your traffic patterns are for the most part from outside to protected interfaces, your probably ok, however if you have a great deal of traffic transversing between internal subnets, your creating a great deal of innefficiency, albeit in a secure manner :-)

Given that you have a 515, the FWSM blade and 6500 is probably economicaly not doable. I would however, look at attempting to use layer 3 switching behind the firewall, where my security policy would allow it, or migrating similar systems to interfaces with appropriate security levels to reduce the number of interfaces.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card