Cisco Support Community

Pix Firewall and VLAN Implementation with Failover

I want to know what the failover behavior will be when I configure VLAN support on a PIX Firewall. At the present time I have a PIX 515E working with 6 interfaces and Failover, and I need to grow to 12.


Re: Pix Firewall and VLAN Implementation with Failover

I don't remember coming across any documentation that talks about VLAN support on the PIX. VLANs are basically a feature used on Cisco switches.

The PIX 515 can handle a maximum of 6 interfaces, so you can't add any more. You could opt for the PIX 535, but even that supports 10 interfaces at most.


Re: Pix Firewall and VLAN Implementation with Failover

The Cisco Pix Firewall and VPN Configuration Guide says that only the physical can be done. I tried and was able to get both logical and physical failover link commands successfully entered. What's up with that?


Re: Pix Firewall and VLAN Implementation with Failover

Your biggest problem is the number of desired interfaces. As far as I know, the maximum number of interfaces on the 515, logical and physical, is 10.

I have a bunch of PIX boxes using trunks, and I have a bunch of PIX boxes in a FO bundle. I have never tried to both trunk and failover at the same time.

Without putting the scenario in the lab, my best guess is that should the physical interface fail, that failover would happen in a normal fashion. I suspect that should you somehow lose an individual VLAN, that the PIX would not failover.

I would also be concerned about the general architecture of such a scenario. You're essentially creating the stereotypical "router on a stick". If your traffic patterns are for the most part from outside to protected interfaces, you're probably OK; however, if you have a great deal of traffic traversing between internal subnets, you're creating a great deal of inefficiency, albeit in a secure manner :-)

Given that you have a 515, the FWSM blade and 6500 is probably not economically doable. I would, however, look at attempting to use layer 3 switching behind the firewall, where my security policy would allow it, or migrating similar systems to interfaces with appropriate security levels to reduce the number of interfaces.
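As an added illustration of the trunk-plus-failover setup discussed in this thread (not configuration from any poster), here is a PIX 6.3-style fragment that carves one physical port into a physical VLAN interface plus two logical VLAN interfaces, gives each one a failover address, and keeps the stateful failover link on a physical interface. Interface names, VLAN IDs, addresses and security levels are constructed for the example; check them against your own license and the configuration guide before use.

```cisco
! --- constructed example: ethernet2 carries an 802.1Q trunk ---
interface ethernet2 100full
! VLAN 10 is the "physical" (native) interface of the trunk port
interface ethernet2 vlan10 physical
! VLANs 20 and 30 are logical sub-interfaces riding the same trunk
interface ethernet2 vlan20 logical
interface ethernet2 vlan30 logical

! name each interface; logical ones are named by their vlan id
nameif ethernet2 dmz10 security50
nameif vlan20 dmz20 security40
nameif vlan30 dmz30 security30

! primary (active) addresses, one per interface
ip address dmz10 10.1.10.1 255.255.255.0
ip address dmz20 10.1.20.1 255.255.255.0
ip address dmz30 10.1.30.1 255.255.255.0

! every interface, logical ones included, needs a standby address
! so the secondary unit can take the role over on failover
failover ip address dmz10 10.1.10.2
failover ip address dmz20 10.1.20.2
failover ip address dmz30 10.1.30.2

! stateful failover link must be a physical interface, as the guide says;
! ethernet5 is assumed to be a dedicated physical port for this purpose
nameif ethernet5 stateful security20
ip address stateful 192.168.250.1 255.255.255.0
failover ip address stateful 192.168.250.2
failover link stateful
failover
```

As the previous reply points out, interface health is monitored per physical port: losing one VLAN on the switch side does not take ethernet2 down, so no failover occurs and that segment stays silently unreachable; monitor each VLAN's gateway from a host on that VLAN rather than relying on the PIX failover state alone.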
