Re: Implementing PIX Failover over a Fibre link?

[jan () nil si]

On 14.09.2000 12:39:04 gary.smith wrote:
> All:
>
> We have a requirement for multi-site resiliance for one of our customers
> Extranet sites and I would ideally like to have the 2 PIX firewalls
> communicating in the active-passive failover mode, however, the two sites
> are approximately 2 miles distant from one another.  The question is, can 2
> PIX firewalls operate across a fibre link in failover mode, and if so, how?

Not with native failover - the PIX still requires the serial failover
cable between two devices. You could do failover with a routing protocol,
for example BGP, and let routing choose the active PIX. In this case, BGP
would be running ACROSS the PIX, as the PIX does not truly support
any routing protocols as a router. BGP keepalives will detect a failed
PIX and failover time should be in the order of seconds. Note that
the xlate/conn tables are NOT replicated, so you will lose current
sessions.

Make sure that native failover is disabled, that you have BGP authentication
in place, and that you have different global addresses for NAT in the two
PIXen. What remains is only the BGP config - consult your local guru.

On the other hand, you could use native failover and extend the failover
cable via modems, but this is not officially supported by Cisco. As you
will definitely need some dynamic routing in the setup, I would much prefer
a clean routing-based solution.


Cheers,
Jan

Jan Bervar
Specialist za podatkovne komunikacije, CCIE #2527
Consulting Engineer
NIL Data Communications,  Einspielerjeva 6,  1000 Ljubljana,  Slovenia
Phone +386 1 4746 500       Fax +386 1 4746 501      http://www.NIL.si



_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards