Firewall Wizards mailing list archives

Re: pix 515 failover

From: Jamie Gillespie <jamie () auscert org au>
Date: Fri, 06 Sep 2002 16:52:24 +1000

-----BEGIN PGP SIGNED MESSAGE-----


Hi Barry,

i have been given the job of setting up failover for a pair of cisco pix 515

i can setup the failover no problems but my question is
when the pix fails over does the second one assume the ip address assigned 
to the interface on the primary
or does it use the address assigned under the failover command for that 
interface.


The failover command assigned an IP address for the interface while
the PIX is acting as the standby, or failover.  When a fault occurs in
the primary, the standby becomes active and assumes all IP addresses
and state tables (if configured).  A really good explanation is at:

        http://www.cisco.com/warp/public/110/failover.html

if the interface assumes the address assigned under the failover command 
how does one go about routing from a router etc to the firewall??


As it assumes the IP address of the primary, all you'd need is something
liek a an ethernet switch connecting the outside interface of the two
PIX's and the uplink to your border router, etc...  When a PIX fails over,
it does the usual ARP to tell the switch it now owns the primary IP address.

Hope this helps,

- --- Jamie Gillespie, CISSP, CCNA ---
Australian Computer Emergency Response Team | Hotline: +61 7 3365 4417
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email:   auscert () auscert org au



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPXjdSCh9+71yA2DNAQGESgP9H9sZf1Ly/mXrBtC38+/cxxbq3Dn+U+/V
AidXloVNpoD2iaqjRY+uprGfQzokP54P7oDZd+/uU3UJQF6YCJeMvkZkIG0/fF5/
F73ZfSMaxrLu+y9pSDNIJKrwGS6IoWoVW7Vp45xpY+ss3DcTsNx6vcOLiGF/BDFx
LYbkunxQdo0=
=mUV6
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

pix 515 failover barry (Sep 05)
- Re: pix 515 failover Daniel Linder (Sep 06)
- Re: pix 515 failover Carson Gaspar (Sep 06)
- Re: pix 515 failover Jamie Gillespie (Sep 06)
- RE: pix 515 failover Daniel Handley (Sep 06)