Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

PIX Failover & Other Queries

From: James Burns <james.burns () sunderland ac uk>
Date: Mon, 09 Oct 2006 14:04:00 +0100
Hi, I'm hoping someone can help...

I'm working at a university, that currently only has a single gig feed 
to the outside world. In the interests of resilience, we're soon to be 
getting a second feed in, and I was hoping that someone might be able to 
offer some advice on the best way of going about it.

We've currently got two Pix 535's as a failover set, one with an 
unrestricted (UR) license, the other with a failover (FO) only. As the 
new feed is coming into a different site, the failover Pix will be 
moved, and we'll do LAN based failover rather than using a failover cable.

*However*, the educational body supplying the new feed has seen fit to 
provide the second feed in as a separate OSPF instance to the original 
feed. Therefore, each of the two feeds out will have different OSPF 
instances, and different IP addresses. For the sake of arguement (which 
will likely as not prove to be fact anyway), assume that this is set in 
stone, and nothing's going to change it.

So, what I want to know is your thoughts on how best to go about this... 
Is it possible to have to firewalls in a failover set failover as 
normal, but have the failover Pix have a different outside IP address? I 
didn't think that this would be possible, if at all, but especially on a 
box with an FO licence? What about upgrading the licence from FO to UR - 
would that allow it? The best possible solution I've managed to come up 
with so far, is to have two routers (or L3 switches) - just outside each 
of the Pix's - configured for HSRP. If the main link goes down, what I 
would like to happen is for the other router to take over via HSRP, and 
for the firewall pair to failover to the backup. Does that sound feasible?

I hope I'm making sense. Any help is appreciated.

-- 
James Burns

Network Advisor – Student & Learning Support
University of Sunderland


-- 
University of Sunderland - life-changing: see our new TV advert at
http://www.lifechangingsunderland.com or http://www.sunderland.ac.uk
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: