https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145844#M602997 <HTML><HEAD></HEAD><BODY><P>I don't remember coming across any documentation that talks about VLAN support on the PIX. VLAN's are basically a feature used on Cisco switches. </P><P>The PIX 515 can handle a maximum of 6 interfaces so you can't add any more. You could opt for the PIX 535, but even that supports 10 interfaces at-most. </P></BODY></HTML> Thu, 17 Jul 2003 15:45:14 GMT drolemc 2003-07-17T15:45:14Z https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145843#M602996 <P>I want to know how will be the behavior of failover when i configure VLAN support on PIX Firewall. At the present time i have a PIX 515E working with 6 interfaces and Failover and i need to grow until 12.</P><P></P> Fri, 21 Feb 2020 06:50:55 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145843#M602996 jorgeorlando.melo 2020-02-21T06:50:55Z https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145844#M602997 <HTML><HEAD></HEAD><BODY><P>I don't remember coming across any documentation that talks about VLAN support on the PIX. VLAN's are basically a feature used on Cisco switches. </P><P>The PIX 515 can handle a maximum of 6 interfaces so you can't add any more. You could opt for the PIX 535, but even that supports 10 interfaces at-most. </P></BODY></HTML> Thu, 17 Jul 2003 15:45:14 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145844#M602997 drolemc 2003-07-17T15:45:14Z https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145845#M602998 <HTML><HEAD></HEAD><BODY><P>Cisco Pix Firewall and VPN Configuration Guide says that only the physical can be done. I tried and was able to get both logical and physical failover link's commands successfully entered. What's up with that?</P></BODY></HTML> Thu, 07 Aug 2003 20:00:27 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145845#M602998 dlac455 2003-08-07T20:00:27Z https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145846#M602999 <HTML><HEAD></HEAD><BODY><P>Your biggest problem is the number of desired interfaces. As far as I know, the maximum number of interfaces on the 515, logical and physical, is 10.</P><P></P><P>I have a bunch of PIX boxes using trunks, and I have a bunch of PIX boxes in a FO bundle. I have never tried to both trunk and failover at the same time. </P><P></P><P>Without putting the scenario in the lab, my best guess is that should the physical interface fail, that failover would happen in a normal fashion. I suspect that should you somehow lose an individual VLAN, that the PIX would not failover.</P><P></P><P>I would also be concerned about the general architecture of such a scenario. Your essentialy creating the stereotypical "router on a stick". If your traffic patterns are for the most part from outside to protected interfaces, your probably ok, however if you have a great deal of traffic transversing between internal subnets, your creating a great deal of innefficiency, albeit in a secure manner <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Given that you have a 515, the FWSM blade and 6500 is probably economicaly not doable. I would however, look at attempting to use layer 3 switching behind the firewall, where my security policy would allow it, or migrating similar systems to interfaces with appropriate security levels to reduce the number of interfaces.</P><P></P></BODY></HTML> Tue, 12 Aug 2003 01:41:47 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-vlan-implementtion-with-failover/m-p/145846#M602999 jon-sills 2003-08-12T01:41:47Z