Solved: PIX Failover and DMZ

kirkster · ‎11-22-2004

Hi,

I am fairly happy with the failover of the inside and outside interfaces - i.e. the backup PIX inherits the IP address and MAC address of the primary unit. However, what about the DMZ interface? Does that also inherit the IP and MAC of the primary unit?

In a DMZ failover design with only a couple of servers on the DMZ, would you connect both DMZ PIX interfaces into a common switch (same VLAN of course !) and then plug in the servers?

Fairly basic questions I am sure but I cannot find an answer to this on cco.

Best regards, Steve

sachinraja · ‎11-22-2004

Hi Steve,

yes.. DMZ interfaces also inherits the IP and the MAC address of the primary PIX.

In this scenario, even if you have one server you need to connect the 2 PIXs onto a switch and then plug the server on the same VLAN.. this will ensure physical reachability of the server to both the PIXes. In case you have only one connection, you need to change the cable manually , when one PIX fails, which is a big headache ...

Hope this helps...

rate all replies if found useful !!

View solution in original post

sachinraja · ‎11-22-2004

Hi Steve,

yes.. DMZ interfaces also inherits the IP and the MAC address of the primary PIX.

In this scenario, even if you have one server you need to connect the 2 PIXs onto a switch and then plug the server on the same VLAN.. this will ensure physical reachability of the server to both the PIXes. In case you have only one connection, you need to change the cable manually , when one PIX fails, which is a big headache ...

Hope this helps...

rate all replies if found useful !!