Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
502
Views
0
Helpful
4
Replies

PIX the single point of failure !!

dehghan
Level 1
Level 1

‎03-03-2004 09:43 PM - edited ‎02-20-2020 11:16 PM

Hello

Unfortunetly I canot paste a diagram to make my self clear but I will try to get my questions across.

I have always seen PIX as a device that seperates the network in to sections ( eg. DMZ, Internal..). You could use failover to recover from a failure, but what if I were to have for example a fully redundant DMZ witch would connect all servers to two three.. switches. you would connect a single switch to the PIX, what if that single switch fails, the whole DMZ would be disconnected from the rest of the network. I was wondering what could be done to minimize the impact of such a case on the PIX.

Is there some type of channeling possible for the PIX???. Or can I connect the PIX to two of my switches in the DMZ and use two interfaces on the PIX and give them the same priority ( The traffic wouldn't be able to pass from two interfaces with the same priority, as far as I have read) and use static routing to solve my problem??. Or is there another way??.

I would be very happy if some one could help me out on this. Thanks in advance.

0 Helpful
4 Replies 4

peangvall
Level 1
Level 1

‎03-04-2004 12:30 PM

The PIX can only be plugged into one switch on each dmz, so there is a single point of failure. Of course, the PIX is a single point of failure, so if you have two PIX's setup in failover, then you can put one into switch one and one into switch two. If one PIX or switch fails, the other one will take over. With only one PIX there is no way to achieve it.

0 Helpful

dehghan
Level 1
Level 1
In response to peangvall

‎03-04-2004 09:44 PM

Thanks

How about using static routing on the pix.

Giving diffrent metrics to the single IP ( running HSRP ) of the switches. You could also define witch switch should be active so that the switch with the higher priority will have a lower metric on the PIX.

I do not have a lab for testing these things so I realy dont know.

I would be happy to here your thoughts.

Thanks again

0 Helpful

cscott
Level 1
Level 1
In response to dehghan

‎03-06-2004 08:09 PM

To go along with the previous poster, the only way to achieve true redundancy in your network is to duplicate everything.

What you noted about the PIX being the single point of failure can be said for any firewall, unless it has two power supplies, to NIC's for each "interface", two motherboards, two CPU's, etc etc.

There is this marketing gimmic starting to go around where companies are integrating multiple WAN ports, or multiple NIC's for the internal interface etc and touting that these provide for high availability without using another unit. Well...what happens if your CPU dies, or your power supply dies.

0 Helpful

dehghan
Level 1
Level 1
In response to cscott

‎03-08-2004 12:57 AM

Thanks anyway

I have desided to get another pix for my company.

Thanks again

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card