Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1191
Views
0
Helpful
6
Replies

moving my single point of failure up one level

Go to solution
Ronald Spencer
Level 1
Level 1

‎03-11-2010 03:25 PM - edited ‎03-04-2019 07:47 AM

HI NetPros,

I am trying to move my single point of failure up from my 3750 to my pix 515e.  Currently, the 3750 has a default route to the pix inside interface.  I have a second 3750 that I have confgured with HSRP.  I would like to add it in the mix, such that the 2 3750's act as one (HSRP) and connect up to the 515.  What I am not sure of is whether or not this is feasible, as the 515 routes to interfaces based on name (inside, outside, etc).

Please advise.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ronald Spencer

‎03-11-2010 03:53 PM

Ronald

The problem you have is that you can't have 2 inside interfaces on the pix in the same subnet and that's why it wouldn't work. So you could only really connect the pix to one of your 3750 switches but that isn't a problem if you stack the 3750 switches because then they are seen as one logical switch.

Jon

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ronald Spencer

‎03-11-2010 04:39 PM 

t00832112 wrote:
Hi Jon,
My experience with PIX is limited and your input has been valuable.  I could introduce another L2 device above the 3750, but that does not get my SPoF to the PIX.
As an aside, can you create a virtual interface on the pix that will reference 2 physical interfaces (an HSRP for PIX -if you will)?

Ronald

Trouble you have is that you won't be able to use 2 addresses out of the same subnet on the pix as it will complain about overlapping addresses just as a router would.

You could have 2 inside interfaces ie. inside1 and inside2 but they would need to be in differetn subnets. The other problem is you would need to ensure that traffic from the 3750 switches always went in and came back on the same inside interface or the firewall will complain.

You could conceivably have 2 interfaces connecting from the pix ie. inside1 and inside2. You could then have 2 default-routes on the 3750s one with an AD of 250 so it was only used if the first failed. But i'm very dubious as to how well this would work, if at all, and it would need testing which unfortunately i can't do for you as i have no access to pix firewalls. You might well need to run IP SLA on the 3750 to test when the interface had gone down on the pix as well.

You certainly wouldn't get stateful failover between the interfaces and i can see the NAT being an issue if the interfaces were suddenly switched.

For redundancy at the firewall level as you say you really need a pair of firewalls in active/standby or active/active mode.

Jon

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-11-2010 03:33 PM 

t00832112 wrote:
HI NetPros,
 I am trying to move my single point of failure up from my 3750 to my pix 515e.  Currently, the 3750 has a default route to the pix inside interface.  I have a second 3750 that I have confgured with HSRP.  I would like to add it in the mix, such that the 2 3750's act as one (HSRP) and connect up to the 515.  What I am not sure of is whether or not this is feasible, as the 515 routes to interfaces based on name (inside, outside, etc).
Please advise.

Ronald

Not sure i understand your query. The problem with having only one pix and 2 switches is that if the switch that the pix connects to fails then you can't connect to the pix.

Presumably the vlans are routed on your 3750 switches ? If so the only advantage to having a second 3750 would be that you could spread your clients across both switches and if the switch that failed wasn't the one connected to the pix you would get some level of redundancy. Alternatively if you have servers you could dual hone to both switches.

I would look to stack the switches as they are 3750 switches rather than look at them as separate switches.

Jon

0 Helpful

Go to solution
Ronald Spencer
Level 1
Level 1
In response to Jon Marshall

‎03-11-2010 03:43 PM

My 3750 is at the edge (of my corporate network).  At handoff, it goes to the pix which then routes to a 6509 and out the the public.  Ultimately, the goal is redundancy.  In the future (not sure how far) we are going to replace the pix with dual asa's.  We are also going to add another 6509.

currently we have this:

WAN

  |

  |

6509

  |

  |

PIX

  |

  |

3750

  |

  |

LAN

Was hoping that we could do this:

     WAN

       |

       |

     6509

       |

       |

     PIX

     |   |

     |   |

3750 3750

  |       |

  |       |

LAN  LAN

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ronald Spencer

‎03-11-2010 03:53 PM

Ronald

The problem you have is that you can't have 2 inside interfaces on the pix in the same subnet and that's why it wouldn't work. So you could only really connect the pix to one of your 3750 switches but that isn't a problem if you stack the 3750 switches because then they are seen as one logical switch.

Jon

0 Helpful

Go to solution
Ronald Spencer
Level 1
Level 1
In response to Jon Marshall

‎03-11-2010 04:26 PM

Hi Jon,

My experience with PIX is limited and your input has been valuable.  I could introduce another L2 device above the 3750, but that does not get my SPoF to the PIX.

As an aside, can you create a virtual interface on the pix that will reference 2 physical interfaces (an HSRP for PIX -if you will)?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ronald Spencer

‎03-11-2010 04:39 PM 

t00832112 wrote:
Hi Jon,
My experience with PIX is limited and your input has been valuable.  I could introduce another L2 device above the 3750, but that does not get my SPoF to the PIX.
As an aside, can you create a virtual interface on the pix that will reference 2 physical interfaces (an HSRP for PIX -if you will)?

Ronald

Trouble you have is that you won't be able to use 2 addresses out of the same subnet on the pix as it will complain about overlapping addresses just as a router would.

You could have 2 inside interfaces ie. inside1 and inside2 but they would need to be in differetn subnets. The other problem is you would need to ensure that traffic from the 3750 switches always went in and came back on the same inside interface or the firewall will complain.

You could conceivably have 2 interfaces connecting from the pix ie. inside1 and inside2. You could then have 2 default-routes on the 3750s one with an AD of 250 so it was only used if the first failed. But i'm very dubious as to how well this would work, if at all, and it would need testing which unfortunately i can't do for you as i have no access to pix firewalls. You might well need to run IP SLA on the 3750 to test when the interface had gone down on the pix as well.

You certainly wouldn't get stateful failover between the interfaces and i can see the NAT being an issue if the interfaces were suddenly switched.

For redundancy at the firewall level as you say you really need a pair of firewalls in active/standby or active/active mode.

Jon

0 Helpful

Go to solution
Ronald Spencer
Level 1
Level 1
In response to Jon Marshall

‎03-11-2010 04:48 PM

This makes sense and what is what we ultimately intend to do.  Thank you for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card