Redundant Network Setup

killerasp

Here is the network I am hoping to set up:

network7gx.jpg


The firewalls are unrestricted PIXes. The switches are 2950s.

I think I understand how STP works. But I don't understand how I would configure the PIXes. What would be the internal IPs that I would assign to the INSIDE interfaces? What would be the security levels? Etc.? HELP!

Is this even possible?!
 
Hahah. I knew you were going to ask that question. :)

6.x

I don't know enough about 7.x right now.
 
Active/Standby failover is probably your best bet. The two units would be identical, except when the primary fails, the standby unit assumes its IP and becomes the primary. The only lag time will be in how long it takes the switches to recognize the change on what port to forward for packets going to the IP address of the PIX. And that should happen pretty quickly.

I don't think STP would be blocking anything in that setup.

There are other ways to do it without having to use failover, but that is probably your best bet. Are you trying to achieve only redundancy, or load balancing too?
 
Boscoh said:
Active/Standby failover is probably your best bet. The two units would be identical, except when the primary fails, the standby unit assumes its IP and becomes the primary. The only lag time will be in how long it takes the switches to recognize the change on what port to forward for packets going to the IP address of the PIX. And that should happen pretty quickly.

I don't think STP would be blocking anything in that setup.

There are other ways to do it without having to use failover, but that is probably your best bet. Are you trying to achieve only redundancy, or load balancing too?

I am only trying to achieve redundancy.

Thanks for the suggestion. But I don't see how that would solve the issue of having redundant switches in the loop. Technically, you would need to configure two internal interfaces, one to each switch. But what internal address would you assign to the interfaces? What would happen if switch one died but PIX 1 remained fully functional? How would data be routed to the other interface that is connected to switch two?
 
Actually, you wouldn't have your two links to each PIX. You'd have FW1 plugged into Switch1, and FW2 plugged into Switch2 with the crossover between Switch1 and Switch2.

If Switch1 goes down, the interface on PIX1 will go down, causing the unit to fail over to PIX2.

In that case, you don't have any switching loops in your network that I can see, provided that routing is not enabled between interfaces on the webservers. If it is, STP will detect it.
 
Also make sure you enable PortFast on the interfaces the PIXes are connected to, since when in failover the PIX does a series of tests on the network card to ensure that they're fully functional and receiving traffic. If the port isn't in PortFast, STP could still be in listening or learning mode while the PIX is doing these tests, and the PIX needs to be able to receive traffic to determine if everything is ok.
 
Boscoh said:
Actually, you wouldn't have your two links to each PIX. You'd have FW1 plugged into Switch1, and FW2 plugged into Switch2 with the crossover between Switch1 and Switch2.

If Switch1 goes down, the interface on PIX1 will go down, causing the unit to fail over to PIX2.

In that case, you don't have any switching loops in your network that I can see, provided that routing is not enabled between interfaces on the webservers. If it is, STP will detect it.

And if PIX 1 goes down?
 
linkredundancy4pa.jpg


This is what the CDW network specialist came up with. He hasn't gotten back to me yet on how it should be configured... so I'm still wondering.
 
Boscoh said:
Actually, you wouldn't have your two links to each PIX. You'd have FW1 plugged into Switch1, and FW2 plugged into Switch2 with the crossover between Switch1 and Switch2.

If Switch1 goes down, the interface on PIX1 will go down, causing the unit to fail over to PIX2.

In that case, you don't have any switching loops in your network that I can see, provided that routing is not enabled between interfaces on the webservers. If it is, STP will detect it.

I found some other resources online and they all pretty much said what you said.
 
killerasp said:
And if PIX 1 goes down?
PIX 2 will take over as the Active firewall. Failover communication is a constant thing. One pix will know if the other fails for any reason at all.

This is what the CDW network specialist came up with. He hasn't gotten back to me yet on how it should be configured... so I'm still wondering.
Honestly, I have never seen two PIX in failover mode, each with two network cards connected to the internal LAN via L2 switches. That seems a lot more complicated (and expensive) than it needs to be. If he gives you a configuration, please post it here so I can see how he's telling you to do that.

What I described will work fine.

PIX 1 Fails
Failover - PIX 2 becomes active

PIX 2 Fails

Nothing happens if PIX 1 is active. Failover only occurs when the Active unit fails.

Switch 1 Fails
Internal interface on PIX 1 goes down or stops Rx/Tx traffic. Failover - PIX 2 becomes active.

Switch 2 Fails
Nothing happens if PIX 1 is active.
 
Hey Boscoh. Thanks for helping me a bunch.

I got hardware coming in next week so I will have to try it out for myself.
 
killerasp said:
linkredundancy4pa.jpg


This is what the CDW network specialist came up with. He hasn't gotten back to me yet on how it should be configured... so I'm still wondering.

I just talked with the CDW network guy and he said you would configure the second inside network interface with a virtual IP of the primary inside interface.
 
It's possible he could be referring to that second internal interface as being the interface he plans on using for LAN-based failover. And that might be what he means by 'virtual ip'. There are three ways you can do failover: Cable-based, LAN-based, and Cable/Ethernet-based.

Cable based failover is done with what is basically an RS-232 cable between the two PIXes. Cable-based is just fine unless the units are far apart, or you want to replicate TCP state information too. The cable limit is 6ft.

With LAN-based and Cable/Ethernet, you need that extra ethernet card. You need it for LAN-based if the units are more than 6ft apart, or if you want to do stateful failover. You can't transfer state over the RS232 cable. Not transferring the state would be like issuing a 'clear xlate' command when the units fail over. So if you don't want that to happen, you have some options:
A) Cable-based for failover, and ethernet for state (you can use a crossover).
B) ethernet for failover AND state, but you have to connect them to a switch. When you address the card, make sure you put them on a subnet that no other devices are using.

Option B might have been what he was illustrating the entire time. Although, the diagram really looks like he was showing two traffic-passing interfaces connected to the LAN on each PIX. The failover link is not going to pass user traffic.

Ask him for a sample config.

Failover in 7.x is quite a bit different. You don't need an extra eth interface in 7.0, you can use the inside interface...although Cisco says it's not recommended. Stateful failover in 7.x also transmits ISAKMP/IPSec SAs...it does not in 6.x.
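An added configuration sketch (not from anyone in this thread, and not the CDW config) showing how the addressing question in the first post is answered under Boscoh's Option A on PIX OS 6.x: the inside interface gets one address, the standby unit's address for that interface is set with `failover ip address`, and the stateful link is a separate interface on a subnet nothing else uses. The hostnames, interface names, addresses, VLAN and the Option B key are all constructed placeholders.

```cisco
! --- PIX1 (primary), PIX OS 6.x syntax; all addresses are constructed ---
hostname PIX1
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 state security20
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip address state 10.255.255.1 255.255.255.252
!
! Addresses the standby unit holds while PIX1 is active. On failover PIX2
! takes over 192.168.10.1 and 203.0.113.2 itself, so hosts and the default
! route on the inside LAN never change.
failover ip address outside 203.0.113.3
failover ip address inside 192.168.10.2
failover ip address state 10.255.255.2
!
! Option A: serial failover cable carries hello/config; TCP state (xlate
! table) replicates over the dedicated 'state' interface (crossover to PIX2).
failover link state
failover poll 15
failover
!
! Option B instead of the cable (PIX 6.2+ LAN-based failover): same
! 'failover ip address' lines, but the failover link is Ethernet and must
! sit on its own switch/VLAN segment with no other hosts. Constructed key.
! failover lan unit primary
! failover lan interface state
! failover lan key PLACEHOLDER-FAILOVER-KEY
! failover lan enable
! failover link state
! failover

! --- Catalyst 2950 port facing a PIX inside interface (Switch1 shown) ---
interface FastEthernet0/1
 description PIX1 inside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

PIX2 (the secondary) only needs matching `nameif`/`ip address` lines plus the failover cable (or the Option B `failover lan unit secondary` stanza); it receives the rest of the configuration from the active unit.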
 