Hi, I'm hoping someone can help...

I'm working at a university that currently only has a single gig feed to the outside world. In the interests of resilience, we're soon to be getting a second feed in, and I was hoping that someone might be able to offer some advice on the best way of going about it.

We've currently got two Pix 535's as a failover set, one with an unrestricted (UR) license, the other with a failover (FO) only. As the new feed is coming into a different site, the failover Pix will be moved, and we'll do LAN based failover rather than using a failover cable.

*However*, the educational body supplying the new feed has seen fit to provide the second feed in as a separate OSPF instance to the original feed. Therefore, each of the two feeds out will have different OSPF instances, and different IP addresses. For the sake of argument (which will likely as not prove to be fact anyway), assume that this is set in stone, and nothing's going to change it.

So, what I want to know is your thoughts on how best to go about this... Is it possible to have two firewalls in a failover set failover as normal, but have the failover Pix have a different outside IP address? I didn't think that this would be possible, if at all, but especially on a box with an FO licence? What about upgrading the licence from FO to UR - would that allow it? The best possible solution I've managed to come up with so far, is to have two routers (or L3 switches) - just outside each of the Pix's - configured for HSRP. If the main link goes down, what I would like to happen is for the other router to take over via HSRP, and for the firewall pair to failover to the backup. Does that sound feasible?

I hope I'm making sense. Any help is appreciated.

--
James Burns
Network Advisor – Student & Learning Support
University of Sunderland

