Firewall Wizards: RE: High availability firewalls

RE: High availability firewalls

From: Gary Crumrine <gcrum_at_us-state.gov>
Date: Tue, 20 Jan 1998 12:22:52 -0500

As long as you guys are discussing failover---- Have you given thought to
using more than one provider at the same time? The networks can and do go
down once in a while. Witness a cut main trunk from a week or two ago from
an unnamed MAJOR provider? Re-routing only overloaded already stressed
circuits and the outage snowballed.

-----Original Message-----
From: Adam Shostack [SMTP:adam_at_homeport.org]
Sent: Tuesday, January 20, 1998 10:00 AM
To: jk_at_stallion.ee
Cc: firewall-wizards_at_nfr.net
Subject: Re: High availability firewalls

You forgot the crossover links. Each firewall machine has 2 network
interfaces per side (inside, outside, dmzside(?).) One interface on a
side plugs into either hub, thus we get a crossbar architecture.

It might also be worth looking at using a non star implementation,
such as thinnet, to remove the hubs from the picture. Always struck
me as a simpler solution, but couldn't sell my customers at the time
on it. You do have the possibility of a transceiver failure, but
since those tend to be line powered, there is a lower chance of
failure.

Adam

Jyri Kaljundi wrote:

| So this seems more reliable:
|
| LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
| | | | |
| ---- router 2 -------- firewall 2 ----
|
| But is it better than the 1st diagram? When router 1 and firewall 2 go
| down, the system will not work anymore, although in diagram 1 it would
| still work.
|
| The question is, how to actually technically do it? On the firewalls side,
| when firewall 1 goes down, the HA software assigns IP-address and
| MAC-address of firewall 1 to firewall 2. Now how shall I let routers know
| that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and
| how?
|
| Jyri Kaljundi
| jk_at_stallion.ee
| AS Stallion Ltd
| http://www.stallion.ee/
|
|

--
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
Received on Jan 20 1998
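
Added example, not part of the original thread: a small enumeration of which component failures cut LAN 1 off from LAN 2 in the quoted two-chain diagram versus a cross-linked layout. The cross-linked topology is an assumption (every router linked to every firewall, hubs not modelled), since the thread's "diagram 1" is not shown on this page; the node names are constructed.

```python
from itertools import combinations

# Constructed topologies. r1/r2/fw1/fw2 are components that can fail;
# LAN1 and LAN2 are the endpoints that must stay connected.
PAIRED = {  # the quoted diagram: two independent router -> firewall chains
    ("LAN1", "r1"), ("LAN1", "r2"),
    ("r1", "fw1"), ("r2", "fw2"),
    ("fw1", "LAN2"), ("fw2", "LAN2"),
}
# Assumption: the cross-linked layout adds a link from each router to the
# other chain's firewall.
CROSSED = PAIRED | {("r1", "fw2"), ("r2", "fw1")}


def connected(links, failed):
    """True if LAN1 still reaches LAN2 once the `failed` components are removed."""
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, stack = {"LAN1"}, ["LAN1"]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return "LAN2" in seen


def fatal_failures(links, k):
    """All sets of k simultaneously failed components that break the path."""
    comps = sorted({n for link in links for n in link} - {"LAN1", "LAN2"})
    return [set(c) for c in combinations(comps, k) if not connected(links, set(c))]


if __name__ == "__main__":
    for name, topo in (("paired", PAIRED), ("crossed", CROSSED)):
        print(name, "single:", fatal_failures(topo, 1),
              "double:", fatal_failures(topo, 2))
```

Both layouts survive any single failure; the difference shows up only in the double-failure list, where the paired layout also loses connectivity when a router in one chain and the firewall in the other fail together.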