Firewall Wizards mailing list archives

Re: Concentrator inside of paired failover firewalls.
From: Aaron Smith <smitha () byui edu>
Date: Thu, 21 Sep 2006 11:44:21 -0600

On Sun, 2006-09-17 at 16:35 -0700, Carson Gaspar wrote:
> There are _zero_ reliable commercial HA solutions that will go insane if
> you use a cross-over cable and they both lose link at the same time.

So, PIX is not a reliable commercial solution then.  OK.

> you use 2 switches, and the trunk between them fails, both devices think
> they are "up" (yes, you can use multiple trunks, but you can use multiple
> x-overs as well - keep it apples to apples). If you use a cross-over cable,
> and it fails, both devices think they are "down". Any decent HA system can
> handle both failure modes.

Then PIX is also not a decent HA system.  Great.

> If an HA system _can't_ handle both failure
> modes, it's crap and you shouldn't buy it.

PIX (using IP failover) is crap.  I get it now.

As a final note, using a crossover cable with a PIX is very stupid.  If
you keep the pair in the same room then use the failover cable.
IP-based failover is useful if the PIX pair is geographically separated,
in which case they'd most likely be homed to different switches.  Which
was my initial point.

@@ron Smith
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
