Re: RE: Firewall-1 platforms

["shawn . moyer" <shawn () net-connect net>]

Barney Wolff wrote:
> Maybe I don't understand, but the picture in the vrrp draft shows
> half the inside hosts set to one default router, half to the other.
> That's what I'm calling primitive.  Am I missing something?

I suppose you could actually set VRRP up this way, but I've never seen
it done that way in practice. The way I've worked with this with both
Nokia and Foundry gear is to point all boxes to the VIP (or VRID) and
set up failover and load bal. where the other router(s) / firewall(s)
will take over the VIP if the master fails. 

I suppose in the situation described in the RFC, you might do this if
you had two segments and two paths, and wanted to enable failover for
each segment. As I said, I've never seen a situation where this type of
configuration was relevant or necessary. As is often the case, possibly
this was what the originators of the draft had in mind and it was
modified to meet other needs. :) 





--shawn

-- 

s h a w n   m o y e r
shawn () net-connect net

The universe did not invent justice; man did. 
Unfortunately, man must reside in the universe.

                                        -- Zelazny
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards