Firewall Wizards mailing list archives
Re: High availability
From: Carric Dooley <carric () com2usa com>
Date: Thu, 8 Jul 1999 12:43:15 -0400 (EDT)
Well, then let me give it a try: If you have ever worked with Cisco's HSRP you already know how it works. Firewall "A" and "B" typically have an internal interface, an external interface and (ideally) the state link interface. Now, VRRP works like this. Let's say you have internal addresses:

***Private***
FW-A: 192.168.1.2 (port1) -> Virtual IP: 192.168.1.1
FW-B: 192.168.1.3 (port1)

***Public***
FW-A: 205.1.1.2 (port2) -> Virtual IP: 205.1.1.1
FW-B: 205.1.1.3 (port2)

***State Link***
FW-A: 10.0.0.1 (port3)
FW-B: 10.0.0.2 (port3)

You set port1 to monitor port2 on both firewalls in case of port failure. If one fails they are all shut down so the unit does not become a "black hole" for network traffic. Now, you set 192.168.1.2 as a virtual router backing up IP 192.168.1.1 and do the same with 192.168.1.3. The name of the virtual router should be the same for both (i.e. Virtual Router 1). Now set 205.1.1.2 and 205.1.1.3 to back up 205.1.1.1, creating your second virtual router (Virtual Router 2).

Let's say FW-A is our primary, so he gets a router priority of 100 with a delta of 5 for both interfaces (this means it will change to a routing priority of 95 given a failure). On FW-B we set router priority to 99 with a delta of 5. What this means is if we lose FW-A, FW-B takes over the virtual IPs (these are the addresses you actually designate as gateways). The IP 192.168.1.1 is our floating internal IP address for our clients to use as their gateway. The same goes for devices in the DMZ on the public side. Their path into the network is 205.1.1.1.

I don't think this was as clear as I was planning to make it, but I hope it makes sense.

Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Tue, 6 Jul 1999, Sandy Green wrote:
How does the HA solution work? I.e. when there is a changeover from the primary to secondary, the IP addresses are swapped over to the secondary. Which IP addresses are swapped? The external as well as the internal, or only the external? What about the ARP cache? What about the mapping of MAC address to IP address of the internal IP addresses? In short I need to understand the working of a HA solution. The white papers on sites like Stonebeat only talk about it superficially. I asked this question in the Checkpoint mail list but did not get a satisfactory answer as yet.

thanks
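The failover arithmetic Carric describes (priority 100 with delta 5 on FW-A, 99 on FW-B, port1 monitoring port2) can be checked with a small simulation. This is an added example, not code from the thread or from any firewall vendor; it assumes that a single monitored-link failure takes the whole unit down (so the delta applies to both virtual routers at once) and uses the VRRP rule that the highest effective priority wins, with the higher interface IP breaking ties.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class Firewall:
    name: str
    priority: int                  # base VRRP priority (FW-A 100, FW-B 99)
    delta: int                     # decrement on a monitored-link failure (5)
    addresses: dict                # per-port addresses taken from the post
    links_up: dict = field(default_factory=dict)  # constructed link state

    def effective_priority(self) -> int:
        # port1 monitors port2 (and vice versa): one failed link shuts the
        # whole unit down, so the decrement applies to every virtual router.
        # (Assumption: a single per-unit decrement rather than per-interface.)
        if all(self.links_up.get(p, True) for p in self.addresses):
            return self.priority
        return self.priority - self.delta

# Virtual routers from the post: name -> (port, floating gateway address)
VIRTUAL_ROUTERS = {
    "Virtual Router 1": ("port1", "192.168.1.1"),
    "Virtual Router 2": ("port2", "205.1.1.1"),
}

def elect_master(vr_name, firewalls):
    """Highest effective priority wins; ties go to the higher interface IP."""
    port, _ = VIRTUAL_ROUTERS[vr_name]
    return max(firewalls, key=lambda fw: (fw.effective_priority(),
                                          ip_address(fw.addresses[port]))).name

def gateway_owners(firewalls):
    """Return {virtual IP: firewall name} for every floating gateway."""
    return {vip: elect_master(vr, firewalls)
            for vr, (_, vip) in VIRTUAL_ROUTERS.items()}

def build_pair():
    # Addresses and priorities exactly as laid out in the post
    fw_a = Firewall("FW-A", 100, 5, {"port1": "192.168.1.2", "port2": "205.1.1.2"})
    fw_b = Firewall("FW-B", 99, 5, {"port1": "192.168.1.3", "port2": "205.1.1.3"})
    return fw_a, fw_b

if __name__ == "__main__":
    fw_a, fw_b = build_pair()
    print("normal:", gateway_owners([fw_a, fw_b]))
    fw_a.links_up["port2"] = False          # public link on FW-A drops
    print("after failure:", gateway_owners([fw_a, fw_b]))
```

Because both virtual routers move together, clients keep 192.168.1.1 and DMZ hosts keep 205.1.1.1 as their gateway throughout the switch.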
Current thread:
- High availability Sandy Green (Jul 06)
- Re: High availability Carric Dooley (Jul 12)
- RE: High availability Andrew J. Luca (Jul 12)
- <Possible follow-ups>
- Re: High availability Russ Wolfe (Jul 08)
- Re: High availability Don Kendrick (Jul 09)