Firewall Wizards mailing list archives

Re: High availability


From: Chenggong Charles Fan <fan () rainfinity com>
Date: Mon, 02 Aug 1999 20:27:07 -0700

I'd like to comment on another way of doing HA, in addition to the VRRP way
and the Stonebeat same-MAC configuration.  It is similar to VRRP, but
instead of having one Virtual IP per subnet shared between the
firewalls, you can actually have a "pool of virtual IPs" shared between
the firewalls.  The two firewalls can be active at the same time, thus
achieving HA and load-balancing.

Let me borrow Carric's example:

***Private***
FW-A: 192.168.1.2(port1)
                         -> Virtual IP: 192.168.1.1, 192.168.1.4,
192.168.1.5
FW-B: 192.168.1.3(port1)

***Public***
FW-A: 205.1.1.2(port2)
                         -> Virtual IP: 205.1.1.1, 205.1.1.4, 205.1.1.5
FW-B: 205.1.1.3(port2)

Instead of one Virtual IP, now we have three virtual IPs per subnet
being shared by two Firewalls. Those six virtual IPs move between the
two firewalls, in order to balance the load between the two firewalls.
Gratuitous ARP can be used to update the ARP cache on the routers and
clients from both sides.

To configure your network using all the Virtual IPs to route the
traffic, there are many ways.  For example, the routers on both sides can
be configured to route using all three VIPs, with the same weight.  The
router will then round-robin among the virtual IPs.  Or if you are using
NAT on the firewall, you can have different sets of internal IP addresses
hide behind different external IPs.  Or you may use a DHCP server to
assign internal clients to use different default gateways.

Rainwall from Rainfinity is a product for Check Point FW-1 that does
this.  (I am an engineer at Rainfinity)  One major advantage is that
bandwidth is doubled with a two-firewall setup.  (We got 130 Mbps going
through a two-node Rainwall-FW-1 cluster).   In addition, Rainwall
scales to more than two nodes.  For example, in a three-node Rainwall
cluster, all three firewalls are sharing the load, and you can lose any
two of them and the firewall will still keep going.

Hope it helps.

Charles Fan
Engineer, Rainfinity
http://www.rainfinity.com
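The mechanism the post describes (a pool of VIPs dealt across the active firewalls, only the orphaned VIPs re-homed when a node dies, and gratuitous ARP used to repoint the router and client ARP caches), worked through as an added Python example. This is not code from the post and says nothing about how Rainwall itself is implemented. The IP addresses are the ones from the post; the node name FW-C, the MAC addresses, the round-robin placement rule and the fact that survivors keep their existing VIPs are assumptions of this example.

```python
"""Active/active firewall pair sharing a pool of virtual IPs (added example)."""
import ipaddress
import struct

# Constructed data: VIPs as in the post; MACs and the third node FW-C are made up.
VIP_POOL = {
    "private": ["192.168.1.1", "192.168.1.4", "192.168.1.5"],
    "public": ["205.1.1.1", "205.1.1.4", "205.1.1.5"],
}
NODE_MACS = {  # per node, per side of the firewall (assumed values)
    "FW-A": {"private": "02:00:00:00:0a:01", "public": "02:00:00:00:0a:02"},
    "FW-B": {"private": "02:00:00:00:0b:01", "public": "02:00:00:00:0b:02"},
    "FW-C": {"private": "02:00:00:00:0c:01", "public": "02:00:00:00:0c:02"},
}

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def gratuitous_arp(vip: str, mac: str) -> bytes:
    """Ethernet frame with a gratuitous ARP reply: sender IP and target IP are
    both `vip`, so every host caching `vip` rewrites its entry to `mac`."""
    ip = ipaddress.IPv4Address(vip).packed
    eth = _mac(BROADCAST) + _mac(mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac(mac) + ip + _mac(BROADCAST) + ip
    return eth + arp  # 14-byte Ethernet header + 28-byte ARP body = 42 bytes


def assign_vips(vips, active_nodes):
    """Initial placement: deal the VIPs round-robin over the active nodes."""
    nodes = sorted(active_nodes)
    if not nodes:
        raise RuntimeError("no active firewall node; VIP pool cannot be served")
    return {vip: nodes[i % len(nodes)] for i, vip in enumerate(vips)}


def failover(assignment, failed_node, active_nodes, side):
    """Re-home only the VIPs owned by `failed_node`; VIPs on survivors stay
    put so their ARP entries and sessions are undisturbed.  Returns the new
    assignment plus the gratuitous ARP frames the new owners must send on
    `side` (private/public) to update router and client caches."""
    survivors = sorted(n for n in active_nodes if n != failed_node)
    if not survivors:
        raise RuntimeError("last node failed; VIP pool cannot be served")
    new_assignment = dict(assignment)
    frames = []
    orphans = [vip for vip, owner in assignment.items() if owner == failed_node]
    for i, vip in enumerate(orphans):
        owner = survivors[i % len(survivors)]
        new_assignment[vip] = owner
        frames.append(gratuitous_arp(vip, NODE_MACS[owner][side]))
    return new_assignment, frames


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a router's ARP cache acts on; used to check output."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    op = struct.unpack("!H", frame[20:22])[0]
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = str(ipaddress.IPv4Address(frame[28:32]))
    tpa = str(ipaddress.IPv4Address(frame[38:42]))
    return {"ethertype": ethertype, "op": op, "sender_mac": sha,
            "sender_ip": spa, "target_ip": tpa}


if __name__ == "__main__":
    placement = assign_vips(VIP_POOL["private"], ["FW-A", "FW-B"])
    print("initial:", placement)
    placement, frames = failover(placement, "FW-A", ["FW-A", "FW-B"], "private")
    print("after FW-A fails:", placement)
    for f in frames:
        print("gratuitous ARP:", parse_arp(f))
```

The frames are gratuitous ARP *replies* to the broadcast address; some stacks ignore unsolicited replies and only honour a gratuitous ARP *request* (sender IP = target IP, opcode 1), so a production implementation typically sends both forms and repeats them a few times.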
