Firewall Wizards mailing list archives

Re: RE: Firewall-1 platforms

From: "shawn . moyer" <shawn () net-connect net>
Date: Thu, 08 Mar 2001 12:38:42 -0600



Barney Wolff wrote:


Nokia may or may not support load balancing, but as I read > VRRP, load-balancing support is very primitive - you get 
to > manually configure the default-router IP addresses on the > hosts behind the firewall.  I have no live 
experience with > Stonebeat, but I believe the advertised load-balancing > support is fancier.


Well, yes, if you want to do layer four load balancing (based on stuff
like URL / URI, etc.) you need a true load balancing device or
application. I guess that's what you mean by fancy.

I would generally advocate (for the price / performance level) a box
like F5 or Arrowpoint for something like that if you want the "fancy"
stuff. I'd prefer a hardware solution over a software one, myself. And
there's nothing stopping you from using a device like that for your web
and app servers *behind* the firewall.

For basic load-sharing, though, VRRP does just fine. And when would you
*not* set a default route on your hosts?

In practice, what you do with the Nokia's is:


                [outside network]

                       |
                       |                                                               |

            (( outside Virtual IP ))

                       |
                
(outside interface # 1)  (outside interface # 2) 

                       X        

(inside interface # 1)   (inside interface # 2)

                       |

            ((  inside Virtual IP ))

                       |
                       |

               [internal network]


The outside and inside hosts just see the inside and outside VIP's, and
VRRP does the rest of the work. As with Stonebeat, for all intents and
purpose the two (or more) devices are seen as one logical device. 

Would "primitive" be another way of saying "simple"? That's not always a
bad thing, IMHO.



--shawn

-- 

s h a w n   m o y e r
shawn () net-connect net

The universe did not invent justice; man did. 
Unfortunately, man must reside in the universe.

                                        -- Zelazny
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

RE: Firewall-1 platforms, (continued)
- RE: Firewall-1 platforms Smith, Gary (SCOTAM) (Mar 06)
  - Re: RE: Firewall-1 platforms David Lang (Mar 07)
- RE: RE: Firewall-1 platforms Kalat, Andrew (ISS Atlanta) (Mar 06)
  - Re: RE: Firewall-1 platforms Darren Reed (Mar 07)
  - Re: RE: Firewall-1 platforms shawn . moyer (Mar 07)
  - RE: RE: Firewall-1 platforms Joe Ippolito (Mar 07)
- RE: RE: Firewall-1 platforms Chuck Fasching (Mar 07)
- RE: RE: Firewall-1 platforms Kalat, Andrew (ISS Atlanta) (Mar 07)
  - Re: RE: Firewall-1 platforms shawn . moyer (Mar 07)
    - Re: RE: Firewall-1 platforms Barney Wolff (Mar 09)
    - Re: RE: Firewall-1 platforms shawn . moyer (Mar 09)
    - Re: RE: Firewall-1 platforms Barney Wolff (Mar 09)
    - Re: RE: Firewall-1 platforms shawn . moyer (Mar 09)
    - Re: RE: Firewall-1 platforms Barney Wolff (Mar 09)
    - Message not available
    - Re: Firewall-1 platforms (end of thread, I hope.) shawn . moyer (Mar 09)
    - Re: RE: Firewall-1 platforms hermit1 (Mar 10)
    - Re: RE: Firewall-1 platforms hesselsp (Mar 09)
- Re: RE: Firewall-1 platforms Rob Napholz (Mar 13)