Firewall Wizards mailing list archives
Re: High availability
From: Chenggong Charles Fan <fan () rainfinity com>
Date: Sun, 01 Aug 1999 17:15:27 -0700
Hi,

I'd like to comment on another way of doing HA, in addition to the VRRP way and the Stonebeat same-MAC configuration. It is similar to VRRP, but instead of having one Virtual IP per subnet shared between the firewalls, you can actually have a "pool of virtual IPs" shared between the firewalls. The two firewalls can be active at the same time, thus achieving HA and load-balancing.

Let me borrow Carric's example:

***Private***
FW-A: 192.168.1.2(port1) -> Virtual IP: 192.168.1.1, 192.168.1.4, 192.168.1.5
FW-B: 192.168.1.3(port1)

***Public***
FW-A: 205.1.1.2(port2) -> Virtual IP: 205.1.1.1, 205.1.1.4, 205.1.1.5
FW-B: 205.1.1.3(port2)

Instead of one Virtual IP, now we have three virtual IPs per subnet being shared by two firewalls. Those six virtual IPs move between the two firewalls, in order to balance the load between the two firewalls. Gratuitous ARP can be used to update the ARP cache on the routers and clients from both sides.

To configure your network using all the Virtual IPs to route the traffic, there are many ways. For example, the router on both sides can be configured to route using all three VIPs, with the same weight. The router will then round-robin among the virtual IPs. Or if you are using NAT on the firewall, you can have different sets of internal IP addresses hide behind different external IPs. Or you may use a DHCP server to assign internal clients to use different default gateways.

Rainwall from Rainfinity is a new product for Check Point FW-1 that does this. (I am an engineer at Rainfinity.) One major advantage is that bandwidth is doubled with a two-firewall setup. (We got 130 Mbps going through a two-node Rainwall-FW-1 cluster.) Rainwall works for more than two nodes also. For example, in a three-node Rainwall cluster, all three firewalls are sharing the load, and you can lose any two of them and the firewall will still keep going.

Hope it helps.

Charles Fan
Engineer, Rainfinity
http://www.rainfinity.com
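The virtual-IP pool described in the message above can be modelled in a few lines of Python. This is an added example, not part of the original message and not Rainwall's algorithm: the `rebalance` function and its count-based fair-share rule are assumptions, and each returned move marks the point where the new owner would send a gratuitous ARP for that VIP.

```python
from collections import defaultdict

def rebalance(vips, owners, live_nodes):
    """Assign every VIP in the pool to a live firewall.

    A VIP stays where it is if its owner is alive and not above its fair
    share (assumed rule: ceil(len(vips) / live nodes)); otherwise it moves
    to the least-loaded live node. Returns (new_owners, moves), where each
    move is (vip, old_owner, new_owner).
    """
    if not live_nodes:
        raise ValueError("no live firewall left to own the virtual IPs")
    live = sorted(live_nodes)
    cap = -(-len(vips) // len(live))  # ceiling division
    load = defaultdict(int)
    new_owners, pending = {}, []
    for vip in vips:
        cur = owners.get(vip)
        if cur in live and load[cur] < cap:
            new_owners[vip] = cur      # no change, no ARP update needed
            load[cur] += 1
        else:
            pending.append(vip)        # owner failed or is over its share
    moves = []
    for vip in pending:
        target = min(live, key=lambda n: (load[n], n))
        new_owners[vip] = target
        load[target] += 1
        moves.append((vip, owners.get(vip), target))
    return new_owners, moves

# Private-side pool from the message; the failure sequence is constructed.
PRIVATE_POOL = ["192.168.1.1", "192.168.1.4", "192.168.1.5"]

def demo():
    owners, _ = rebalance(PRIVATE_POOL, {}, {"FW-A", "FW-B"})
    after_fail, fail_moves = rebalance(PRIVATE_POOL, owners, {"FW-B"})
    _, back_moves = rebalance(PRIVATE_POOL, after_fail, {"FW-A", "FW-B"})
    return owners, fail_moves, back_moves

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The same function would be run once per subnet, so the public-side pool (205.1.1.1, 205.1.1.4, 205.1.1.5) is handled by a second call with its own ownership map.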