Firewall Wizards mailing list archives

Re: High availability


From: Carric Dooley <carric () com2usa com>
Date: Thu, 8 Jul 1999 12:43:15 -0400 (EDT)

Well, then let me give it a try:

If you have ever worked with Cisco's HSRP you already know how it works.
Firewalls "A" and "B" typically have an internal interface, an external
interface and (ideally) the state link interface.

Now, VRRP works like this.  Let's say you have internal addresses

***Private***
FW-A: 192.168.1.2(port1)
                         -> Virtual IP: 192.168.1.1
FW-B: 192.168.1.3(port1)

***Public***
FW-A: 205.1.1.2(port2)
                         -> Virtual IP: 205.1.1.1
FW-B: 205.1.1.3(port2)

***State Link***
FW-A: 10.0.0.1(port3)
FW-B: 10.0.0.2(port3)

You set port1 to monitor port2 on both firewalls in case of port failure.
If one fails they are all shut down so the unit does not become a "black
hole" for network traffic.

Now, you set 192.168.1.2 as a virtual router backing up IP 192.168.1.1 and
do the same with 192.168.1.3.  The name of the virtual router should be
the same for both (i.e. Virtual Router 1)

Now set 205.1.1.2 and 205.1.1.3 to back up 205.1.1.1 creating your second
virtual router (Virtual Router 2).

Let's say FW-A is our primary so he gets a router priority of 100 with a
delta of 5 for both interfaces (this means it will change to a routing
priority of 95 given a failure).  On FW-B we set the router priority to 99
with a delta of 5.  What this means is if we lose FW-A, FW-B takes over the
virtual IPs (these are the addresses you actually designate as gateways).
The IP 192.168.1.1 is our floating internal IP address for our clients to
use as their gateway.  The same goes for devices in the DMZ on the public
side.  Their path into the network is 205.1.1.1.

I don't think this was as clear as I was planning to make it, but I hope
it makes sense.


Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Tue, 6 Jul 1999, Sandy Green wrote:

How does the HA solution work? i.e. when there is a
change over from the primary to secondary, the IP
addresses are swapped over to the secondary.

Which IP addresses are swapped? The external as
well as the internal, or only the external?
What about the ARP cache? What about the mapping
of MAC address to IP address of the internal IP
addresses?

In short I need to understand the working of a
HA solution. The white papers on sites like
StoneBeat only talk about it superficially.

I asked this question on the Checkpoint mailing list
but have not got a satisfactory answer as yet.

thanks


