Firewall Wizards mailing list archives
Re: High availability
From: Russ Wolfe <rwolfe () hxcorp com>
Date: Tue, 06 Jul 1999 17:39:40 -0400
I can't speak for other solutions, but I can for the Stonebeat HA solution. In the standby configuration (there is also now a load sharing configuration that has both firewalls up) the firewall that is standing by has its internal, external, and any other operative network interfaces down. There is a single network connection between the primary and secondary boxes that carries the heartbeat and other tests that tell the secondary when it must take over.

For UNIX systems, the MAC address is configurable for all interfaces, so for all the interfaces involved, you simply assign them the same MAC address. This is accomplished by a configuration file in the /opt/stonebeat/etc directory. Only the heartbeat interfaces are set up under the UNIX operating system (i.e. have a hostname.le0 file, etc.) and remain up at all times. Having the same MAC addresses assigned to the hot and standby interfaces eliminates the ARP issues.

For example, you have two SPARC 10s with the interfaces configured accordingly:

Interface  Primary Firewall  Secondary Firewall  Role
le0        172.16.1.1        172.16.1.2          heartbeat network unique MACs
QFE0       209.28.16.4       209.78.16.4         external interface - same MAC
QFE1       10.1.1.1          10.1.1.1            internal interface - same MAC
QFE2       208.14.1.2        208.14.1.2          DMZ interface - same MAC

Only the le0 interfaces would be configured in the operating system - QFEx interfaces would all be set up under Stonebeat config files, and the operating system would be unaware of them until the Stonebeat software brought them up in a switchover.

Hope this helps.

Russ Wolfe
Manager, Information Security Solutions
Halifax Corporation
Sandy Green <sand232 () yahoo com> 07/06/99 10:17AM >>>
How does the HA solution work? I.e., when there is a changeover from the primary to secondary, the IP addresses are swapped over to the secondary. Which IP addresses are swapped? The external as well as the internal, or only the external? What about the ARP cache? What about the mapping of MAC address to IP address of the internal IP addresses?

In short I need to understand the working of a HA solution. The white papers in the sites like Stonebeat only talk about it superficially. I asked this question in the Checkpoint mail list but did not get a satisfactory answer as yet.

Thanks
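The ARP point in the reply above, as an added example that is not part of the original emails or of Stonebeat's software: a small Python model of a neighbouring host's ARP cache across a standby switchover, comparing a standby interface that shares the primary's MAC with one that has its own. The MAC addresses, the 1200-second cache lifetime, the class and function names, and the absence of any gratuitous ARP from the standby are all assumptions made for the illustration.

```python
ARP_TTL = 1200  # assumed neighbour ARP cache lifetime, in seconds

class Iface:
    def __init__(self, ip, mac, up):
        self.ip, self.mac, self.up = ip, mac, up

class Segment:
    """One LAN segment with both firewalls' interfaces attached."""
    def __init__(self, ifaces):
        self.ifaces = ifaces

    def who_has(self, ip):
        # ARP request: only an interface that is up answers.
        return next((i.mac for i in self.ifaces if i.up and i.ip == ip), None)

    def delivers(self, ip, mac):
        # A frame arrives only if an up interface owns that MAC and IP.
        return any(i.up and i.ip == ip and i.mac == mac for i in self.ifaces)

class Neighbour:
    def __init__(self):
        self.cache = {}  # ip -> (mac, time learned)

    def send(self, seg, ip, now):
        entry = self.cache.get(ip)
        if entry is None or now - entry[1] >= ARP_TTL:
            mac = seg.who_has(ip)
            if mac is None:
                return False
            entry = self.cache[ip] = (mac, now)
        return seg.delivers(ip, entry[0])

def outage_after_failover(shared_mac, failover_at=100, step=10, horizon=3000):
    """Seconds from switchover until the neighbour's traffic is delivered again."""
    ip = "10.1.1.1"  # internal address from the table in the email
    primary = Iface(ip, "08:00:20:00:00:01", up=True)  # constructed MACs
    standby_mac = primary.mac if shared_mac else "08:00:20:00:00:02"
    standby = Iface(ip, standby_mac, up=False)
    seg, host = Segment([primary, standby]), Neighbour()
    for now in range(0, horizon, step):
        if now == failover_at:
            primary.up, standby.up = False, True  # standby takes over
        ok = host.send(seg, ip, now)
        if now >= failover_at and ok:
            return now - failover_at
    return None

if __name__ == "__main__":
    print("shared MAC outage (s):", outage_after_failover(True))
    print("unique MAC outage (s):", outage_after_failover(False))
```

With a shared MAC the neighbour's cached entry stays valid through the switchover; with a unique MAC and no gratuitous ARP, delivery resumes only once the stale entry ages out.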