Firewall Wizards mailing list archives
RE: VRRP vs. Stonebeat
From: "Stefan Norberg" <stnor () sweden hp com>
Date: Tue, 21 Mar 2000 19:50:11 +0100
[snip]
To me it is pretty unclear how VRRP determines a box being "dead" to initiate a failover. From what I know Stonebeat is very flexible in implementing failover conditions. To make it more clear let me describe
two
or three scenarious here: 1) Interface goes down Usual failover condition. Both solutions can detect and will fail over.
Now
lets assume the default gateway to the Internet is unreachable from the Firewall but the network interface stays up (e.g. because of the switch
the
box is connected to has a partial failure). With Stonebeat I can ping the default gateway for reachability and in case it is gone independent of the network interface status I can initial failover. How can VRRP handle that
?
VRRP itself cannot handle that fail condition as far as I know. Personally, I'd use some kind of dynamic routing protocol (ie OSPF) or HSRP deal with that.
2) Firewall process dies Can VRRP detect a dead Firewall process ? Here we would have a functional network connectivity, but the firewall processes on the box are gone, the box as a firewall is not operational. From what I know Stonebeat can detect, VRRP not.
A hack would be to run some kind of shell script that monitores the FW-1 processes and if there is a problem tries to restart the firewall software. If that fails - just "ifconfig eth-sXpX down" an interface that is a "monitored circuit" for the VRRP Virtual router, and you should see a fail-over of the Virtual Router.
3) Proxy Server unreachable Same as 1) but instead of the default gateway a proxy in a DMZ is unreachable. How can VRRP detect (remember: interface still alive). I do not know either of the products in detail, so please correct me if
I'm
wrong.
Is this really a condition where you want to fail-over? Hope this helps, Stefan Norberg
Current thread:
- VRRP vs. Stonebeat Oliver_Weismantel (Mar 21)
- RE: VRRP vs. Stonebeat Stefan Norberg (Mar 21)