Firewall Wizards mailing list archives
Re: Firewall-1 platforms (end of thread, I hope.)
From: "shawn . moyer" <shawn () net-connect net>
Date: Thu, 08 Mar 2001 16:38:51 -0600
Welp, time to eat crow. :)=) I poked around a bit and found some docs from when I had worked with this a year ago, and yes, we had another piece in addition to VRRP to keep both firewalls active. We used some small Arrowpoint (now Cisco) and / or Foundry L4 switches to do the additional firewall load balancing work. I knew all those network guys standing around when I was setting the firewalls up were doing *something*... :)

In a design without this, Barney and Andrew are correct, you generally would be doing active / standby only.

Caveats:

1. You would not need to set different default routes up on the boxes that route through the firewalls, just point them to the VIP / VRID. Still not sure why it's referenced that way in the RFC.

2. This still came out as a more cost-effective solution (if not by much) for us than the Sun / Stonebeat setup, because of the throughput on Nokia versus an equivalent Sun setup. We would have had to go with E250's to get comparable performance (even in active / standby) to an IP440.

3. There are some references out there to doing this without a load balancer via some crafty uses of BGP4 or another weight-based routing protocol. Since the Nokias will talk BGP and OSPF, this could be an option. The trick there is making sure you don't end up with asymmetric routing.

4. I still don't like Stonebeat. Sorry. :) You could probably still do this with just load-balancers and shared state between firewalls via FW-1 HA (sync.conf) stuff, though.

Some more references:

http://www.cisco.com/warp/public/117/fw_load_balancing.html
http://sysadmin.oreilly.com/news/bourke_1100.html

--shawn

--
s h a w n   m o y e r
shawn () net-connect net

The universe did not invent justice; man did. Unfortunately, man must reside in the universe. -- Zelazny

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
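Caveats 3 and 4 above (asymmetric routing, and shared state via FW-1 sync) are easy to see in a toy model. The following is an added example, not code from the post, the list, or any of the products named: it simulates two stateful firewalls behind a balancer that either sprays packets per-packet (round robin, as naive weight-based routing can) or hashes each flow symmetrically, with and without state sync. The flows, box names and policy names are constructed for the simulation.

```python
import zlib
from dataclasses import dataclass, field
from itertools import count

# Constructed sample flows (client -> server); not real hosts.
FLOWS = [
    ("10.0.0.11:40001", "198.51.100.7:443"),
    ("10.0.0.12:40002", "198.51.100.7:443"),
    ("10.0.0.13:40003", "203.0.113.9:25"),
    ("10.0.0.14:40004", "203.0.113.9:22"),
]


@dataclass
class StatefulFirewall:
    """A stateful box: a reply is accepted only if it matches known state."""
    name: str
    state: set = field(default_factory=set)

    def outbound(self, flow):
        self.state.add(flow)        # first packet creates the connection entry

    def reply(self, flow):
        return flow in self.state   # no matching state -> reply is dropped


def round_robin(counter):
    """Per-packet balancing: each packet goes to the next box, flow ignored."""
    def choose(fws, src, dst):
        return fws[next(counter) % len(fws)]
    return choose


def flow_hash(fws, src, dst):
    """Symmetric hash: both directions of a flow land on the same box."""
    key = "|".join(sorted((src, dst)))
    return fws[zlib.crc32(key.encode()) % len(fws)]


def simulate(policy, state_sync):
    """Return how many flows lose their reply packet under the given policy."""
    fws = [StatefulFirewall("fw-a"), StatefulFirewall("fw-b")]
    choose = flow_hash if policy == "flow_hash" else round_robin(count())
    dropped = 0
    for src, dst in FLOWS:
        flow = (src, dst)
        choose(fws, src, dst).outbound(flow)
        if state_sync:              # every box learns the entry (sync.conf style)
            for fw in fws:
                fw.state.add(flow)
        if not choose(fws, dst, src).reply(flow):   # reply travels dst -> src
            dropped += 1
    return dropped
```

With per-packet balancing and no sync every reply hits the box that never saw the SYN and is dropped; either a flow-consistent hash or state sync brings the drop count to zero.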