Firewall Wizards mailing list archives
Re: RE: Firewall-1 platforms
From: Barney Wolff <barney () databus com>
Date: Thu, 8 Mar 2001 15:27:07 -0500
Maybe I don't understand, but the picture in the vrrp draft shows half the inside hosts set to one default router, half to the other. That's what I'm calling primitive. Am I missing something?

Barney

On Thu, Mar 08, 2001 at 12:38:42PM -0600, shawn . moyer wrote:
> Barney Wolff wrote:
> > Nokia may or may not support load balancing, but as I read
> > VRRP, load-balancing support is very primitive - you get to
> > manually configure the default-router IP addresses on the
> > hosts behind the firewall. I have no live experience with
> > Stonebeat, but I believe the advertised load-balancing
> > support is fancier.
>
> Well, yes, if you want to do layer four load balancing (based on stuff like URL / URI, etc.) you need a true load balancing device or application. I guess that's what you mean by fancy.
>
> I would generally advocate (for the price / performance level) a box like F5 or Arrowpoint for something like that if you want the "fancy" stuff. I'd prefer a hardware solution over a software one, myself. And there's nothing stopping you from using a device like that for your web and app servers *behind* the firewall.
>
> For basic load-sharing, though, VRRP does just fine. And when would you *not* set a default route on your hosts?
>
> In practice, what you do with the Nokias is:
>
>                  [outside network]
>                          |
>                          |
>                          |
>              (( outside Virtual IP ))
>                          |
> (outside interface # 1)     (outside interface # 2)
>                          X
> (inside interface # 1)      (inside interface # 2)
>                          |
>               (( inside Virtual IP ))
>                          |
>                          |
>                  [internal network]
>
> The outside and inside hosts just see the inside and outside VIPs, and VRRP does the rest of the work. As with Stonebeat, for all intents and purposes the two (or more) devices are seen as one logical device.
>
> Would "primitive" be another way of saying "simple"? That's not always a bad thing, IMHO.