On Sun, Jan 01, 2006 at 12:28:42AM +0000, Karl O. Pinc wrote:
[...]
> Suppose I have 2 firewalls, one failing over to the
> other with carp. (net.inet.carp.preempt=1 on
> both firewalls.) Each has 3 interfaces, internet,
> lan, and dmz. The dmz has, say, a webserver.
> Now to connect the 2 firewalls to the webserver
> an additional switch/hub is required in the physical
> topology.
> [...]
> If the dmz interfaces go down, then does this
> not shut off all the carp interfaces on both
> firewalls as a group, turning off the parts
> of both firewalls that are still functioning?
[...]

Link failures on any physical interface that is used together with carp cause all carp interfaces to change their advskew to 240. This way a backup host with net.inet.carp.preempt=1 and an advskew lower than 240 can preempt all of the faulty host's carp interfaces.

In your scenario, both firewalls would change their advskew to 240. But a takeover only happens if one has a lower advskew, not if they are equal. Therefore you should be just fine. No need for ifstated.

Marco
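
The rule described in the reply above, as an added example that is not part of the original thread and is not OpenBSD's carp(4) code. It is a simplified model: the firewall names, the configured advskew values 0 and 100, and the helper names are constructed for illustration.

```python
# Simplified model of the preempt rule as stated in the reply; not carp(4) itself.
from dataclasses import dataclass, field

DEMOTED_ADVSKEW = 240  # value named in the reply


@dataclass
class Firewall:
    name: str
    advskew: int              # configured advskew (constructed sample value)
    preempt: bool = True      # net.inet.carp.preempt=1
    link_up: dict = field(default_factory=lambda: {
        "internet": True, "lan": True, "dmz": True})

    def effective_advskew(self) -> int:
        # A failed physical link used with carp demotes every carp interface.
        return self.advskew if all(self.link_up.values()) else DEMOTED_ADVSKEW


def elect(current_master: Firewall, backup: Firewall) -> Firewall:
    """Return which host holds the carp interfaces once link states settle."""
    # Takeover needs preempt and a strictly lower advskew; a tie changes nothing.
    if backup.preempt and backup.effective_advskew() < current_master.effective_advskew():
        return backup
    return current_master


def scenario(fw1_down=(), fw2_down=()) -> str:
    """Build the two-firewall setup, fail the named links, return the master."""
    fw1 = Firewall("fw1", advskew=0)     # configured master (hypothetical)
    fw2 = Firewall("fw2", advskew=100)   # configured backup (hypothetical)
    for nic in fw1_down:
        fw1.link_up[nic] = False
    for nic in fw2_down:
        fw2.link_up[nic] = False
    return elect(fw1, fw2).name


if __name__ == "__main__":
    print("all links up:            ", scenario())
    print("fw1 loses dmz link:      ", scenario(fw1_down=("dmz",)))
    print("fw2 loses lan link:      ", scenario(fw2_down=("lan",)))
    # The shared DMZ switch dies: both hosts demote to 240, so nobody preempts.
    print("dmz switch fails (both): ", scenario(("dmz",), ("dmz",)))
```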