* Tim Pushor <[EMAIL PROTECTED]> [2006-08-04 22:49]:
> Hi Joachim,
> 
> Joachim Schipper wrote:
> >On Thu, Aug 03, 2006 at 02:26:40PM -0600, Tim Pushor wrote:
> >  
> >>Well, after playing a little with trunk(4), etherchannel, and carp I am 
> >>wondering something:
> >>
> >>Trying to achieve both firewall redundancy (via carp) and ethernet 
> >>redundancy (via trunk(4)), would it be possible and (and maybe even 
> >>recommended) to have firewall-1 connected solely to switch-1 and 
> >>firewall-2 connected solely to switch-2, forgo the trunk(4), and just 
> >>use carp to detect if either of the switches has failed, and fail over 
> >>to the other switch/firewall combo?
> >>
> >>Am I making sense?
> >>    
> >
> >I'm not entirely sure what you intend to achieve, but carp doesn't cross
> >switches (it works on the local Ethernet segment).
> >  
> Really? I guess I don't understand enough about how carp works. I didn't 
> see that as a limitation in any documentation that I read. Why exactly 
> is this?

of course carp crosses switches just fine.

using a "left - right" approach is fine, that is what I am doing. 
pretty much sth like

          outside links
        \ |            |
       switch ------ switch
         |             |
       core1         core2
         |             |
       switch ------ switch
         |             | 
        fw1-----------fw2
         |   pfsync    |
         |             |
       switch ------ switch
         |             |
           inside LAN

in my case there's more firewalls than this pair, that's the main 
reason why core routers and firewalls are separate. combining them is 
completely fine usually (and we do that in other locations).

using this approach, pretty much any device can fail without causing 
downtime. adding trunk adds complexity, and new failure opportunities, 
so I doubt it helps in this particular case. it has its uses, tho.


-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
