Axel Rau wrote:
> Hi all,
>
> I have a pair of redundant firewalls (obsd 4.6) and a server (fbsd 8.0):
>
>      +---+                      +------+
>      |   |                      |      |
>  ----+fw1+----------+ +---------+      |
> carp0|   |carp1     | |      em0|      |
>      |   |          | |         |      |
>      +-+-+        +-+-+-+       |      |
>        |          | sw  |       |Server|
>      +-+-+        +-+-+-+       | fbsd |
>      |   |          | |         |      |
>  ----+fw2+----------+ +---------+      |
> carp0|   |carp1              em1|      |
>      |   |                      |      |
>      +---+       DMZ            +------+
>
> We all know, the switch is the single point of failure.

Hi,
I would say your Server is __the__ single point of failure (sure the switch is also a spof but normally I'm more worried about servers than switches)

guido

> Even worse, when it fails the carp0 pair starts flapping, disturbing
> other firewall traffic.
> So, how to resolve this?
>
> Trunking would only be possible between 2 boxes, not 3.
> Carp on top of trunk?
> 2 Carp pairs on the firewalls and 1 pair at the server?
>
> If I get it right, the physical LAN should look like this:
>
>      +---+                      +------+
>      |   |        +-----+       |      |
>  ----+fw1+--------+ sw1 +-------+      |
> carp0|   +--+     +-+-+-+    em0|      |
>      |   |  |       |           |      |
>      +-+-+  |  +----+           |      |
>        |    |  |                |Server|
>      +-+-+  +--|------+         | fbsd |
>      |   |     |      |         |      |
>      |   +-----+  +-+-+-+       |      |
>  ----+fw2+--------+ sw2 +-------+      |
> carp0|   |        +-----+    em1|      |
>      +---+                      +------+
>
> Switches must have Spanning Tree support (RSTP), so I hope a pair of
> Netgear GS108T can do this.
>
> Any proposals highly appreciated,
> Axel
> ---
> axel....@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
> chaos claudius