There are better ways to do this stuff, and we should have more 'protocols' involved that "sense" the various links and their connectivity, but what we have seems to work just fine. We do have some issues with the WAN connections failing over properly. For example, if wan1 (primary) fails, since the switches are trunked together, fw1 (primary) should normally attempt to use wan2, but it doesn't seem to work properly. We're in a co-location center, so the WAN connections aren't really different providers, just different physical links into the center's switches. It sounds ARP related to me, but I didn't have much of a chance to test it.

We also probably could have used VLAN tagging and not done multiple connections between the firewall and switch. That would have left us some room to connect the firewalls to both switches to guard against a trunk port failure. One piece of advice I can offer is to avoid Dell switches; they are junk.

-Matt

On Tue, 2005-12-13 at 11:35 -0500, Scott Ullrich wrote:
> Fancy. Have to say that I haven't experimented with multiple
> switches as of yet.
>
> Good to know!
>
>
> On 12/13/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> > We use the same switch for everything and have it broken into untagged
> > VLANs which simulate breaking the switch up into smaller switches. We
> > have two switches total with the same configuration, and one port on each
> > is configured as a trunk (the switches are connected to one another).
> > All servers have a connection to switch A and a connection to switch B.
> > The servers are running an Ethernet bonding driver which only allows one
> > active interface. We have two pfSense firewalls with a pfsync interface
> > between them. Firewall A is connected to switch A and firewall B is
> > connected to switch B.
> >
> > http://www.nocturnal.org/quickexample.gif
> >
> > Hopefully self-explanatory .. just keep in mind that I have multiple
> > connections between the switches and firewalls and do route the
> > different "physical" switch segments through the firewall.
> >
> > On Tue, 2005-12-13 at 01:00 -0800, Kevin Steger wrote:
> > > Hello,
> > >
> > > I have looked at the tutorial on the site for setting up redundant
> > > firewalls, and I have a question. In the architecture on the first
> > > slide of the tutorial there is a single switch connecting the
> > > firewalls to the internet, and a single switch connecting them to the
> > > LAN. I'm sure that this is done to simplify the example, but does
> > > there exist anywhere an example using redundant switching hardware
> > > as well? I have 2 database machines I'm dropping in a colo and I want
> > > redundant firewalling and IPsec VPN.
> > >
> > > Thanks much.
> > >
> > > --
> > > Kevin
> > >
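As an added illustration (not code from the thread, from pfSense, or from any of the posters), the following Python script models the two-switch topology Matthew describes and enumerates single and double failures to compare the as-built cabling (one firewall per switch) against the dual-homed firewall cabling Matt says VLAN tagging would have allowed. The exact wiring is an assumption reconstructed from the description: wan1 lands on switch A, wan2 on switch B, both servers have a link to each switch, and the switches are joined by one trunk. The model covers physical connectivity only and assumes bonding, CARP and ARP failover all behave, which is precisely the part Matt reports not working for WAN failover, so it bounds what the topology can survive rather than describing what the deployment actually did.

```python
"""Failure analysis of a dual-switch, dual-firewall colo topology (constructed model)."""
from itertools import combinations

# Constructed node names; the wiring below is an assumption based on the thread.
SERVERS = ("db1", "db2")
FIREWALLS = ("fwA", "fwB")
WANS = ("wan1", "wan2")


def link(a, b):
    """Undirected physical link between two nodes."""
    return frozenset((a, b))


AS_BUILT = {
    link("db1", "swA"), link("db1", "swB"),   # servers dual-homed (active-backup bond)
    link("db2", "swA"), link("db2", "swB"),
    link("fwA", "swA"), link("fwB", "swB"),   # one firewall per switch
    link("swA", "swB"),                       # trunk between the two switches
    link("wan1", "swA"), link("wan2", "swB"), # assumption: one WAN uplink per switch
}

# Matt's suggestion: tag VLANs on a single uplink so each firewall can be
# cabled to both switches.
DUAL_HOMED = AS_BUILT | {link("fwA", "swB"), link("fwB", "swA")}


def reachable(links, start, failed):
    """Nodes reachable from start over links, skipping failed nodes and links."""
    if start in failed:
        return set()
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for l in links:
            if l in failed or node not in l:
                continue
            (other,) = l - {node}
            if other in failed or other in seen:
                continue
            seen.add(other)
            stack.append(other)
    return seen


def unserved_servers(links, failed):
    """Servers that cannot reach a firewall which still has a path to a WAN uplink.

    Assumes CARP moves the gateway to whichever firewall is still up and
    WAN-connected, and that bonding/ARP converge on the surviving links.
    """
    failed = set(failed)
    live_fws = [fw for fw in FIREWALLS
                if any(w in reachable(links, fw, failed) for w in WANS)]
    return [s for s in SERVERS
            if not any(fw in reachable(links, s, failed) for fw in live_fws)]


def elements(links):
    """Infrastructure elements that can fail: every non-server node and every link."""
    nodes = set().union(*links) - set(SERVERS)
    return sorted(nodes) + sorted(links, key=sorted)


def outages(links, size):
    """Failure combinations of the given size that leave at least one server unserved."""
    return [combo for combo in combinations(elements(links), size)
            if unserved_servers(links, combo)]


if __name__ == "__main__":
    for name, topo in (("as built", AS_BUILT), ("dual-homed firewalls", DUAL_HOMED)):
        print(f"{name}: {len(outages(topo, 1))} single-failure outages, "
              f"{len(outages(topo, 2))} double-failure outages")
        for combo in outages(topo, 2):
            print("  outage on", " + ".join(sorted("-".join(sorted(e)) if isinstance(e, frozenset) else e
                                                   for e in combo)))
```

In the model, no single failure takes the servers offline in either cabling, but the as-built wiring loses service when switch A and firewall B fail together, because firewall A is then unreachable; with each firewall cabled to both switches that pair is survivable, and only combinations that remove every WAN path remain fatal. Pairing this kind of enumeration with actual failover tests (pull the uplink, watch ARP and CARP state) is what separates the topology's theoretical tolerance from the behaviour Matt observed.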
