I've got your point. Two ways come to my mind:

1. Two servers running in parallel. There you have two IP addresses/MAC
addresses known by PIX. But for this approach the highav needs load
balancing through dynamic routing (OSPF would be an excellent choice).

2. Two servers using any proprietary hot standby, which provides a pseudo (or
virtual) MAC address to the PIX, so that the takeover from one server to the
other is not perceived by the PIX.

Sure, the alternative is to drop PIX. :-)

Regards

Norbert Schaar
Firewall Team - Network Security Services
Dresdner Global IT Services - DreGIS
Dresdner Bank AG

-----Original Message-----
From: David Lang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 20 January 1999 20:02
To: Schaar, Norbert
Cc: rich; [EMAIL PROTECTED]
Subject: RE: Resonate and Pix


-----BEGIN PGP SIGNED MESSAGE-----

A Cisco router will accept new ARP info before the old info ages out. The
issue that started this thread was the Resonate load balancing/failover
software; part of its functionality allows one machine to take over IP
addresses from another. This works with Sun, Linux, BSD*, AIX, HP, ...
machines and Cisco, 3com, ... routers but not with the PIX.

In this case reducing the ARP timeout is not nearly as good a solution,
because with the gratuitous ARP, failover can happen within 5 sec or less of a
machine going down; if you set the ARP timeout to such a low value, you
will have far too many ARP broadcasts on your network.

David Lang

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy."
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

On Wed, 20 Jan 1999, Schaar, Norbert wrote:

> Date: Wed, 20 Jan 1999 16:14:28 +0100
> From: "Schaar, Norbert" <[EMAIL PROTECTED]>
> To: 'David Lang' <[EMAIL PROTECTED]>,
>      "Schaar, Norbert" <[EMAIL PROTECTED]>
> Cc: rich <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Resonate and Pix
> 
> That's right, PIX ignores new MAC addresses until the entry in its ARP table
> ages out. From the point when the entry is gone, PIX will accept new ARP
> broadcast announcements and advertisements and update its table.
> So it's very important to reduce the value of the PIX ARP timeout or manually
> delete the table through "clear arp".
> 
> By the way, any networking device has such a feature; for example SUN
> SPARC's timeout is by default 300 seconds. So it always takes some minutes
> until your changed card or (in highav) your new machine is able to send
> and receive packets.
> Possibly PIX is more stringent in ignoring some stuff on the wire, because
> of its nature as a firewall. But you can discover the same behavior on any
> Cisco router and SUN Sparc server.
> 
> Anyhow, try it out with PIX and you will see it works.
> 
> Kind regards
> 
> Norbert Schaar
> Firewall Team - Network Security Services
> Dresdner Global IT Services - DreGIS
> Dresdner Bank AG
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
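The thread contrasts two ARP cache policies: a router that accepts a new MAC for an IP as soon as it hears a gratuitous ARP (David Lang's description of Cisco routers), and a device that ignores the new MAC until the existing entry ages out (the PIX behaviour Norbert Schaar describes). The model below is an added example, not code from any participant, Cisco or Resonate; the class names, the 300-second timeout, the 5-second gratuitous-ARP interval and the addresses are all constructed, and real caches also refresh entries on traffic, which this model leaves out. It shows how the observed failover delay depends on the policy rather than on how fast the standby announces itself, and why lowering the timeout only buys speed at the price of more ARP traffic.

```python
"""Model of two ARP cache update policies and the failover delay each produces.

Added example (not from the thread). All parameters are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ArpEntry:
    mac: str
    learned_at: float  # time (seconds) the entry was created or refreshed


@dataclass
class ArpCache:
    timeout: float        # seconds an entry stays valid without a refresh
    accept_updates: bool  # True: a new MAC replaces a live entry at once
                          # False: a new MAC is ignored until the entry ages out
    table: Dict[str, ArpEntry] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        stale = [ip for ip, e in self.table.items()
                 if now - e.learned_at >= self.timeout]
        for ip in stale:
            del self.table[ip]

    def learn(self, ip: str, mac: str, now: float) -> bool:
        """Process an ARP announcement for ip; return True if the table changed."""
        self._expire(now)
        cur = self.table.get(ip)
        if cur is not None and cur.mac == mac:
            cur.learned_at = now      # same MAC: just refresh the entry
            return False
        if cur is not None and not self.accept_updates:
            return False              # strict policy: live entry wins until aged out
        self.table[ip] = ArpEntry(mac, now)
        return True

    def lookup(self, ip: str, now: float) -> Optional[str]:
        self._expire(now)
        e = self.table.get(ip)
        return e.mac if e else None


def failover_delay(cache: ArpCache, vip: str, old_mac: str, new_mac: str,
                   last_refresh: float, t_fail: float, garp_interval: float,
                   horizon: float = 100_000.0) -> float:
    """Seconds after t_fail until cache.lookup(vip) returns new_mac.

    The active server last refreshed the entry at last_refresh and dies at
    t_fail; the standby then sends a gratuitous ARP for vip every
    garp_interval seconds. Returns inf if the horizon is exceeded.
    """
    cache.learn(vip, old_mac, last_refresh)
    t = t_fail
    while t - t_fail < horizon:
        t += garp_interval
        cache.learn(vip, new_mac, t)
        if cache.lookup(vip, t) == new_mac:
            return t - t_fail
    return float("inf")


def arp_requests_per_hour(active_pairs: int, timeout: float) -> float:
    """Rough lower bound on ARP requests per hour for a given timeout.

    Assumes each live (source, destination) pair re-resolves once per timeout;
    this is the traffic cost of shortening the timeout that the thread warns about.
    """
    return active_pairs * 3600.0 / timeout


if __name__ == "__main__":
    # Constructed scenario: entry refreshed at t=0, active server dies at t=100,
    # standby announces every 5 s, cache timeout 300 s.
    args = ("10.0.0.10", "00:00:5e:00:53:01", "00:00:5e:00:53:02", 0.0, 100.0, 5.0)
    print("router-like cache :", failover_delay(ArpCache(300.0, True), *args), "s")
    print("PIX-like cache    :", failover_delay(ArpCache(300.0, False), *args), "s")
    for timeout in (300.0, 60.0, 5.0):
        print(f"timeout {timeout:>5} s -> >= {arp_requests_per_hour(200, timeout):.0f} ARP requests/hour")
```

With the accepting policy the new MAC is live at the first gratuitous ARP after the failure (5 s here); with the strict policy it is live only when the old entry ages out (200 s here), no matter how often the standby announces. Cutting the timeout to approach the first figure multiplies the background ARP rate accordingly, which is the trade-off the thread describes.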
