Josh Welch wrote:
>
> > Fact: We re-use the same hardware addresses on all interfaces.
> > They had figured out that this caused the problems with the switch.
> >
>
> Okay, I'll be the ignorant guy. Why do you do this? Keeping in mind I am making
> no judgement, merely don't know and I find it interesting.
Hm sorry, that fact tidbit was somewhat incomplete.
This only applies to HA firewalls.
For management communication, the unique hardware addresses are still
used. However, the shared IP address (the one you should use as
gateway) resolves to a third, shared hardware address that moves
between the firewalls as they go active/inactive.
This way, you get failover just by sending a few packets to trigger
MAC/port learning in switches, rather than attempting to update the
ARP caches of all attached units with a new hardware address.
This shared hardware address is the same on all interfaces, simply
because it _should_ _not_ _matter_ as long as the broadcast domains
are truly separate. In the aforementioned case, it would seem that
the broadcast domains were only "sort of" separate, as long as
someone in domain 1 didn't use a MAC address from domain 2.
Whoops :)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
Ynlre 8 frphevgl fbyhgvbaf: uggc://yneg.onqs00q.bet
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
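The failover mechanism described in the reply above (one shared MAC on every interface of an HA pair, moved between units by triggering switch MAC/port learning) and the failure mode it runs into when broadcast domains are only "sort of" separate can be illustrated with a small switch simulation. The following is an added example and not code from the original post or from Clavister; the topology, port numbers, VLAN ids and the virtual MAC are constructed. It models two switches: one that learns per (VLAN, MAC), i.e. truly separate broadcast domains, and one flat learner that keys on MAC only, which is what a leaky or bridged setup effectively looks like to the shared address.

```python
"""
Simulated layer-2 MAC learning for an HA firewall pair that uses one shared
(virtual) MAC address on all of its interfaces.

Two switch models are compared:
  * vlan_aware=True  : learning keyed by (vlan, mac), domains truly separate.
  * vlan_aware=False : learning keyed by mac only, domains only "sort of"
                       separate, so the same MAC is seen on several ports.
All addresses and port numbers below are constructed for the example.
"""

SHARED_MAC = "02:00:00:00:00:01"          # constructed virtual MAC of the HA pair

# Constructed topology: interface name -> (vlan, switch port) for each unit.
FW_A = {"outside": (10, 1), "inside": (20, 2)}
FW_B = {"outside": (10, 3), "inside": (20, 4)}


class Switch:
    """Minimal learning switch: remembers which port a source MAC was last seen on."""

    def __init__(self, vlan_aware: bool):
        self.vlan_aware = vlan_aware
        self.table = {}      # key -> port
        self.moves = []      # (key, old_port, new_port) for every MAC move

    def _key(self, vlan, mac):
        return (vlan, mac) if self.vlan_aware else mac

    def learn(self, vlan, src_mac, ingress_port):
        """Process an incoming frame's source address; record any port change."""
        key = self._key(vlan, src_mac)
        old = self.table.get(key)
        if old is not None and old != ingress_port:
            self.moves.append((key, old, ingress_port))
        self.table[key] = ingress_port

    def lookup(self, vlan, dst_mac):
        """Port the switch would forward a frame for dst_mac in this VLAN to."""
        return self.table.get(self._key(vlan, dst_mac))


def announce(switch, fw):
    """The newly active unit sends a frame from the shared MAC on each interface,
    which is what triggers MAC/port learning instead of refreshing ARP caches."""
    for vlan, port in fw.values():
        switch.learn(vlan, SHARED_MAC, port)


def run_scenario(vlan_aware):
    """FW-A becomes active, then a failover makes FW-B active."""
    sw = Switch(vlan_aware)
    announce(sw, FW_A)
    moves_before_failover = len(sw.moves)   # should be 0 in a healthy setup
    announce(sw, FW_B)
    return {
        "moves_before_failover": moves_before_failover,
        "outside_port": sw.lookup(10, SHARED_MAC),
        "inside_port": sw.lookup(20, SHARED_MAC),
        "total_moves": len(sw.moves),
        "switch": sw,
    }


def suspicious_keys(switch, failover_count):
    """Detection heuristic: a MAC that moved ports more often than there were
    failovers is being learned from more than one broadcast domain."""
    counts = {}
    for key, _old, _new in switch.moves:
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > failover_count)


if __name__ == "__main__":
    for aware in (True, False):
        r = run_scenario(aware)
        print(f"vlan_aware={aware}: outside->port {r['outside_port']}, "
              f"inside->port {r['inside_port']}, moves={r['total_moves']}, "
              f"suspicious={suspicious_keys(r['switch'], 1)}")
```

With per-VLAN learning the only MAC moves are the two caused by the failover and each VLAN forwards to the correct port of FW-B. With flat learning the shared MAC flaps between ports as soon as FW-A announces on its second interface, and after failover frames for the outside VLAN are forwarded to FW-B's inside port; the `suspicious_keys` check flags the shared MAC because it moved more times than a failover can explain, which is the kind of MAC-move count a defender can pull from switch logs to spot a leaky broadcast domain.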