[resent; my previous post hasn't gotten through in 24 hrs.. ?]
Josh Welch wrote:
> > Mikael Olsson wrote:
> > Fact: We re-use the same hardware addresses on all interfaces.
> > They had figured out that this caused the problems with the switch.
>
> Okay, I'll be the ignorant guy. Why do you do this? Keeping in mind I am
> making no judgement, merely don't know and I find it interesting.

Hm sorry, that fact tidbit was somewhat incomplete. This only applies to
HA firewalls.

For management communication, the unique hardware addresses are still
used. However, the shared IP address (the one you should use as gateway,
etc.) resolves to a third, shared hardware address that moves between the
firewalls as they go active/inactive. This way, you get failover just by
sending a few packets to trigger MAC/port learning in switches, rather
than attempting to update the ARP caches of all attached units with a new
hardware address.

This shared hardware address is the same on all interfaces, simply
because it _should_ _not_ _matter_ as long as the broadcast domains are
truly separate.

In the aforementioned case, it would seem that the broadcast domains were
only "sort of" separate, as long as someone in domain A didn't use a MAC
address from domain B. Whoops :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
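The shared-MAC failover and the "sort of separate" broadcast domains discussed in the post above, as an added simulation that is not part of the original message or of any Clavister product: a learning switch that keeps per-VLAN MAC tables (truly separate domains) is compared with one that keeps a single flat table; the virtual MAC, port and VLAN numbers are constructed for the example.

```python
"""Constructed model of switch MAC learning with an HA firewall's shared MAC.

Two firewall interfaces (LAN and DMZ) carry the same virtual hardware
address. With per-VLAN tables the switch never sees a conflict and a
failover only needs a few frames from the new active node. With one flat
table the MAC flaps between ports and traffic ends up on the wrong port.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac vlan in_port")

SHARED_MAC = "00:00:5e:00:01:01"   # constructed virtual MAC shared by the HA pair


class LearningSwitch:
    def __init__(self, per_vlan_tables):
        self.per_vlan = per_vlan_tables
        self.table = {}    # key -> port that last sourced the MAC
        self.moves = 0     # how often a known MAC changed port (flapping)

    def _key(self, mac, vlan):
        return (vlan, mac) if self.per_vlan else mac

    def learn(self, frame):
        key = self._key(frame.src_mac, frame.vlan)
        old = self.table.get(key)
        if old is not None and old != frame.in_port:
            self.moves += 1
        self.table[key] = frame.in_port

    def port_for(self, mac, vlan):
        return self.table.get(self._key(mac, vlan))


def run_ha_traffic(per_vlan_tables):
    sw = LearningSwitch(per_vlan_tables)
    # Active node FW1: LAN interface on port 1 (VLAN 10), DMZ on port 2 (VLAN 20).
    for _ in range(3):
        sw.learn(Frame(SHARED_MAC, 10, 1))
        sw.learn(Frame(SHARED_MAC, 20, 2))
    steady_moves = sw.moves   # flaps seen before any failover happened
    # Failover: FW2 (ports 3 and 4) goes active and sends a few frames so the
    # switch re-learns the shared MAC behind the new ports; no ARP updates needed.
    sw.learn(Frame(SHARED_MAC, 10, 3))
    sw.learn(Frame(SHARED_MAC, 20, 4))
    return {"steady_moves": steady_moves,
            "lan_port": sw.port_for(SHARED_MAC, 10),
            "dmz_port": sw.port_for(SHARED_MAC, 20)}


if __name__ == "__main__":
    print("separate domains:", run_ha_traffic(True))
    print("flat table:      ", run_ha_traffic(False))
```

With separate domains the LAN MAC moves cleanly to port 3 and the DMZ MAC to port 4; with the flat table both lookups return port 4, so LAN-bound frames would be forwarded out the DMZ port.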
