On Thu, 13 Jul 2000, Paul Lussier wrote:
> This is the way things are usually done with LVS, though I don't see why you
> couldn't do:
>
>                 I
>              ------
>              | R  |
>              ------
>                 |
>                 |
>     -------------     ---------------
>     | Firewall  |     | Failover FW |
>     -------------     ---------------
>           |
>     --------------
>      Internal LAN
>
> You'd have 3 IP addresses involved:
>
> 1. The Virtual IP that gets arped to the router
> 2. The Real IP of the Active FW
> 3. The Real IP of the Passive/Failover FW
>
> In the case of the primary failing, the secondary should take over, and
> provide a gratuitous arp to the router advertising the Virtual IP of the
> firewall.
>
> I can't see any reason why this wouldn't work. I've done similar things here
> using LVS, just not for firewalls.
>
Yeah, that's what I was trying to describe as possible in the paragraph
below. I just had a hard enough time doing the first picture. The only
issue would be if you're doing any kind of logging on the firewall,
although I suppose (I haven't set up LVS, don't know if it can do
this) you could do the logging to something on the internal LAN, so
when the first FW failed, the second could pick it up and keep logging. Or
you just accept that you could lose your log on the primary firewall
if it goes down, and use the log on the second one.
jeff
------------------------------------------------------------------------
Jeffry Smith Technical Sales Consultant Mission Critical Linux
[EMAIL PROTECTED] phone:603.930.9379 fax:978.446.9470
------------------------------------------------------------------------
Thought for today: He who steps on others to reach the top has good balance.
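The failover step both messages rely on is the standby firewall announcing the Virtual IP with a gratuitous ARP so the router updates its ARP cache. As an added example (not code from this thread, LVS, or Mission Critical Linux), the Python below builds such a frame, parses it back, and shows what a logging host on the internal LAN would see: a tracker that records which MAC currently claims each IP and reports when the VIP moves from one firewall's MAC to another. The VIP 192.0.2.1 and the locally administered MACs 02:00:00:00:00:01/02 are constructed placeholders.

```python
import struct

# Constructed placeholders for the example; not addresses from the thread.
VIP = "192.0.2.1"
PRIMARY_MAC = "02:00:00:00:00:01"
FAILOVER_MAC = "02:00:00:00:00:02"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_gratuitous_arp(ip, sender_mac, op=ARP_REPLY):
    """Ethernet II + ARP frame in which sender IP == target IP.

    That equality is what makes it 'gratuitous': the host is announcing
    its own mapping rather than asking for someone else's. Both a reply
    (op 2) and a request (op 1) form are seen in practice.
    """
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (
        struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype=Ethernet, ptype=IPv4
        + mac_bytes(sender_mac) + ip_bytes(ip)       # sender hardware/protocol addr
        + mac_bytes(BROADCAST_MAC) + ip_bytes(ip)    # target hardware/protocol addr
    )
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into its address fields, rejecting anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def is_gratuitous(arp):
    return arp["sender_ip"] == arp["target_ip"]


class VipTracker:
    """Remembers which MAC last announced each IP and reports ownership changes.

    Run on the internal-LAN log host, this turns the failover into a log
    event ('VIP moved from primary to standby') instead of silence.
    """

    def __init__(self):
        self.owner = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if not is_gratuitous(arp):
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.owner.get(ip)
        self.owner[ip] = mac
        if previous is not None and previous != mac:
            return (ip, previous, mac)   # VIP changed hands
        return None


if __name__ == "__main__":
    tracker = VipTracker()
    print(tracker.observe(build_gratuitous_arp(VIP, PRIMARY_MAC)))   # primary claims VIP
    print(tracker.observe(build_gratuitous_arp(VIP, FAILOVER_MAC)))  # standby takes over
```

The same tracker that explains a planned failover also flags an unplanned one: any announcement moving the VIP to a MAC that is neither firewall's is worth an alert, which is the logging-side check the reply above is asking for.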