> In a message dated: Fri, 14 Jul 2000 18:45:09 EDT
> Derek Martin said:
>
> >But, last I'd been paying attention, heartbeat does allow heartbeat over
> >serial and ethernet simultaneously, and Alan (Robertson) was thinking
> >about adding other methods. It's true that shared SCSI is not supported
> >by heartbeat, but that probably doesn't matter much in a firewall scenario
> >since you're not concerned about shared storage.
>
> Well, what if someone is hammering your firewall with a DoS attack and you've
> decided that HeartBeat is enough for you. Unless you've got Heartbeat to work
> over both serial *and* ethernet, your failover node is likely to think
> that the primary has failed and try to take over.
What makes you think this? Heartbeat specifically states that heartbeat
ethernets should be *dedicated* (as does our documentation, I believe)
which should prevent that scenario, so if you failed miserably to follow
directions and not do that, you deserve what you get...
> It's much better to not have the failover node take over in this case.
> However, if you're only using heartbeat over ethernet, this could be a
> problem.
Not any more so than with our product. Using shared SCSI for quorum is
just silly in this case, when you can use $5 ethernet cards to do the same
thing. You'll need to fork over about $200 for the SCSI adaptor PER
machine (since why on earth would you pay for SCSI in a firewall machine
which does nothing but filter and route packets), plus about $50 for
cables and pass-through terminators AND about another $200 for your shared
SCSI disk and enclosure (which actually sounds cheap for an enclosed SCSI
disk to me -- remember that shared SCSI must be EXTERNAL)... That's about
$650 roughly.
Compare that with the $15 for two cheap ethernet cards and a crossover
cable, and I think heartbeat is the hands-down winner in the cost
department.
> I'd rather have the quorum disk as a mechanism which won't get bogged down if
> the system's ethernet is getting flooded. You don't need to actually use the
> drive for storage, you can just use it for quorum. Granted, it's wasted
> space, with the smallest drives being 9GB now, but you can probably find
> an "old" 1, 2, or 4GB disk somewhere :)
It's just not an issue, in the case of a firewall machine. Using shared
SCSI only makes sense if you have shared data. Kimberlite is a great,
relatively inexpensive HA solution, but it's overkill for a redundant
firewall. Based on some of the traffic on the Linux HA list, there are
lots of people running this kind of set-up with heartbeat. It's perfectly
suitable.
> I'd rather be safe than sorry (or paged at 3:00 a.m. :)
I'll agree with you there. &^)