On 08/15/2012 01:54 AM [email protected] wrote:
> What I am thinking for a revised layout is:
> Same two feeds from ISP, one to the WAN NIC on primary, other to WAN NIC on
> secondary pfSense.
> DMZ and LAN NICs on primary to appropriate VLANs primary switch, same on
> Secondary to Secondary switch.
> Cable from each switch to NIC on each server in appropriate networks (DMZ/LAN).
>
> My Questions:
> I believe that the virtual IP setup will handle failures of the ISP
> link/switchports/WAN NIC on the pfSense boxes.
> What I am not sure about is how this will affect the spanning tree that ISP
> is using and also how to have the primary pfSense box monitor
> all of its internal ports for any failure and kill the WAN port causing
> the secondary to take over should the primary not be able to
> get to any server in any of the internal networks?
>
> Thanks for any suggestions, RTFM with link to proper document, ...
> JohnM
Most likely you want to get your ISP to provide you with an LACP based aggregated link (IEEE 802.3ad) containing the respective uplink ports (may be even more than just the two). Therefore both parties need to support LACP as the protocol. It should also be configured to use short timings, making it possible to compensate any link failure within a matter of seconds. Also LACP offers active load sharing (limited, on a per connection/session base depending on the configured hash policy) as well as fail-over functionality. This loop-free approach makes you utilize all uplink ports at the same time without the hassle to maintain a spanning tree.

In most data centres, switches providing those uplinks are also supposed to automatically shut down ports in case incoming BPDUs are being detected. This way customers are not given the chance to mess around with the spanning tree. This, in fact, is not just for security reasons but also to keep a customer from bricking their uplink caused by a misconfiguration.

HTH

Cheers
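As an added example that is not from either poster, here is a FreeBSD sh monitor implementing what JohnM describes: poll the internal NICs and take the WAN interface down when one of them loses link, so the CARP backup takes over, then bring it back up once all internal links are active. The interface names (em0 WAN, em1/em2 for LAN/DMZ), the 5-second poll interval and the constructed sample output are assumptions.

```shell
#!/bin/sh
# carpmon.sh: demote this pfSense node by downing its WAN NIC when any
# internal (LAN/DMZ) NIC loses link; restore WAN when all links are back.
# Assumed interface names; override via environment for a real deployment.
INTERNAL_IFS="${INTERNAL_IFS:-em1 em2}"
WAN_IF="${WAN_IF:-em0}"
INTERVAL="${INTERVAL:-5}"

# down_links "<ifconfig -a output>" "<iface list>"
# Prints, one per line, every listed interface whose FreeBSD ifconfig
# "status:" line is not "active" (or has no status line at all).
down_links() {
    out=$1; ifs=$2
    for i in $ifs; do
        status=$(printf '%s\n' "$out" | awk -v ifn="$i" '
            $1 == ifn":" { cur = 1; next }      # header of the wanted NIC
            /^[^ \t]/    { cur = 0 }            # header of some other NIC
            cur && $1 == "status:" { sub(/^[ \t]*status: /, ""); print; exit }')
        [ "$status" = "active" ] || printf '%s\n' "$i"
    done
}

# decide "<down list>" -> "demote" if any internal link is down, else "restore"
decide() { if [ -z "$1" ]; then echo restore; else echo demote; fi; }

main() {
    state=up
    while :; do
        down=$(down_links "$(ifconfig -a)" "$INTERNAL_IFS")
        action=$(decide "$down")
        if [ "$action" = demote ] && [ "$state" = up ]; then
            logger -t carpmon "internal link lost ($down); downing $WAN_IF"
            ifconfig "$WAN_IF" down; state=down
        elif [ "$action" = restore ] && [ "$state" = down ]; then
            logger -t carpmon "internal links active again; upping $WAN_IF"
            ifconfig "$WAN_IF" up; state=up
        fi
        sleep "$INTERVAL"
    done
}

# Constructed sample used only for a dry run: em2 has no carrier.
SAMPLE=$(printf 'em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n\tstatus: active\nem1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n\tstatus: active\nem2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n\tstatus: no carrier\n')

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh carpmon.sh run` from a cron @reboot entry or an rc script; without the `run` argument it only defines the functions, which is handy for dry-running `down_links "$SAMPLE" "em1 em2"`.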
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
