Hi all,

They exchange packets to inform each other about the status and, checking the
priorities, the slave becomes master if needed.

But here you have another problem to solve... one that VRRP itself as a standard
doesn't cover...

Let's imagine:

        Public IP address          Public IP address
                |                          |
               FW1                        FW2
                |                          |
        Private IP address         Private IP address

Imagine that FW1 is master for both connections, public and private, and one
of the connections to a switch fails but the interface is still up... for
example the private one... Then FW2 becomes master for the private
connection but not for the public one, because there is still a connection
working properly on the public side, and even when tracking the status of the
private interface you see it up...

Then you will have a problem that can be solved by forcing the protocol to
change the priority of the links when you don't receive updates from the
slaves or from the master.

Best regards,
        Juan
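
The split-master case described in the message above, as an added example that is not part of the original thread: a toy Python model of one VRRP group per segment, with and without coupling the priorities. The firewall names follow the diagram; the priority values, PENALTY, and the assumption that a firewall can tell its own path is dead (for instance from missed peer updates) are constructed for illustration.

```python
# Added illustration, not code from the thread. Toy model: two firewalls,
# one VRRP group per segment. Priorities and PENALTY are constructed values.
BASE = {"FW1": 110, "FW2": 100}   # FW1 is the configured master everywhere
SEGMENTS = ("public", "private")
PENALTY = 20                      # hypothetical priority drop per dead path


def effective_priority(fw, dead_paths, coupled):
    """Priority a firewall advertises on all of its groups."""
    if not coupled:
        return BASE[fw]           # plain VRRP: every group is independent
    # Assumption: the firewall notices its own dead path (e.g. it stops
    # receiving peer updates there) and lowers its priority on every group.
    dead = sum(1 for f, _ in dead_paths if f == fw)
    return BASE[fw] - PENALTY * dead


def masters(dead_paths, coupled):
    """Return {segment: firewall that hosts on that segment actually reach}.

    dead_paths holds (firewall, segment) pairs whose path to the switch is
    broken while the interface itself still reports link up.
    """
    result = {}
    for seg in SEGMENTS:
        # Only firewalls with a working path can be heard on this segment.
        alive = [fw for fw in BASE if (fw, seg) not in dead_paths]
        result[seg] = max(
            alive,
            key=lambda fw: effective_priority(fw, dead_paths, coupled),
            default=None,
        )
    return result


def is_split(seg_masters):
    """True when different firewalls own the virtual IPs on different segments."""
    return len(set(seg_masters.values())) > 1


if __name__ == "__main__":
    dead = {("FW1", "private")}   # FW1's private path fails, link stays up
    for coupled in (False, True):
        m = masters(dead, coupled)
        print("coupled" if coupled else "plain  ", m, "split:", is_split(m))
```

With independent groups the model ends with FW1 owning the public virtual IP and FW2 the private one; with the coupled priorities FW2 takes both.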



-----Original Message-----
From: Carmelo Floridia [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2001 18:46
To: SECURITY-BASICS
Subject: R: Firewall in HA: how VRRP works?



Ok but....
when does the backup become master?
does it depend on failure of the master hardware?
does it depend on failure of connectivity?
Certainly it depends on the firewall...
...has anyone used Nokia with FW-1 or NetScreen?
bye
Carmelo



> -----Original Message-----
> From: Nick [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday 11 December 2001 14.35
> To: Carmelo Floridia
> Cc: SECURITY-BASICS
> Subject: Re: Firewall in HA: how VRRP works?
>
>
> OK, in a nutshell...
>
> The 2 devices (in this case FWs) each have their own physical IP
> addresses on each interface.  Each *pair* of interfaces (DMZ, intranet,
> etc...) has one virtual IP address that they both pay attention to.
>
> Which application you are using will determine the method for
> configuring this, but one will be defined as *primary* and one as
> *backup*.  The primary device will answer arp requests for the virtual
> IP address.  The backup sees, but will not respond to arp requests for
> the virtual address that it is monitoring, unless it sees that the
> primary is down.  The VRRP link is how the primary/backup keep tabs on
> health check
>
> Have I forgotten anything?  Anybody else chime in...
>
>
> On Mon, 2001-12-10 at 12:18, Carmelo Floridia wrote:
> > Hi guru,
> > Assume that I have two firewalls in HA,
> > each firewall has 4 interfaces (internet, intranet, DMZ and VRRP).
> > In which way can I monitor connectivity between the firewall and the
> > other 3 networks?
> > For example, if the DMZ interface of the master firewall goes down....or
> > the link between the master firewall and the DMZ goes down....how does
> > the backup take control?
> > best regards
> > Carmelo
> >
> --
> Nick
> Network Security Consultant
> CISSP, CCSI, MCSE, CCNA
> Lucent Technologies/NPS
> Raleigh, NC
>
>
