Axel Rau wrote:
Hi all,
I have a pair of redundant firewalls (obsd 4.6) and a server (fbsd 8.0):
     +---+                      +------+
     |   |                      |      |
 ----+fw1+----------+ +---------+      |
carp0|   |carp1     | |      em0|      |
     |   |          | |         |      |
     +-+-+        +-+-+-+       |      |
       |          | sw  |       |Server|
     +-+-+        +-+-+-+       | fbsd |
     |   |          | |         |      |
 ----+fw2+----------+ +---------+      |
carp0|   |carp1              em1|      |
     |   |                      |      |
     +---+          DMZ         +------+
We all know the switch is the single point of failure.
Even worse, when it fails the carp0 pair starts flapping, disturbing
other firewall traffic.
So, how to resolve this?
Trunking would only be possible between 2 boxes, not 3.
Carp on top of trunk?
2 Carp pairs on the firewalls and 1 pair at the server?
If I get it right, the physical LAN should look like this:
     +---+                      +------+
     |   |        +-----+       |      |
 ----+fw1+--------+ sw1 +-------+      |
carp0|   +--+     +-+-+-+    em0|      |
     |   |  |       |           |      |
     +-+-+  |  +----+           |      |
       |    |  |                |Server|
     +-+-+  +--|------+         | fbsd |
     |   |     |      |         |      |
     |   +-----+  +-+-+-+       |      |
 ----+fw2+--------+ sw2 +-------+      |
carp0|   |        +-----+    em1|      |
     +---+                      +------+
Switches must have Spanning Tree support (RSTP), so I hope a pair of
Netgear GS108T can do this.
Any proposals highly appreciated,
Axel
---
[email protected] PGP-Key:29E99DD6 +49 151 2300 9283 computing @ chaos claudius
IMHO, the second scenario you drew solves the problem in a very elegant
way. Besides, STP- and RSTP-enabled switches have become less expensive
in recent years.
Best regards.
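As an added configuration example (not from Axel's post or the reply above), this is how the second layout can be wired up: on each OpenBSD 4.6 firewall carp1 rides on a failover trunk with one port to each switch, and the FreeBSD 8.0 server bundles em0 and em1 into a failover lagg. The firewall DMZ port names em1/em2, all addresses, the vhid and the password are assumed placeholders.

```conf
# --- OpenBSD 4.6 firewall (identical on fw1 and fw2 except advskew) ---
# Assumed: the two DMZ-side NICs are em1 (to sw1) and em2 (to sw2);
# addresses, vhid and password are placeholders.

# /etc/hostname.em1 and /etc/hostname.em2: physical ports, no address
up

# /etc/hostname.trunk0: failover trunk; em1 carries traffic, em2 takes
# over when em1 loses link (switch or cable failure)
trunkproto failover trunkport em1 trunkport em2
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp1: the DMZ CARP address sits on the trunk, so a
# single switch failure no longer takes carp1 down on this host
# (use advskew 0 on fw1 and e.g. advskew 100 on fw2)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev trunk0 pass CHANGEME advskew 0

# /etc/sysctl.conf: fail over all CARP interfaces on the host as a group,
# so carp0 follows carp1 instead of the pair splitting across firewalls
net.inet.carp.preempt=1

# --- FreeBSD 8.0 server: /etc/rc.conf ---
# em0 (to sw1) and em1 (to sw2) are the ports from the diagram; the
# address is a placeholder
ifconfig_em0="up"
ifconfig_em1="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport em0 laggport em1 192.0.2.10 netmask 255.255.255.0"
```

After a switch failure, `ifconfig trunk0` on the firewalls and `ifconfig lagg0` on the server show which port is currently active, which is the quickest way to confirm the failover actually happened.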