Re: [fw-wiz] Concentrator inside of paired failover firewalls.

From: Carson Gaspar <carson@xxxxxxxxxx>
Date: Sun, 17 Sep 2006 16:35:56 -0700

--On Friday, September 15, 2006 9:02 AM -0600 Aaron Smith <smitha@xxxxxxxx>
wrote:

On Thu, 2006-09-14 at 14:55 -0400, Carson Gaspar wrote:

--On Wednesday, September 13, 2006 2:26 PM -0600 Aaron Smith
<smitha@xxxxxxxx> wrote:

Using a crossover cable is not a good idea.

http://marc.theaimsgroup.com/?l=firewall-wizards&m=110633896023171&w=2

Which is exactly the same as a switch failure, and if you can't handle
that, then your product/design is crap.

Unless you are intelligent and home the firewalls to different switches
(as we have done). If both switches fail then you have bigger problems
than firewall failover.

This is FUD.

How, exactly?

There are _zero_ reliable commercial HA solutions that will go insane if
you use a cross-over cable and they both loose link at the same time. If
you use 2 switches, and the trunk between them fails, both devices think
they are "up" (yes, you can use multiple trunks, but you can use multiple
x-overs as well - keep it apples to apples). If you use a cross-over cable,
and it fails, both devices think they are "down". Any decent HA system can
handle both failure modes. If an HA system _can't_ handle both failure
modes, it's crap and you shouldn't buy it.

--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Follow-Ups:
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Aaron Smith

References:
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Aaron Smith
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Carson Gaspar
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Aaron Smith

Prev by Date: Re: [fw-wiz] Terminating Secureclient on a private address range
Next by Date: [fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
Previous by thread: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
Next by thread: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
Index(es):
- Date
- Thread

Relevant Pages

Re: handling hsrp connections from isp
... connections, that is definitely a single point of failure. ... pair of switches, which then go to the firewalls, which then go back ... I've got two connections to the same ISP (connected to two of their ...
(comp.dcom.sys.cisco)
Re: Best HA switch setup?
... Approximate time to repair when a failure happens; ... This may require you to tweak protocol parameters ... Switches with multiple CPU ... Is it hot standby or warm standby? ...
(comp.dcom.lans.ethernet)
Re: OK to Hot-Swap Monitor Cable?
... >>> Please answer my question abouts mechanical KVM switches and the complete ... > our first practical failure rather than a theoretically possible one. ... Do you install memory without following grounding directions, ...
(comp.sys.mac.system)
Re: Do X10 modules degrade over time?
... The wipers on the early thumbwheel switches often had to be ... And I recall one module with an unidentified failure. ... half of them the early BSR module wipers. ... I don't recall any real X10 wall switch ...
(comp.home.automation)
Re: Network Failure - No Idea How to Troubleshoot
... Everything fine for 25 days, then bang, network ... > failure again yesterday. ... > switches are unmanaged makes it difficult to troubleshoot. ... One reset in 25 days isn't that horrible, ...
(comp.dcom.lans.ethernet)