Subject: RE: [FW1] Fail over on two Cisco 2948GL3 switches
Makes sense to me. HSRP, however, is tunable to the millisecond if desired, such that you can fail over within 1-2 sec reliably. Default HSRP failover is 10 seconds (after missing 3 hellos at 3 second intervals).

Good luck!

Dan Hitchcock CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)
The work/life solution for corporate thought leaders

-----Original Message-----
From: Goodwin, Russell [mailto:[email protected]]
Sent: Thursday, November 09, 2000 7:43 AM
To: 'Kim Lohse'; [email protected]
Cc: Michael Jorgensen
Subject: RE: [FW1] Fail over on two Cisco 2948GL3 switches

OK,

First, I would not have the external and internal VLANs on the same switch. If someone can get into your switch they can get past the firewall.

As for the problem, here goes. I presume that the 2 switches are connected via an ISL trunk (or similar); this enables them to share spanning tree info. If you want the switch ports to fail over you will need spanning tree; doing any redundant connections without it is dangerous (Layer 2 loops etc). I suppose for true HA the internal routers are running HSRP.

The problem you have is that if a firewall fails but does not lose its network connectivity to the switch then the spanning tree will not fail over (even if Stonebeat does). I think that if you have a cable from each switch to each firewall then it will work, but you will need to have HA Ethernet. This can be done on the Compaq for sure with the NC3122 cards; you can cluster 2 ports into a virtual port with a single MAC/IP.

I hope this all makes sense, but we can analyse what will happen in different scenarios.

1) Server (FW no. 1) dies completely. Stonebeat will fail the cluster to the other FW (no. 2). This will happen on the same switch.

2) Switch no. 1 dies completely. The internal router using HSRP to monitor the interface sees the port lose connectivity and switches routers. The traffic then passes over the other router & switch, which, STP having seen the other switch fail, will open the ports to the firewalls. The traffic will pass to the same firewall.

3) Cable to FW no. 1 fails. Spanning tree will see the link fail and will bring up the port to the same firewall on the other switch; traffic will pass across the trunk to the same FW via the other cable.

I hope this makes sense (and is correct). I haven't done exactly what you need here but I have done similar with a couple of Cisco 7200s with NAT. One thing I found though is with all this HA they still had one internet connection??? Probably the most unreliable part of the whole setup!??!

The problem I have here is that I am not familiar with the Stonebeat clustering technology. I think it uses a virtual MAC address but I am not 100%.

Fail over times (from memory) are approx.:
1-2 secs for a failed port to fail over in the server.
20 secs for spanning tree (this can be tuned I think).
30 secs for HSRP on the routers.
Never used Stonebeat so don't know.

Anyway, hope this helps, let me know if you need more.

Russell Goodwin

-----Original Message-----
From: Kim Lohse [mailto:[email protected]]
Sent: 09 November 2000 13:37
To: [email protected]
Cc: Michael Jorgensen
Subject: [FW1] Fail over on two Cisco 2948GL3 switches

Hey all

Maybe this is more of a Cisco problem, but just in case. I was wondering if any of you guys have had the same problem and know of a solution.

We have two FW-1 4.1 SP2 on two NT4 SP6a servers with a StoneBeat303 HA fail over. The internal NICs are connected directly to the same VLAN on two Cisco 2948GL3 switches, one firewall on each, and from the VLAN we route traffic to and from our internal net on another VLAN on the same switches. The same goes for the external FW NICs. They're connected to their own VLAN to which our two Internet routers are also connected. As you can see we're trying to avoid any SPF.

Unfortunately the fail over doesn't work. The switch is made, but the traffic keeps trying to go through the primary switch instead of the secondary. We reduced keep alive and TTL to next to nothing on the VLANs and we've disabled spanning tree also. Strangely enough the fail over sometimes works from the secondary to the primary firewall, but not every time.

Is this something any of you are familiar with? I'm pretty sure it's a Cisco problem, but any input will be appreciated.

Sincerely
--------------------------------------------
Kim S. Lohse, CCSA
Security & System Administrator
--------------------------------------------

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
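The HSRP timer tuning Dan mentions and the interface tracking that Russell's scenario 2 relies on, written out in Cisco IOS syntax as an added example (this is not configuration posted by anyone in the thread). Two internal routers share a virtual gateway address on the internal VLAN; each one tracks its link towards the firewall VLAN so that the active router gives up the virtual address when that port drops. Interface names, addresses, the group number, the authentication string and the timer values are assumptions chosen for illustration.

```cisco
! Router A (preferred active) -- illustrative example, not from the thread
! Fa0/0 faces the internal VLAN, Fa0/1 faces the firewall VLAN on switch 1
interface FastEthernet0/1
 description Link to firewall VLAN (switch 1)
 ip address 10.2.0.2 255.255.255.0
!
interface FastEthernet0/0
 description Internal VLAN, HSRP group 1
 ip address 10.1.0.2 255.255.255.0
 standby 1 ip 10.1.0.1
 standby 1 priority 110
 standby 1 preempt
 ! hello 200 ms, hold 750 ms: a dead active router is detected in under a second
 ! instead of the 3 s / 10 s defaults (hold time must exceed the hello time)
 standby 1 timers msec 200 msec 750
 ! drop priority by 20 when the firewall-side link goes down: 110 - 20 = 90,
 ! which is below router B's 100, so B preempts and takes 10.1.0.1
 standby 1 track FastEthernet0/1 20
 standby 1 authentication fw1grp
!
! Router B (standby) -- same group, same timers, default priority 100
interface FastEthernet0/1
 description Link to firewall VLAN (switch 2)
 ip address 10.2.0.3 255.255.255.0
!
interface FastEthernet0/0
 description Internal VLAN, HSRP group 1
 ip address 10.1.0.3 255.255.255.0
 standby 1 ip 10.1.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers msec 200 msec 750
 standby 1 track FastEthernet0/1 20
 standby 1 authentication fw1grp
```

Check the result on each box with `show standby brief`; the active router should show the tracked interface and the standby router should list the active one's address. Three caveats worth knowing before copying this. The tracking decrement only helps if it pushes the active router's priority below the standby's and the standby has `preempt` set, otherwise the active router keeps the virtual address with a dead uplink. Sub-second HSRP timers are faster than spanning tree: with the default forward delay a switch port spends about 30 seconds in listening and learning, so a router whose port is going through STP convergence can preempt before its port forwards; put the router-facing switch ports in portfast or use a preempt delay where the IOS release supports it. Finally, `standby authentication` is a cleartext string carried in every hello (the default is `cisco`), so it does not stop a host on the same VLAN from sending a priority-255 hello and taking over the virtual address; that is one more reason to keep untrusted segments off the switch carrying the gateway VLAN, in line with Russell's first remark.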