
RE: [FW1] Fail over on two Cisco 2948GL3 switches



Makes sense to me.  HSRP, however, is tunable to the millisecond if desired,
such that you can fail over within 1-2 sec reliably.  Default HSRP failover
is 10 seconds (after missing 3 hellos at 3-second intervals).

Good luck!

Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)
The work/life solution for corporate thought leaders
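As an added illustration of the timer tuning Dan refers to (not from his message and not a configuration from the thread), here is an HSRP group on the internal VLAN of two IOS routers, first with the default 3 s hello / 10 s hold that gives the roughly 10-second failover, then with millisecond timers; the interface names, VLAN numbers and addresses are assumed placeholders.

```cisco
! Router A (preferred active). Router B is identical except for its own
! interface address and "standby 1 priority 100" with no track line.
! VLAN 10 = internal VLAN shared with the firewalls, VLAN 20 = uplink
! to the switch pair; both are assumed for this example.

! --- Default timers (what the 10 s figure comes from) ---
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 1 ip 10.10.0.1
 standby 1 timers 3 10          ! hello 3 s, holdtime 10 s (IOS default)
 standby 1 priority 110
 standby 1 preempt
! Router B only declares A dead after the 10 s holdtime expires,
! so the shared address 10.10.0.1 is unreachable for about that long.

! --- Tuned timers (sub-second detection) ---
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 1 ip 10.10.0.1
 standby 1 timers msec 200 msec 750   ! hello 200 ms, holdtime 750 ms
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority by 20 if the uplink toward the switches goes down, so
 ! B (priority 100) takes over even though A itself is still up.
 standby 1 track Vlan20 20
! Holdtime must exceed hello (about 3x is the usual rule) and the values
! must match on both routers, or the group flaps between them.
! Failover is now bounded by the 750 ms holdtime plus preempt, i.e. the
! 1-2 s Dan mentions, provided the switch path between the two routers
! is not itself blocked for 20-30 s while spanning tree reconverges:
! HSRP timers shorter than STP convergence will otherwise cause both
! routers to go active during that window.
```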


-----Original Message-----
From: Goodwin, Russell [mailto:[email protected]]
Sent: Thursday, November 09, 2000 7:43 AM
To: 'Kim Lohse'; [email protected]
Cc: Michael Jorgensen
Subject: RE: [FW1] Fail over on two Cisco 2948GL3 switches



OK,

First, I would not have the external and internal VLANs on the same switch.
If someone can get into your switch they can get past the firewall.
As for the problem, here goes.
I presume that the 2 switches are connected via an ISL trunk (or similar).
This enables them to share spanning tree info. If you want the switch ports
to fail over you will need spanning tree; doing any redundant connections
without it is dangerous (Layer 2 loops etc). I suppose for true HA the
internal routers are running HSRP.
The problem you have is that if a firewall fails but does not lose its
network connectivity to the switch then the spanning tree will not fail over
(even if Stonebeat does). I think that if you have a cable from each switch
to each firewall then it will work, but you will need to have HA Ethernet.
This can be done on the Compaq for sure with the NC3122 cards; you can
cluster 2 ports into a virtual port with a single MAC/IP.
I hope this all makes sense, but we can analyse what will happen in
different scenarios.

1) Server (FW no.1) dies completely.
   Stonebeat will fail the cluster to the other FW (no.2). This will
   happen on the same switch.

2) Switch no.1 dies completely.
   The internal router using HSRP to monitor the interface sees the
   port lose connectivity and switches routers. The traffic then passes over
   the other router & switch which, STP having seen the other switch fail, will
   open the ports to the firewalls. The traffic will pass to the same
   firewall.

3) Cable to FW no.1 fails.
   Spanning tree will see the link fail and will bring up the port to
   the same firewall on the other switch; traffic will pass across the trunk to
   the same FW via the other cable.

I hope this makes sense (and is correct). I haven't done exactly what you
need here but I have done similar with a couple of Cisco 7200s with NAT. One
thing I found though is with all this HA they still had one internet
connection??? Probably the most unreliable part of the whole setup!??! The
problem I have here is that I am not familiar with the Stonebeat clustering
technology; I think it uses a virtual MAC address but I am not 100%.
Fail over times (from memory) are approx.:
1-2 secs for a failed port to fail over in the server.
20 secs for spanning tree (this can be tuned I think).
30 secs for HSRP on the routers.
Never used Stonebeat so don't know.

Anyway, hope this helps, let me know if you need more.

Russell Goodwin


-----Original Message-----
From: Kim Lohse [mailto:[email protected]]
Sent: 09 November 2000 13:37
To: [email protected]
Cc: Michael Jorgensen
Subject: [FW1] Fail over on two Cisco 2948GL3 switches



Hey all

Maybe this is more of a Cisco problem, but just in case. I was wondering if
any of you guys have had the same problem and know of a solution.

We have two FW-1-4.1-sp2 on two NT4-sp6a servers with a StoneBeat303 HA fail
over. The internal NICs are connected directly to the same vlan on two Cisco
2948GL3 switches, one firewall on each, and from the vlan we route traffic
to and from our internal net on another vlan on the same switches. The same
goes for the external FW-NICs. They're connected to their own vlan to which
our two Internet routers are also connected. As you can see we're trying to
avoid any SPF.

Unfortunately the fail over doesn't work. The switch is made, but the
traffic keeps trying to go through the primary switch instead of the
secondary.

We reduced keep alive and TTL to next to nothing on the vlans and we've
disabled spanning tree also.

Strangely enough the fail over sometimes works from the secondary to the
primary firewall, but not every time.

Is this something any of you are familiar with? I'm pretty sure it's a
Cisco problem, but any input will be appreciated.

Sincerely

--------------------------------------------
Kim S. Lohse, CCSA
Security & System Administrator
--------------------------------------------


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================