
Re: [FW-1] Multiple internal interfaces


  • To: [email protected]
  • Subject: Re: [FW-1] Multiple internal interfaces
  • From: Kevin Martin <[email protected]>
  • Date: Thu, 7 Mar 2002 07:39:06 -0600
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcHF02NaiSs4HBB1QUitjpVqAwh3/gACQ8Dg
  • Thread-topic: Re: [FW-1] Multiple internal interfaces

Lars,

 You are correct, it does indeed (typically) work.  However, it can be
difficult to debug problems if you forget that traffic for a connection
is using multiple interfaces.  You sit and wonder why you never see any
replies to a connection until you slap your forehead and snoop the other
interface.  It can also be interesting with your switching
infrastructure to have traffic flowing in and out of multiple interfaces
to the same machine (maintaining different MAC addresses on the
different interfaces is critical in this case).  Also, in your case the
2 interfaces were on completely different address spaces if I'm not
mistaken (being different ISPs and all unless the customer owned its
own space and was just moving it over).  Anyway, as you said, it can and
is done, there are just some extra challenges involved.

Regards,

Kevin Martin            [email protected]
230 S. LaSalle, Ste. 688
Chicago, IL  60604



-----Original Message-----
From: Lars Troen [mailto:[email protected]]
Sent: Thursday, March 07, 2002 6:04 AM
To: [email protected]
Subject: Re: [FW-1] Multiple internal interfaces


> From: Reed Mohn, Anders

<snip>

Why not? I once had such a setup on a Nokia box, as a customer changed
ISP and we had both lines connected (one at the v35 interface and one at
an ethernet interface) for a limited period to make the rollover go
smoothly. The anti spoofing config during that period of time might not
have been the best (don't remember), but at least the routing worked well
avoiding unneeded downtime.

We could access services on both new and old addresses and as the
request packets came from the two different interfaces the packets were
leaving the firewall in the def gw direction (the new and
faster line).

After a few days nearly all requests were coming through the new line
and we disconnected the old one.

Lars

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.