Re: [LARTC] failover strategies - failing open vs. failing closed.

From: Yaman Saqqa <abulyomon@gmail.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] failover strategies - failing open vs. failing closed.
Date: Mon, 10 Jan 2005 17:49:21 +0000	[thread overview]
Message-ID: <33bf452f05011009493fe96ec0@mail.gmail.com> (raw)
In-Reply-To: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu>

OK ... what about syncing connection tracking state tables between the
two routers/fw's, is the ct_sync code from netfilter stable .. has any
one used it on a production environment .. the netfilter-failover
mailing list is pretty dead !

On Thu, 06 Jan 2005 22:16:42 +0000, Jose Luis Araujo
<jlaraujo@mercs.homeip.net> wrote:
> Hi.
> 
> Sorry for the delay. Hope you are still interested in the idea.
> 
> Kelly Jeglum wrote:
> 
> >I'd like to setup a box with 2 NICs as a firewall which will also rate
> >limits outbound traffic.  What happens when/if that box hangs or is
> >rebooted?
> >
> >
> If you are doing NAT or routing, the you need to use VRRPD with two
> machines.
> 
> >I'd like a solution that when there is a failure, traffic can still go
> >through the box even though the firewall and rate limiting functions will no
> >longer be in effect.
> >
> >
> If on the other hand you want just the rate limiting, then you can try
> something. It only has a drawback, the switch that you will use must
> have Vlan and STP.
> 
> The trick is this, you choose three ports, and assign those to, say vlan
> 2, then choose another 3 ports and assign those to vlan 3.
> 
> Enable STP on both Vlan's, increase the portcost on one port on each
> Vlan, and use a crossed cable to link them.
> Connect a port from each Vlan to the bridge/rate limiter.
> Connect the remaining port to your inner router, and to your outer router.
> 
> Now, the idea is, the Vlan will divide the switch virtually, traffic
> from vlan 2 won't go to vlan 3, only if they are physically connected,
> they behave like two switches (witch will also work, provided that the
> switches permit VTP). When everything is working properly, the switch
> will see two links from vlan 2 to vlan 3 and will disable the one with
> the higher cost (the cross cable), then all your traffic will flow
> thought the bridge.
> If the bridge stops,hangs is disconnected, the switch will only see one
> link (the cross cable) and will enable it, bypassing the bridge.
> 
> I have this setup in operation now, and it works great.
> 
> For those wondering, it is using a cisco 2900XL and the fallback time is
> from 30 to 50 seconds.
> 
> Hope it helps
> 
> José Araújo
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 

-- 
abulyomon

www.KiLLTHeUPLiNK.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/