From: Jose Luis Araujo <jlaraujo@mercs.homeip.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] failover strategies - failing open vs. failing closed.
Date: Thu, 06 Jan 2005 22:16:42 +0000 [thread overview]
Message-ID: <41DDB8CA.2050000@mercs.homeip.net> (raw)
In-Reply-To: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu>
Hi.
Sorry for the delay. Hope you are still interested in the idea.
Kelly Jeglum wrote:
>I'd like to setup a box with 2 NICs as a firewall which will also rate
>limits outbound traffic. What happens when/if that box hangs or is
>rebooted?
>
If you are doing NAT or routing, then you need to use VRRPD with two
machines.
>I'd like a solution that when there is a failure, traffic can still go
>through the box even though the firewall and rate limiting functions will no
>longer be in effect.
>
If on the other hand you want just the rate limiting, then you can try
something. It has only one drawback: the switch you use must
support VLANs and STP.
The trick is this: you choose three ports and assign them to, say, VLAN
2, then choose another three ports and assign them to VLAN 3.
Enable STP on both VLANs, increase the port cost on one port in each
VLAN, and use a crossover cable to link those two ports.
Connect one port from each VLAN to the bridge/rate limiter.
Connect the remaining port of each VLAN to your inner router and to your outer router.
Now, the idea is this: the VLANs divide the switch virtually, so traffic
from VLAN 2 won't reach VLAN 3 unless they are physically connected;
they behave like two switches (which will also work, provided that the
switches support VTP). When everything is working properly, the switch
will see two links from VLAN 2 to VLAN 3 and will disable the one with
the higher cost (the crossover cable), so all your traffic will flow
through the bridge.
If the bridge stops, hangs or is disconnected, the switch will only see one
link (the crossover cable) and will enable it, bypassing the bridge.
I have this setup in operation now, and it works great.
For those wondering, it is using a Cisco 2900XL and the fallback time is
from 30 to 50 seconds.
Hope it helps
José Araújo
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
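The VLAN/STP bypass described in the reply above, as an added model (not code from the poster or from the LARTC project): it picks the forwarding link the way per-VLAN STP would, shows that the bridge fails open, and shows why the crossover port cost must be raised above the bridge path, since with the costs the wrong way round the rate limiter is bypassed even while it is healthy. The path costs and the 802.1D default timers are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Link:
    """One physical path between VLAN 2 and VLAN 3 on the switch."""
    name: str
    cost: int               # STP path cost configured on the port
    up: bool = True         # False once the device on this path hangs or is unplugged
    rate_limited: bool = False  # True only for the path through the Linux bridge

def select_forwarding(links: List[Link]) -> Optional[Link]:
    """Simplified per-VLAN STP: keep exactly one loop-free path, the cheapest link that is up.
    Ties are broken by name, standing in for the bridge/port ID tie-break."""
    candidates = [l for l in links if l.up]
    if not candidates:
        return None
    return min(candidates, key=lambda l: (l.cost, l.name))

def path_state(bridge_cost: int, crossover_cost: int, bridge_up: bool = True) -> dict:
    """Report which path carries traffic and whether the rate limiter is in effect."""
    links = [
        Link("bridge", bridge_cost, up=bridge_up, rate_limited=True),
        Link("crossover", crossover_cost),  # constructed: the high-cost fallback cable
    ]
    active = select_forwarding(links)
    return {
        "traffic_flows": active is not None,
        "via": active.name if active else None,
        "rate_limited": bool(active and active.rate_limited),
    }

def misconfigured(bridge_cost: int, crossover_cost: int) -> bool:
    """Defender's check: with the bridge healthy, is traffic already bypassing it?"""
    return path_state(bridge_cost, crossover_cost)["via"] != "bridge"

def stp_failover_seconds(max_age: int = 20, forward_delay: int = 15) -> tuple:
    """802.1D defaults (assumed): a port that sees link loss directly needs only
    listening + learning; one that must wait for BPDUs to age out adds max_age.
    Returns (best case, worst case), which brackets the 30 to 50 s reported above."""
    return (2 * forward_delay, max_age + 2 * forward_delay)

if __name__ == "__main__":
    print(path_state(10, 100))                    # bridge carries traffic, rate limited
    print(path_state(10, 100, bridge_up=False))   # fails open via the crossover cable
    print(misconfigured(100, 10))                 # costs reversed: limiter silently bypassed
    print(stp_failover_seconds())                 # (30, 50)
```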