From: Jose Luis Araujo
Date: Thu, 06 Jan 2005 22:16:42 +0000
Subject: Re: [LARTC] failover strategies - failing open vs. failing closed.
Message-Id: <41DDB8CA.2050000@mercs.homeip.net>
References: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu>
In-Reply-To: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu>
To: lartc@vger.kernel.org

Hi. Sorry for the delay. Hope you are still interested in the idea.

Kelly Jeglum wrote:

> I'd like to set up a box with 2 NICs as a firewall which will also rate
> limit outbound traffic. What happens when/if that box hangs or is
> rebooted?

If you are doing NAT or routing, then you need to use VRRPD with two machines.

> I'd like a solution that when there is a failure, traffic can still go
> through the box even though the firewall and rate limiting functions will no
> longer be in effect.

If on the other hand you want just the rate limiting, then you can try something. It has only one drawback: the switch that you use must support VLANs and STP.

The trick is this: you choose three ports and assign those to, say, VLAN 2, then choose another 3 ports and assign those to VLAN 3. Enable STP on both VLANs, increase the port cost on one port in each VLAN, and use a crossed cable to link them. Connect a port from each VLAN to the bridge/rate limiter. Connect the remaining port of each VLAN to your inner router and to your outer router.

Now, the idea is, the VLANs divide the switch virtually; traffic from VLAN 2 won't go to VLAN 3 unless they are physically connected. They behave like two switches (which will also work, provided that the switches permit VTP).

When everything is working properly, the switch will see two links from VLAN 2 to VLAN 3 and will disable the one with the higher cost (the crossed cable), so all your traffic will flow through the bridge. If the bridge stops, hangs or is disconnected, the switch will only see one link (the crossed cable) and will enable it, bypassing the bridge.

I have this setup in operation now, and it works great. For those wondering, it is using a Cisco 2900XL and the fallback time is from 30 to 50 seconds.

Hope it helps

José Araújo
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
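The switch side of the setup described in the message above, written out as an added example; it is constructed for this page and is not configuration from the original post. It assumes a Catalyst 2900XL with six FastEthernet ports assigned as in the comment block (the port numbers, VLAN names and the cost value 100 are all assumptions), and it uses the `vlan database`, `switchport access vlan` and `spanning-tree cost` syntax of 2900XL-era IOS, which should be checked against the switch's own `?` help before use.

```cisco
! Constructed example: VLAN 2 is the outer half of the switch, VLAN 3 the inner half.
! Assumed port assignment:
!   Fa0/1  outer router                 (VLAN 2)
!   Fa0/2  bridge/rate limiter, NIC 1   (VLAN 2)
!   Fa0/3  crossover, raised cost       (VLAN 2)   <-- crossed cable -->  Fa0/6
!   Fa0/4  inner router                 (VLAN 3)
!   Fa0/5  bridge/rate limiter, NIC 2   (VLAN 3)
!   Fa0/6  crossover, raised cost       (VLAN 3)
vlan database
 vlan 2 name outer-half
 vlan 3 name inner-half
 exit
!
! Per-VLAN STP is on by default on the 2900XL; stated explicitly here.
spanning-tree vlan 2
spanning-tree vlan 3
!
interface FastEthernet0/1
 switchport access vlan 2
!
interface FastEthernet0/2
 switchport access vlan 2
!
! The path through the bridge costs two 100 Mb/s hops (19 + 19 = 38 with
! default 802.1D costs). A cost of 100 on the crossover port makes it the
! more expensive of the two VLAN 2 <-> VLAN 3 links, so STP blocks it
! while the bridge path is up and unblocks it when the bridge disappears.
interface FastEthernet0/3
 switchport access vlan 2
 spanning-tree cost 100
!
interface FastEthernet0/4
 switchport access vlan 3
!
interface FastEthernet0/5
 switchport access vlan 3
!
interface FastEthernet0/6
 switchport access vlan 3
 spanning-tree cost 100
```

Two checks worth doing once this is in place. First, with the bridge up, `show spanning-tree` on the switch should list exactly one of Fa0/3 or Fa0/6 as blocking; if neither is blocked, the Linux bridge is not passing the switch's BPDUs through (a Linux bridge with its own STP disabled forwards them, which is what this design relies on), and the crossover will form a loop instead of a standby path. Second, the 30 to 50 second fallback the author reports is what the default 802.1D timers predict for this failure mode: the blocked crossover port has to age out the BPDUs it was hearing through the bridge (max age, 20 s) and then pass through listening and learning (forward delay, 15 s each) before it forwards, so the outage is not a fault in the setup but the cost of letting STP do the detection. The design is deliberately fail-open, as the question asked for: while the crossover is forwarding, nothing on the bridge (rate limiting or any filtering) applies, which is why the author points NAT and firewall cases at VRRPD instead.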