[FW1] FW-1 Load Balancing and Redundancy Solution.... (Interesting)
Dear Mailing List Guys,
Quite an interesting one here. Not sure if I can explain it well enough here
to do justice to the problem. It's all about routing and ProxyArp at the end
of the day.
I have come across a product which offers load balancing across multiple
servers. The product in question is the HyperFlow2 Switch from HolonTech.
See (http://www.holontech.com/products/whitepapers/hardware_clusters.html)
for more information. This product, in addition to many other clever
features, offers `Router Fault Tolerance` through its use of router pools.
(See P.15 of the PDF, or look at the HTML link above). These boxes will
monitor the IRDP (Router Discovery) multicast broadcasts made by the routers
to ensure that the router is alive, and fail over to an alternative router
(by rewriting MAC addresses) if necessary. (This is all really quite cool,
and involves a lot of Y shaped network cables).
Time for some ASCII artwork..........
A) Recommended solution
                 Internet
              /             \
      Backup /               \8Meg
___________ /                _\__________
| Router A |-----------------| Router B |
|__________|                 |__________|
       |\_____________          ____/|   <-- Y Shaped Ethernet Cables attach Firewall A and B to both Hyperflows
_______|__/__                 _\_____|____
| Hyperflow-A |---------------| Hyperflow-B |
|___________|                 |___________|
       | \____________         ____/ |   <-- Y Shaped Ethernet Cables attach both Hyperflows to Both Servers
_______|__/__                 _\_____|____
| Server-A |---------------| Server-B |
|___________|                 |___________|
B) What I want to do!
                 Internet
              /             \
      Backup /               \8Meg
___________ /                _\__________
| Router A |-----------------| Router B |
|__________|                 |__________|
       |                             |
_______|____                  _______|____
| Firewall-A |                | Firewall-B |
|___________|                 |___________|
       |\_____________          ____/|   <-- Y Shaped Ethernet Cables attach Firewall A and B to both Hyperflows
_______|__/__                 _\_____|____
| Hyperflow-A |---------------| Hyperflow-B |
|___________|                 |___________|
       | \____________         ____/ |   <-- Y Shaped Ethernet Cables attach both Hyperflows to Both Servers
_______|__/__                 _\_____|____
| Server-A |---------------| Server-B |
|___________|                 |___________|
So, my questions are as follows.
A) Will firewall-1 allow multicast traffic to pass, so that IRDP will work?
(Presumably Yes)
B) IRDP presumably advertises IP address rather than MAC. If this is the
case, then we'll need to publish RouterB as FW-B's internal MAC for the
Hyperflow to see it. However, we're now in a situation where the IP address
of the router will be on the same subnet as the Servers/Hyperflows, but the
router must route this subnet via FWs in order to talk to the Servers. To
solve this, we must(?) publish MAC addresses for the servers on the internet
facing interface of the FWs. Can firewall-1 deal with this situation?
C) Anyone got any better ideas?
Cheers.
James Conner
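
Added example, not part of the original post and not HolonTech's implementation: a parser for RFC 1256 (IRDP) router advertisements with a lifetime-based liveness table, showing that an advertisement carries only router IP addresses and preference levels, no MAC, which is the premise of question B. The names `RouterPool` and `build_advert`, the fail-over policy (highest preference among unexpired routers) and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
import socket
import struct

def inet_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 over a valid ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_router_advert(icmp):
    """Parse an ICMP type 9 message into (lifetime_s, [(router_ip, preference)])."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _ck, count, words, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if (typ, code) != (9, 0) or inet_checksum(icmp) != 0:
        raise ValueError("not a valid router advertisement")
    if words < 2 or len(icmp) < 8 + count * words * 4:
        raise ValueError("malformed address list")
    routers = []
    for i in range(count):
        off = 8 + i * words * 4          # each entry is `words` 32-bit words
        addr, pref = struct.unpack("!4si", icmp[off:off + 8])
        routers.append((socket.inet_ntoa(addr), pref))
    return lifetime, routers

class RouterPool:
    """Hypothetical liveness table: a router is alive until its lifetime lapses."""
    def __init__(self):
        self.routers = {}                # IP -> (expiry time, preference)

    def observe(self, icmp, now):
        lifetime, routers = parse_router_advert(icmp)
        for ip, pref in routers:
            self.routers[ip] = (now + lifetime, pref)

    def active(self, now):
        live = {ip: p for ip, (exp, p) in self.routers.items() if exp > now}
        return max(live, key=live.get, default=None)

def build_advert(lifetime, routers):
    """Build a constructed sample advertisement (stands in for captured traffic)."""
    body = b"".join(socket.inet_aton(ip) + struct.pack("!i", p) for ip, p in routers)
    hdr = struct.pack("!BBHBBH", 9, 0, 0, len(routers), 2, lifetime)
    ck = inet_checksum(hdr + body)
    return hdr[:2] + struct.pack("!H", ck) + hdr[4:] + body
```

The monitor learns liveness only from advertisements it can actually see, so in layout B the firewalls would have to pass or relay them for this kind of tracking to work.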