05-29-2003 06:18 PM - edited 03-02-2019 07:45 AM
The problem I got is I need to give my switches a lobotomy.
The redundant firewalls we use need to be connected by hubs. They cannot use switches because of the MAC tricks they do. The problem is for redundancy you need two for each firewall arm so you can quickly build up a mountain of small 5-port hubs that sit between the switches and the firewalls.
Ideally, I'd like to configure my switches in some way so that I could create a VLAN which had ports that acted like hub ports. In other words, flood every port in the VLAN no matter what the bridge MAC table says. The other VLANs need to act just like they do now.
So currently it looks like this
router-switch-hub-firewall-hub-switch
router-switch-hub-firewall-hub-switch
(cannot show links because the site doesn't like my ascii art)
There are crosslinks between the top and bottom switches and hubs.
I'd probably need to make a small cross-over cable on the switch from the switched VLAN to the hub VLAN, but that's ok. The idea is to replace the 4 hubs with some sort of strange VLAN.
Thanks!
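The "VLAN that floods every port" behaviour described above, as an added configuration example (not from this thread or from any poster): it assumes a Catalyst IOS image that supports disabling MAC learning per VLAN (a feature of some later 6500/4500 releases, not of every platform, so check the IOS documentation for your model), and the VLAN number and port names are placeholders.

```cisco
! Added example, not from the thread. Emulates a hub on one VLAN by
! turning off MAC address learning for it: with no entries learned,
! every unicast frame in that VLAN is flooded to all of its ports.
! Platform support and exact syntax are an assumption; verify against
! the IOS documentation for the switch in use.
vlan 100
 name FW-HUB-EMULATION
!
! Only the firewall-facing ports belong to the "hub" VLAN. Every other
! VLAN keeps normal learning, so the rest of the switch is unaffected.
! Keep this VLAN small: every host on it sees all of its traffic.
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 100
!
! Disable learning for VLAN 100 only. Destinations are never learned,
! so the switch floods unicast frames within VLAN 100 like a hub would.
no mac address-table learning vlan 100
!
! Check: learning should show as disabled for VLAN 100 and enabled
! for all other VLANs.
show mac address-table learning vlan 100
```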
05-29-2003 07:03 PM
This isn't possible on Cisco switches to my knowledge. I recently switched HA daemons on our BSD firewalls for precisely this reason -- using hubs to achieve firewall redundancy is, in my opinion, highly suboptimal.
05-29-2003 10:46 PM
If you have only two firewalls to worry about, then have you considered using a cross-over cable to connect the two firewall arms? For the firewall connections that need to be connected to the enterprise network, use a hub just like you mentioned in the scenario.
07-02-2003 09:36 AM
Bit late with a reply but I hope it helps.
I have seen problems with HA firewalls or, more accurately, clustered servers. This is where a number of servers appear to outside devices as 1 entity and do this by having a common IP address and MAC address. It is this that causes the problems with the switches.
Have a look at these documents on Stonesoft's site which cover IOS and CatOS switches.