Hijexx wrote: ] Trying to figure out something in a redundant firewall design. ] Two legged firewall design, two of everything. So two ] switches on the internal side of the cluster, two switches on ] the external side as well. Firewalls are running ] active/active. Internal switches are trunked together. ] External switches are trunked together. From top to bottom we ] have: ] ] ExSwitchA ExSwitchB ] ] FirewallA FirewallB ] ] InSwitchA InSwitchB ] ] Question is this: How can you cross connect, for example, the ] external switches so that ExSwitchA touches both FWA & B, and ] ExSwitchB touches both firewalls as well? Reason being if ] ExSwitchA fails, you still want B to throw packets at both ] firewalls. ] ] I'm cooking up a few things in my mind but it gets ugly at ] layer 3. Assume that the firewalls cannot aggregate their ] links. Assume the clustering solution is a multicast software ] load balance solution. Assume OSPF is available. ] ] I'm willing to live with "lose a switch, lose a firewall" and ] just have the firewall be fat enough to cope with the ] bandwidth but as an exercise I'm just trying to think about ] how to handle this. I would get away from active-active in this situation. As Tom points out, unless each FW is sized to handle full load, then you don't really have HA. You could argue that you're trying to save $$ by using active-active, but I think you overspend on trying to concoct a really complex topology to get this to work. Essentially whatever you might be saving by buying 2 bigger FWs gets eaten up in other hardware and administrative time. If you went active-passive, then you can align the switches and FWs up to only go live when there's a failure in the other chain. This is simple to do and trivial administratively. RE: Help, I'm Stuck On Stupid |