a***n (posts: 262) | 1
I am always curious about how big service providers do this.
Take an example: I have two sites, running BGP with one service provider at each location. How do you implement the firewall failover at these two locations?
For Cisco ASA or FWSM, my understanding is that you have to run ASA/FWSM in transparent mode and put them in a failover pair, which means these two sites have to be in HSRP/VRRP for the pass-through VLANs.
Another mode I used in our campus is just stateless symmetric routing failover. Each ASA/FWSM is standalone except that they have the same firewall rules. No state information is exchanged and no HSRP/VRRP.
Could Juniper ScreenOS/SRX have a better approach?
I would like to have the dynamic routing flexibility with state information in sync, but do not want these two devices to use HSRP/VRRP.

z**r (posts: 17771) | 2
Don't quite understand your question. You want failover within the site or
you want failover across the sites?
BTW, you don't have to run the firewall in transparent mode, because BGP is TCP based; as long as the 2 BGP routers can reach each other via TCP, they are good to go.
[In reply to a***n's post 1 above]
m********d (posts: 188) | 3
Same question as before: are we talking about an SP network, or a corp IT network?
Firewall failover across two remote sites? Wouldn't the HA be less reliable than the firewall hardware itself?

a***n (posts: 262) | 4
Corp IT, but two sites some distance apart.
Yes, firewall failover across two remote sites.
[In reply to m********d's post 3 above]
a***n (posts: 262) | 5
Failover across the sites.
Yes, I am aware of that. It looks like Cisco people usually don't think the lack of dynamic routing support in ASA/FWSM context mode is a big issue :-)
[In reply to z**r's post 2 above]
m********d (posts: 188) | 6
Firewall failover across multiple sites: I can think of two problems.
1. Will the HA be less reliable than the hardware itself?
2. What do you do when firewall failover and routing don't cooperate?
As for how "innovative" the overall network design is, that is not the most important thing; if you like it, that's fine, heh.