[fw-wiz] Concentrator inside of paired failover firewalls.
smitha at byui.edu
Thu Sep 21 13:44:21 EDT 2006
On Sun, 2006-09-17 at 16:35 -0700, Carson Gaspar wrote:

> There are _zero_ reliable commercial HA solutions that will go insane if
> you use a cross-over cable and they both lose link at the same time.

So, PIX is not a reliable commercial solution then. OK.

> you use 2 switches, and the trunk between them fails, both devices think
> they are "up" (yes, you can use multiple trunks, but you can use multiple
> x-overs as well - keep it apples to apples). If you use a cross-over cable,
> and it fails, both devices think they are "down". Any decent HA system can
> handle both failure modes.

Then PIX is also not a decent HA system. Great.

> If an HA system _can't_ handle both failure
> modes, it's crap and you shouldn't buy it.

PIX (using IP failover) is crap. I get it now.

As a final note, using a crossover cable with a PIX is very stupid. If
you keep the pair in the same room then use the failover cable.
IP-based failover is useful if the PIX pair is geographically separated,
in which case they'd most likely be homed to different switches. Which
was my initial point.