Re: HA: pair of firewalls, 2 switches and 1 server

From: Reyk Floeter
Date: Thursday, May 20, 2010 - 1:07 pm

On Thu, May 20, 2010 at 07:02:23PM +0200, Axel Rau wrote:

yes, i did this many times using trunk in failover mode.  this is
actually the main reason why i implemented failover mode: for l2
redundancy.  i even normally use it in combination with VLANs.

to explain it using your artwork:

      +---+                      +------+
      |   |        +-----+       |      |
  ----+fw1+--------+ sw1 +-------+      |
 carp0|   +--+     +-+-+-+    em0|      |
      |   |  |       |           |      |
      +-+-+  |  +----+           |      |
        |    |  |                |Server|
      +-+-+  +--|------+         | fbsd |
      |   |     |      |         |      |
      |   +-----+  +-+-+-+       |      |
  ----+fw2+--------+ sw2 +-------+      |
 carp0|   |        +-----+    em1|      |
      +---+                      +------+

let's assume that fw1 and fw2 are connected with em1 and em2, em1 is
connected to sw1 and em2 is connected to sw2 on each fw.  fbsd server
sits in vlan2, the uplink is in vlan1 connected to the same switches
(you might also have other physical switches for the uplink, which is
also fairly common, which would just require to move vlan1 to another
trunk or physical iface).

the switches don't need any special configuration, no trunks on the
switch and no stacking or similar.  they just need to be in the same
VLANs, so a simple interlink between them is all you need.  failover
mode means that the trunk only uses one active link at a time (the
first trunkport you add and so on) as long as the link is up.  this
works nicely with any kind of switches, is safe to use and doesn't
cause any loops, address conflicts etc.  i use procurve switches
(now: hp networking e-series), but there is no need for distributed
trunking or tricks like this with failover mode.

fw1# ifconfig em0 up
fw1# ifconfig em1 up
fw1# ifconfig trunk0 trunkport em0 trunkport em1 trunkproto failover up
fw1# ifconfig vlan1 vlandev trunk0 descr UPLINK 10.1.1.2/24
fw1# ifconfig vlan2 vlandev trunk0 descr SERVERLAN 10.1.2.2/24
fw1# ifconfig carp1 vhid 1 carpdev vlan1 10.1.1.1/24
fw1# ifconfig carp2 vhid 2 carpdev vlan2 10.1.2.1/24

fw2# ifconfig em0 up
fw2# ifconfig em1 up
fw2# ifconfig trunk0 trunkport em0 trunkport em1 trunkproto failover up
fw2# ifconfig vlan1 vlandev trunk0 descr UPLINK 10.1.1.3/24
fw2# ifconfig vlan2 vlandev trunk0 descr SERVERLAN 10.1.2.3/24
fw2# ifconfig carp1 vhid 1 carpdev vlan1 advskew 100 10.1.1.1/24
fw2# ifconfig carp2 vhid 2 carpdev vlan2 advskew 100 10.1.2.1/24

and you can also move the pfsync traffic over the same trunk:

fw1# ifconfig vlan240 vlandev trunk0 192.168.240.2/24 up
fw1# ifconfig pfsync0 syncdev vlan240 up

fw2# ifconfig vlan240 vlandev trunk0 192.168.240.3/24 up
fw2# ifconfig pfsync0 syncdev vlan240 up

reyk
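A sanity check for the trunk/carp state a setup like the one above should be in, added here as an example and not part of Reyk's post. The ifconfig output it parses is constructed to resemble OpenBSD's format; the exact field layout of the "trunkport" and "carp:" lines is an assumption, so compare against a real box before relying on it.

```shell
#!/bin/sh
# Added example: check trunk(4) failover and carp(4) state from ifconfig
# output.  Assumes lines of the form "trunkport <if> <flags>" and
# "carp: <STATE> carpdev <if> vhid <n>"; samples below are constructed.

# Constructed: trunk has failed over to em1, and carp1/carp2 disagree.
SAMPLE_IFCONFIG='trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        trunk: trunkproto failover
                trunkport em1 active
                trunkport em0 master
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan1 vhid 1 advbase 1 advskew 0
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan2 vhid 2 advbase 1 advskew 0'

# Constructed: healthy trunk, first port (em0) is master and active.
HEALTHY_TRUNK='trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        trunk: trunkproto failover
                trunkport em0 master,active
                trunkport em1'

# Name of the trunkport currently carrying traffic.
trunk_active_port() {
    printf '%s\n' "$1" | awk '$1 == "trunkport" && $3 ~ /active/ { print $2; exit }'
}

# Name of the master trunkport (the preferred one in failover mode).
trunk_master_port() {
    printf '%s\n' "$1" | awk '$1 == "trunkport" && $3 ~ /master/ { print $2; exit }'
}

# True when the trunk runs on its preferred port, false after a failover.
trunk_on_preferred_port() {
    [ "$(trunk_active_port "$1")" = "$(trunk_master_port "$1")" ]
}

# One "<carpif> <STATE>" line per carp interface.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+: / { ifn = substr($1, 1, length($1) - 1) }
        $1 == "carp:"     { print ifn, $2 }'
}

# True when every carp interface on this box is in the same state; a split
# MASTER/BACKUP usually points at a vlan or trunk problem, not a failover.
carp_consistent() {
    [ "$(carp_states "$1" | awk '{ print $2 }' | sort -u | awk 'END { print NR }')" -eq 1 ]
}
```

On a live firewall, pass "$(ifconfig trunk0; ifconfig carp1; ifconfig carp2)" to these functions from a cron job or monitoring check.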

Messages in current thread:
HA: pair of firewalls, 2 switches and 1 server, Axel Rau, (Tue May 18, 5:02 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Guido Tschakert, (Tue May 18, 5:11 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Leonardo Carneiro - ..., (Tue May 18, 5:20 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Guido Tschakert, (Tue May 18, 10:59 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Henning Brauer, (Wed May 19, 3:04 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Axel Rau, (Thu May 20, 10:02 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Graham Allan, (Thu May 20, 10:18 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Henning Brauer, (Thu May 20, 10:28 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Jussi Peltola, (Thu May 20, 11:00 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Henning Brauer, (Thu May 20, 11:17 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Henning Brauer, (Thu May 20, 11:41 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Axel Rau, (Thu May 20, 11:41 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Jussi Peltola, (Thu May 20, 11:59 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Graham Allan, (Thu May 20, 12:02 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Reyk Floeter, (Thu May 20, 1:07 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Jussi Peltola, (Thu May 20, 1:31 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Reyk Floeter, (Thu May 20, 3:22 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Tomoyuki Sakurai, (Thu May 20, 4:53 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Olivier Cherrier, (Thu May 20, 11:01 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Jussi Peltola, (Fri May 21, 1:11 am)
Re: HA: pair of firewalls, 2 switches and 1 server, Axel Rau, (Sat May 22, 12:41 pm)
Re: HA: pair of firewalls, 2 switches and 1 server, Axel Rau, (Sat May 22, 12:42 pm)