Greg Gard
Hi,
Forgive me in advance if I'm asking something that has already been
addressed recently; I went back a ways and didn't find anything specifically
on point.
I have two firewalls in an active/passive failover mode and want to have no
single point of failure in my Internet data center. I have several web
servers and two db servers. My ISP is providing me with two switched
connections with identical IP ranges on each say x.142 - x.155 where x= a
public IP. The firewalls perform NAT so that I have y.142 - y.155 coming out
of the LAN interface on each (y being a local IP, i.e. 192.168.2). The
firewalls need to send a heartbeat across the LAN to determine failover so
they need to be on the same subnet. Additionally, they only have two
interfaces each (1 WAN and 1 LAN).
Now the easy thing would be to just plug both LAN outputs from the firewalls
into one switch and then hook up the servers. Unfortunately, our networking
spec demands no single point of failover, so I need redundant switches etc.
My thinking thus far runs like this:
wan 1 (all public IPs) >> firewall 1 (NAT maps to all local IPs) >> hub 1 >>
switch 1 >> nic 1 on all servers
wan 2 (all public IPs) >> firewall 2 (NAT maps to all local IPs) >> hub 2
This is not as understandable as schematic, but essentially the hubs act as
splitters for the (under-equipped I think) firewalls so that each hub gets
all local IPs and sends all packets to both switches. All servers then get
two NICs (probably with some sort of connection load balancing software).
With this configuration, if the primary firewall or hub 1 fails then the
heartbeat from the primary firewall is interrupted and the secondary then
takes over sending signals down hub 2 and then on to both switches. More
importantly, if switch one fails, the primary firewall can still send
packets down the pipe through switch two and all secondary nics.
I have searched and searched, but have not found any reasonable
documentation on how to do this. I would really appreciate any ideas.
Servers are all win2k standard servers.
Thanks...gg
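The failure reasoning in the post (which component can die while every server still has a path from at least one WAN link, and whether the firewalls still see each other's heartbeat) can be checked mechanically by modelling the two designs as graphs. The following is an added example, not code from the original post: the node names, the second web/db server, and the links hub 2 -> switch 1, hub 2 -> switch 2 and switch 2 -> nic 2 are assumptions taken from the prose ("each hub ... sends all packets to both switches", "all secondary nics"), since the post's schematic stops after the hub 2 line.

```python
"""Single-point-of-failure and heartbeat checks for the two LAN designs in the post.

Constructed example, not from the original post. Links are undirected, since
a frame can cross a hub or switch port in either direction.
"""
from collections import deque

# Assumed model of the proposed design: hub 2 feeds both switches and switch 2
# feeds the second NIC of every server (inferred from the prose, not drawn).
PROPOSED = frozenset({
    ("wan1", "fw1"), ("fw1", "hub1"), ("hub1", "switch1"), ("hub1", "switch2"),
    ("wan2", "fw2"), ("fw2", "hub2"), ("hub2", "switch1"), ("hub2", "switch2"),
    ("switch1", "web1"), ("switch2", "web1"),   # nic 1 and nic 2 of a web server
    ("switch1", "db1"), ("switch2", "db1"),     # nic 1 and nic 2 of a db server
})

# The "easy" design the post rejects: both firewall LAN ports into one switch.
SINGLE_SWITCH = frozenset({
    ("wan1", "fw1"), ("fw1", "switch1"),
    ("wan2", "fw2"), ("fw2", "switch1"),
    ("switch1", "web1"), ("switch1", "db1"),
})

FORWARDERS = {"hub1", "hub2", "switch1", "switch2"}  # devices that repeat frames


def adjacency(links, removed=()):
    """Build an adjacency map, dropping every link that touches a removed node."""
    adj = {}
    for a, b in links:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(links, start, removed=()):
    """Nodes reachable from start by breadth-first search over surviving links."""
    adj = adjacency(links, removed)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(links, sources, targets):
    """Nodes whose loss leaves some target unreachable from every source.

    Sources (WAN links) and targets (servers) are not candidates: losing
    both uplinks or the server itself is outside the LAN design question.
    """
    nodes = {n for link in links for n in link}
    spofs = []
    for node in sorted(nodes - set(sources) - set(targets)):
        still_served = all(
            any(t in reachable(links, s, removed={node}) for s in sources)
            for t in targets
        )
        if not still_served:
            spofs.append(node)
    return spofs


def heartbeat_path_exists(links, removed=()):
    """The firewalls exchange their heartbeat on the LAN side, so fw1 must
    reach fw2 without crossing a WAN link."""
    lan_links = {l for l in links if not any(n.startswith("wan") for n in l)}
    return "fw2" in reachable(lan_links, "fw1", removed)


def forwarding_loop_exists(links):
    """True if the hubs and switches alone form a cycle: a layer-2 loop that
    keeps broadcast frames circulating unless spanning tree blocks a port."""
    core = {l for l in links if l[0] in FORWARDERS and l[1] in FORWARDERS}
    adj = adjacency(core)
    seen = set()

    def dfs(node, parent):
        seen.add(node)
        for nxt in adj[node]:
            if nxt == parent:
                continue
            if nxt in seen or dfs(nxt, node):
                return True
        return False

    return any(node not in seen and dfs(node, None) for node in list(adj))


if __name__ == "__main__":
    for name, topo in (("proposed", PROPOSED), ("single switch", SINGLE_SWITCH)):
        print(name, "SPOFs:",
              single_points_of_failure(topo, {"wan1", "wan2"}, {"web1", "db1"}))
        print(name, "heartbeat ok:", heartbeat_path_exists(topo),
              "| loop among hubs/switches:", forwarding_loop_exists(topo))
    print("heartbeat with hub 1 down:", heartbeat_path_exists(PROPOSED, removed={"hub1"}))
```

Run as-is, the model reports no single point of failure in the proposed design and flags switch 1 in the single-switch design, which matches the post's reasoning. Two things the model also surfaces, worth planning for: with hub 1 down the heartbeat path is gone while firewall 1 is still up on its WAN side, so the failover logic has to cope with both firewalls believing they are active; and the four hub-to-switch cross-links form a loop among the forwarding devices, so spanning tree (or an equivalent) has to be active on the switches to stop broadcast frames circulating.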