On 22/08/16 22:34, Gert Doering wrote:
> Not if you NAT the IPv4 - the NAT part enforces symmetry.
>
> Not that I'm a big fan of NAT, but it has its uses :-)

FHRPs aren't just for 'inside' interfaces. You do have to be sure to adjust the priorities of 'inside' and 'outside' interfaces together to maintain your symmetry, but that's not difficult. FHRP also takes care of ARP delays during failover.

Presumably some brands of firewall clusters also work on active/passive (i.e. STONITH) failover means, which also happens to be agnostic of any NAT going on, and serves to maintain symmetry. Assuming there's state synchronisation in all cases, of course.

Mixing the v4 NAT and IPv6 together isn't as simple, I agree, but the OP seemed very confused as to how routing works without NAT; my point was that it's worth remembering how IPv4 worked without any NAT, before trying to swallow your IPv6 deployment whole. :)

--
Tom
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/