-----BEGIN PGP SIGNED MESSAGE-----

the problem with changing the MAC address is that if you have the machines
connected to an ethernet switch, you now have the problem of timing out
the MAC address table on the switch, and unlike the ARP table there is NO
standard way to do this.

As for the routing issue, I don't understand how this will work (I have
been (un)lucky enough that up until a month or so ago everything I have
been doing has been with static routes so I am a beginner in this area).
How would you use a routing protocol to switch from one machine to another
for a given IP address?

David Lang

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
- -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

On Thu, 21 Jan 1999, Schaar, Norbert wrote:

> Date: Thu, 21 Jan 1999 18:23:58 +0100
> From: "Schaar, Norbert" <[EMAIL PROTECTED]>
> To: 'David Lang' <[EMAIL PROTECTED]>,
>      "Schaar, Norbert" <[EMAIL PROTECTED]>
> Cc: rich <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Resonate and Pix
> 
> I've got your point. Two ways come to my mind:
> 
> 1. Two servers running in parallel. There you have two IP addresses/MAC
> addresses known by PIX. But for this approach the highav needs load
> balancing through dynamic routing (OSPF would be an excellent choice).
> 
> 2. Two servers using any proprietary hot standby, which provides a pseudo (or
> virtual) MAC address to the PIX, so that takeover from one server to the
> other is not perceived by the PIX.
> 
> Sure the alternative is to drop PIX.:-)
> 
> Regards
> 
> Norbert Schaar
> Firewall Team - Network Security Services
> Dresdner Global IT Services - DreGIS
> Dresdner Bank AG
> 
> -----Original Message-----
> From: David Lang [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 20 January 1999 20:02
> To: Schaar, Norbert
> Cc: rich; [EMAIL PROTECTED]
> Subject: RE: Resonate and Pix
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> A Cisco Router will accept new ARP info before the old info ages out. The
> issue that started this thread was the Resonate load balancing/failover
> software; part of its functionality allows for one machine to take over IP
> addresses from another. This works with Sun, Linux, BSD*, AIX, HP, ..
> machines and Cisco, 3com, ... routers but not with the PIX.
> 
> In this case reducing the ARP timeout is not nearly as good a solution
> because with the gratuitous ARP failover can happen in 5 sec or less of a
> machine going down; if you set the ARP timeout to such a low value you
> will have far too many ARP broadcasts on your network.
> 
> David Lang
> 
> "If users are made to understand that the system administrator's job is to
> make computers run, and not to make them happy, they can, in fact, be made
> happy most of the time. If users are allowed to believe that the system
> administrator's job is to make them happy, they can, in fact, never be made
> happy." 
> - -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA
> '97)
> 
> On Wed, 20 Jan 1999, Schaar, Norbert wrote:
> 
> > Date: Wed, 20 Jan 1999 16:14:28 +0100
> > From: "Schaar, Norbert" <[EMAIL PROTECTED]>
> > To: 'David Lang' <[EMAIL PROTECTED]>,
> >      "Schaar, Norbert" <[EMAIL PROTECTED]>
> > Cc: rich <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > Subject: RE: Resonate and Pix
> > 
> > That's right, PIX ignores new MAC addresses until the entry in its ARP
> > table ages out. From this point of time when the entry has been gone PIX
> > will accept new ARP broadcast announcements and advertisements and update
> > its table. So it's very important to reduce the value of PIX arp timeout
> > or manually delete the table through "clear arp".
> > 
> > By the way, any networking device has such a feature, for example SUN
> > SPARC's timeout is per default 300 seconds. So it always needs some
> > minutes until your changed card or (in highav) your new machine will be
> > able to send and receive packets.
> > Possibly PIX is more stringent in ignoring some stuff on the wire,
> > because of its nature as a firewall. But you can discover the same
> > behavior for any Cisco router and SUN Sparc server.
> > 
> > Anyhow, try it out with PIX and you will see it works.
> > 
> > Kind regards
> > 
> > Norbert Schaar
> > Firewall Team - Network Security Services
> > Dresdner Global IT Services - DreGIS
> > Dresdner Bank AG
> 

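A small model of the two ARP-cache behaviours the thread contrasts (a router that accepts a new MAC at once versus a PIX that, as described above, ignores it until the entry ages out), and of the broadcast cost of shrinking the timeout. This is an added example, not code from the list or from Cisco or Resonate; the addresses, the 1-second gratuitous-ARP repeat and the refresh-load formula are constructed assumptions.

```python
from dataclasses import dataclass, field

IP = "10.0.0.5"                     # constructed service address
MAC_PRIMARY = "00:00:00:00:00:aa"   # constructed
MAC_STANDBY = "00:00:00:00:00:bb"   # constructed


@dataclass
class ArpCache:
    timeout: float              # seconds an entry lives without refresh
    accept_before_expiry: bool  # True: router behaviour, False: PIX as described
    table: dict = field(default_factory=dict)  # ip -> (mac, learned_at)

    def expired(self, ip, now):
        return now - self.table[ip][1] >= self.timeout

    def learn(self, ip, mac, now):
        """Handle a (gratuitous) ARP announcement; True if the table changed."""
        if ip not in self.table or self.expired(ip, now) or self.accept_before_expiry:
            self.table[ip] = (mac, now)
            return True
        return False  # PIX-style: new MAC ignored until the old entry ages out

    def lookup(self, ip, now):
        if ip not in self.table or self.expired(ip, now):
            return None
        return self.table[ip][0]


def failover_delay(accept_before_expiry, arp_timeout, down_at=10.0,
                   garp_start=12.0, garp_interval=1.0, horizon=900.0):
    """Seconds from the primary dying until the firewall sends to the standby.
    The standby repeats its gratuitous ARP every garp_interval seconds
    (hypothetical timing); None if it has not taken over by horizon."""
    cache = ArpCache(arp_timeout, accept_before_expiry)
    cache.learn(IP, MAC_PRIMARY, 0.0)  # firewall learned the primary at boot
    t = garp_start
    while t <= horizon:
        cache.learn(IP, MAC_STANDBY, t)
        if cache.lookup(IP, t) == MAC_STANDBY:
            return t - down_at
        t += garp_interval
    return None


def arp_broadcasts_per_second(n_hosts, arp_timeout):
    """Rough refresh load: each of n_hosts entries re-ARPed once per timeout
    (simplifying assumption), so a short timeout multiplies broadcasts."""
    return n_hosts / arp_timeout
```

With a 300 s timeout the PIX-style cache takes about 290 s to follow the standby while the router-style cache takes 2 s; cutting the timeout to 5 s closes that gap but, for 200 hosts, raises the modelled refresh load from under one to 40 ARP broadcasts per second.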