Solution ID: sk22345
Creation Date: 09/08/2003
Revised Date: 04/28/2005
Preferred Product: SecurePlatform

No. EtherChannel technology is not supported in SecurePlatform NG with Application Intelligence build R54.

Christopher McGill
CCSA, CCNA, MCP
________________________________
From: Mailing list for discussion of Firewall-1 on behalf of Jameel Akari
Sent: Mon 23/05/2005 19:42
To: [email protected]
Subject: Re: [FW-1] Dual Network Cards and Redundancy

On Mon, 23 May 2005, Chris McGill wrote:

> Two Network cards on the same segment can't share the same IP address as
> this causes problems with the switching tables. Can you provide more

Not if you just plug them in, no. But there are methods for link aggregation such as Etherchannel (in Cisco parlance)

> I've been setting up two systems with secure platform-ha (R55W) which
> has both two network quad-cards installed. Is it possible to configure
> both network cards with the same IP addresses to provide two points of
> access from the network? The idea is that if one connection fails to

I'm not sure offhand if SPLAT has it built in, or if the FW modules support it, but you want something like the Linux Ethernet Bonding driver. The end effect looks like this in ifconfig:

    bond0     Link encap:Ethernet  HWaddr 00:90:27:6F:3D:45
              inet addr:10.1.1.19  Bcast:10.1.1.255  Mask:255.255.255.0

    eth0      Link encap:Ethernet  HWaddr 00:90:27:6F:3D:45
              inet addr:10.1.1.19  Bcast:10.1.1.255  Mask:255.255.255.0

    eth1      Link encap:Ethernet  HWaddr 00:90:27:6F:3D:45
              inet addr:10.1.1.19  Bcast:10.1.1.255  Mask:255.255.255.0

The actual active interface used to route traffic is "bond0", which is made of two separate 100Mb NICs. In this case they go to ports on a Nortel switch in "trunked mode" - aka etherchannel on a Cisco.

Note that the MACs and IPs are identical. It is up to your switch to sort it out. On some switches you can have each physical link go to a different port; this obviously requires some trunking between switches; I believe a variation of STP is used to steer traffic by MAC address but I don't remember the specifics.

> the first quad-card, the network access to the system starts
> automatically networking on the second quad-card.

You can do one better and have it load-balance or load share as well. In the example above, a dead link will cause all traffic to switch to the active link in ~100 msec.

As I said, this is dependent on what SPLAT and the FW1 modules have built-in support for, but in the general case Linux can do this. Somebody with an up-to-date SPLAT install can verify.

(Windows can do this as well; HP/Compaq calls it "teaming" for example.)

--
#!/jameel/akari
sleep 4800;
make clean && make breakfast

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
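
Added example, not part of the original thread and not Check Point or bonding-driver code: one way to confirm that a bond like the bond0 described above still has both links, by reading the Linux bonding driver's status report (/proc/net/bonding/bond0). The sample report is constructed, and whether SecurePlatform exposes this file is an assumption the thread leaves open.

```python
# Constructed sample in the layout of /proc/net/bonding/bond0.
# The 100 ms polling interval mirrors the ~100 msec failover in the thread;
# the per-slave permanent MACs are made up for illustration.
SAMPLE = """\
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:90:27:6f:3d:45

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:90:27:6f:3d:46
"""


def parse_bond(text):
    """Split the report into bond-level settings and one dict per slave."""
    bond, slaves, current = {}, [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, MACs stay whole
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        elif current is not None:
            current[key] = value
        else:
            bond[key] = value
    return bond, slaves


def audit(text):
    """Return findings that mean the bond no longer provides redundancy."""
    bond, slaves = parse_bond(text)
    findings = []
    if int(bond.get("MII Polling Interval (ms)", "0")) == 0:
        findings.append("link monitoring disabled: a dead link is never detected")
    up = [s["name"] for s in slaves if s.get("MII Status") == "up"]
    findings += [f"{s['name']} is down" for s in slaves if s["name"] not in up]
    if len(up) < 2:
        findings.append(f"no redundancy: {len(up)} of {len(slaves)} links up")
    return findings
```

Because the bond itself still reports "MII Status: up" with one slave dead, only the per-slave check shows that the next link failure takes the firewall off the network.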
