Re: [FW1] HA options using physically separated Nokia IP440's

Mon, 24 Jul 2000 08:48:08 -0700 


see below,
-- 
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376


On Mon, 24 Jul 2000 [EMAIL PROTECTED] wrote:

> 
> 
> 
> Hi all.
> 
> There's been quite a lot of traffic here recently about providing HA designs
> for environments using FW-1's based on NT or Unix flavours, either by using
> software based products such as Rainwall or Stonebeat, hardware switches, or the
> basic state sync approach.
> 
> What are the options for HA when using Nokia's?  From what I have seen s/w
> solutions don't cater for the Nokia's, and hardware (and VRRP) solutions are
> fine if the firewalls are in close proximity to each other, but what about two
> Nokia's, one each in each (distant) location - what then are the options for
> providing a reasonable level of fault tolerance?
> 
> Maybe the only option is to have a pair in each location making use of VRRP?
> 

Bingo - that's the best option. For a VIP-based HA solution to be
effective, all your clients need to use a VIP as their gateway. If that
VIP is across a WAN link, performance will go south and your WAN link
(presumably purchased for file and app sharing) will be choked with
Internet traffic. Also, all HA solutions rely on being able to reach other
for status quite rapidly. If the nodes don't hear from each other, each
will assume the other is dead and take appropriate action.

> This has some similarities I guess to the recent thread about dual-homing,
> though this is on a private network rather than having to deal with ISP's.
> 

You'd still have to worry about dual-homing if you wanted Internet
services to work -- unless these are internal firewalls and mail delays
are okay.

> Does anyone have any thoughts?  Our integrator is coming in to discuss the
> options, but forewarned is forearmed...
> 
> Regards
> 
> Simon
> 
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to