Sam,

On Jul 6, 2011, at 3:31 AM, Sam Vaughan wrote:

> I should be able to avoid the need for a switch on the upstream side by
> getting the ISP to provide me with two links from the rack router, one for
> each firewall board.  These links would be CARP'd to share one external
> static IP.

I'd be really careful about this. The rack router may not expect to see the
same IP address move between ports, and act funny if it does. Most CARP/pfsync
setups put a switch in between the upstream router and the two boxes for this
reason. Check with your service provider -- they may just be giving you two
drops to a switch, in which case you have other single points of failure in
your system already.

> My question relates to the third port on each board, making up the CARP'd
> internal interface on the DMZ side.  How can I avoid plugging these two
> ports straight into the same switch, thereby adding a really obvious single
> point of failure to the entire setup?

While you can use a pair of switches to do switch-level failover, it gets
*expensive*. Nortel has the SMLT, DSMLT, and RSMLT protocols. Cisco has
something sort of similar with their Virtual Switching System technology.

<http://en.wikipedia.org/wiki/Split_Multi-Link_Trunking>

Given the relatively high reliability of switches as well as the costs
involved, most people don't bother.

Of course, if you have the kind of budget that will support things like
this... :-)

Hope this helps.


--Paul

