On 2011-07-06, Sam Vaughan <samjvaug...@gmail.com> wrote:
> I should be able to avoid the need for a switch on the upstream side by
> getting the ISP to provide me with two links from the rack router, one for
> each firewall board.  These links would be CARP'd to share one external static
> IP.

For carp to work these two interfaces need to be able to see each other
(L2). On separate router interfaces (rather than switchports) this won't
be the case. This is probably the side you need to think about more.

> My question relates to the third port on each board, making up the CARP'd
> internal interface on the DMZ side.  How can I avoid plugging these two ports
> straight into the same switch, thereby adding a really obvious single point of
> failure to the entire setup?
>
> I can see a couple of options but I'm thinking I must be missing something
> obvious.

Simplest way is probably: one firewall to one switch, one to a second
switch, cross-connect the switches, connect servers to both switches with
a failover trunk.
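One way to express that layout in OpenBSD hostname.if(5) files, as an added example that is constructed for illustration and not part of the thread; the interface names, addresses, vhid and password are assumptions:

```conf
# Firewall A, DMZ-side physical port, cabled to switch 1  -> /etc/hostname.em2
up

# Firewall A, shared DMZ gateway address                   -> /etc/hostname.carp1
# Firewall B carries the same line with its own carpdev (cabled to switch 2)
# and a higher advskew (e.g. 100) so it only takes over when A's
# advertisements stop. The advertisements are multicast on the carpdev,
# so A's em2 and B's em2 must sit on one L2 segment: here that is provided
# by the cross-connect between the two switches.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em2 pass CHANGE_ME advskew 0

# DMZ server, one port to each switch                       -> /etc/hostname.trunk0
# failover: the first trunkport (em0, switch 1) carries traffic; em1 (switch 2)
# is only used when em0 loses link. The server's address lives on the trunk.
trunkproto failover trunkport em0 trunkport em1
inet 192.0.2.10 255.255.255.0

# DMZ server default route: the CARP address, never a firewall's real address
# -> /etc/mygate
192.0.2.1
```

Losing either switch then only costs one firewall's DMZ leg (CARP fails over) or one server uplink (the trunk fails over), rather than the whole DMZ.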
