The problem I've got is I need to give my switches a lobotomy.
The redundant firewalls we use need to be connected by hubs. They cannot use switches because of the MAC tricks they do. The problem is for redundancy you need two for each firewall arm so you can quickly build up a mountain of small 5-port hubs that sit between the switches and the firewalls.
Ideally, I'd like to configure my switches in some way so that I could create a VLAN which had ports that acted like hub ports. In other words, flood every port in the VLAN no matter what the bridge MAC table says. The other VLANs need to act just like they do now.
So currently it looks like this:
(cannot show links because the site doesn't like my ascii art)
There are crosslinks between the top and bottom switches and hubs.
I'd probably need to make a small cross-over cable on the switch from the switched VLAN to the hub VLAN, but that's OK. The idea is to replace the 4 hubs with some sort of strange VLAN.
This isn't possible on Cisco switches to my knowledge. I recently switched HA daemons on our BSD firewalls for precisely this reason -- using hubs to achieve firewall redundancy is, in my opinion, highly suboptimal.
If you have only two firewalls to worry about, then have you considered using a cross-over cable to connect the two firewall arms? For the firewall connection that needs to be connected to the enterprise network, use a hub just like you mentioned in the scenario.
I have seen problems with HA firewalls or, more accurately, clustered servers. This is where a number of servers appear to outside devices as 1 entity and do this by having a common IP address and MAC address. It is this that causes the problems with the switches.
Have a look at these documents on Stonesoft's site which cover IOS and CatOS switches.
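The following is an added illustration, not part of any post in this thread and not a configuration for any real switch: a toy learning-bridge simulator that contrasts a normal VLAN (MAC learning on) with a VLAN whose ports behave like a hub (never learn, always flood). It reproduces the failure the last reply describes: two cluster nodes announce the same MAC, the bridge table can only hold one port for it, so a client frame reaches only the node seen last. In the hub-like VLAN both nodes receive it, while an unrelated VLAN stays isolated. Port names, VLAN numbers and MAC addresses are constructed for the example; whether a given platform can disable learning per VLAN is something to check in that platform's documentation, the simulator only shows the forwarding difference.

```python
"""Toy Ethernet switch: per-VLAN MAC learning versus hub-like flooding.

Added example for the thread above; switch, port and VLAN names and all MAC
addresses are constructed and do not refer to any real device.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, hub_vlans=()):
        # VLANs listed here act like a hub: no learning, every frame floods.
        self.hub_vlans = set(hub_vlans)
        self.port_vlan = {}                 # port name -> access VLAN
        self.mac_table = {}                 # (vlan, mac) -> port last seen on
        self.delivered = defaultdict(list)  # port name -> frames handed out

    def add_port(self, port, vlan):
        self.port_vlan[port] = vlan

    def forward(self, in_port, src, dst):
        """Forward one frame and return the list of egress ports."""
        vlan = self.port_vlan[in_port]
        # Flooding never crosses VLAN boundaries or goes back out the ingress port.
        members = [p for p, v in self.port_vlan.items()
                   if v == vlan and p != in_port]
        if vlan in self.hub_vlans:
            out = members
        else:
            # Normal bridge behaviour: learn the source (last seen wins),
            # then unicast to the known port or flood if unknown/broadcast.
            self.mac_table[(vlan, src)] = in_port
            known = self.mac_table.get((vlan, dst))
            out = [known] if known is not None and known != in_port else members
        for p in out:
            self.delivered[p].append((src, dst))
        return out


SHARED_MAC = "00:00:5e:00:01:01"  # constructed: MAC common to both cluster nodes
CLIENT_MAC = "00:11:22:33:44:55"  # constructed: a client on the same VLAN


def scenario(hub_like):
    """Two cluster nodes share a MAC; return (ports that get the client's
    frame, the switch) for a learning VLAN or a hub-like VLAN."""
    sw = Switch(hub_vlans={10} if hub_like else ())
    sw.add_port("Gi1/1", 10)  # cluster node A
    sw.add_port("Gi1/2", 10)  # cluster node B
    sw.add_port("Gi1/3", 10)  # client
    sw.add_port("Gi1/4", 20)  # unrelated VLAN; must never see these frames
    # Both nodes send a broadcast from the shared MAC (e.g. a gratuitous ARP).
    sw.forward("Gi1/1", SHARED_MAC, BROADCAST)
    sw.forward("Gi1/2", SHARED_MAC, BROADCAST)
    # Client now sends a frame to the cluster's shared MAC.
    out = sorted(sw.forward("Gi1/3", CLIENT_MAC, SHARED_MAC))
    return out, sw


if __name__ == "__main__":
    learning, _ = scenario(hub_like=False)
    hub, sw = scenario(hub_like=True)
    print("learning VLAN delivers to:", learning)   # only the last-seen node
    print("hub-like VLAN delivers to:", hub)        # both nodes
    print("VLAN 20 port saw frames:", "Gi1/4" in sw.delivered)
```

Run it directly to see the two outcomes; the learning VLAN hands the client's frame to a single node, which is exactly the condition under which a clustered firewall pair stops behaving as one entity.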