[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pfsync + CARP

To: misc@openbsd.org
Subject: Re: Pfsync + CARP
From: "Bill Marquette" <billm@ucsecurity.com>
Date: Fri, 26 Mar 2004 18:01:12 -0600 (CST)
References: <AC7AAB084B315548841D0ED7FF6CFFE8014AB7E9@EXCHANGE.swyt.nhs.uk> <014a01c4135e$3884fe30$88180a0a@MRZTP> <20040326183105.GG10651@countersiege.com> <01c901c41361$9bcc4ef0$88180a0a@MRZTP> <20040326191649.GB32569@is-root.org>
User-Agent: SquirrelMail/1.4.2

FWIW, I've been running a version of ifstated from an early Feb snapshot
on some lab equipment w/out any issues.  I fully agree pfsync + carp rox,
pfsync + carp + ifstated covers nearly every failure scenario in a setup
where both firewalls are plugged into physically different equipment.  For
the record, I have had a NIC fail on an active firewall, however the
kernel panic that occured nanoseconds later effectively meant the machine
wasn't going to be sending VRRP (ahem, or CARP) anyway...IOW, protecting
against NIC failures are a pointless reason to run ifstated.  Protection
against link failure due to cable issues (cuts, pulls, spontaneous
combustion, etc) or switch failures (if your failover machine is on a
DIFFERENT switch) is a good reason for ifstated.

--Bill

References:
- Pfsync + CARP
  - From: "Kevin Barrass" <Kevin.barrass@swyt.nhs.uk>
- Re: Pfsync + CARP
  - From: "matthew zeier" <mrz@velvet.org>
- Re: Pfsync + CARP
  - From: Ryan McBride <mcbride@openbsd.org>
- Re: Pfsync + CARP
  - From: "matthew zeier" <mrz@velvet.org>
- Re: Pfsync + CARP
  - From: Christian Gut <cycloon@is-root.org>

Prev by Date: Re: carp/ifstated + snmp integration?
Next by Date: Re: Turn off reverse video on boot messages
Prev by thread: Re: Pfsync + CARP
Next by thread: http://uptime.netcraft.com/up/graph/?host=www.openbsd.org
Index(es):
- Date
- Thread