Dr. I Doctor's Informational Juggernaut
Dear Doctor,
A neighboring company with a high-speed Internet connection similar to ours, but from a different provider, has proposed that we pool our resources so that one company's connection can support the other company should it lose Internet access. A Cat-5 cable already interconnects our two data centers. I've found a number of firewalls that support dual-WAN configuration, so we bought a pair and paid for a fiber optic cable between our buildings. Alas, I can't figure out how to interconnect the two firewalls so that they fail over correctly. Each has its own WAN IP address, and connecting the four WAN ports in a common switch (one at each location) results in "IP address spoof" error messages, and failover doesn't work. How can we disable these errors in our firewalls and get them to fail over correctly?
Gentle User,
Don't touch those firewalls! They're only doing their job. Disabling "spoof" messages without addressing the cause of the message is like disabling a beeping smoke detector without looking for actual smoke. The firewalls are telling you that there is a problem, and in this case it's a simple one: You can't securely mix traffic from two different IP subnets on the same Layer-2 Ethernet domain.
The fix is easy: Replace the low-end switches you installed at each location with more modern, fully managed Ethernet switches that have Virtual LAN (VLAN) capabilities. Then create two VLANs, one for each firewall WAN IP subnet, and trunk the VLANs between buildings. You can now plug the two firewall WAN ports (primary and failover) at each site into the two VLANs. Spoofing errors will cease, and failover will work like a charm.
Posted by mbeckman at September 1, 2008 4:06 PM
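As an added illustration of the corrected layout (not from the column), here is what the managed switch at one site could look like. Cisco IOS-style syntax is assumed, since the column names no switch vendor, and the VLAN numbers, interface names and the two provider subnets (RFC 5737 documentation ranges) are likewise assumptions.

```cisco
! Site A managed switch; site B mirrors this with provider B's demarc instead.
! Constructed example: VLAN IDs, port names and the 192.0.2.0/24 and
! 198.51.100.0/24 subnets are assumed, not taken from the column.
vlan 110
 name WAN-ProviderA-192.0.2.0
vlan 120
 name WAN-ProviderB-198.51.100.0
!
! Local firewall's primary WAN port: provider A's subnet only
interface GigabitEthernet1/0/1
 description FW-A primary WAN (192.0.2.x)
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
! Local firewall's failover WAN port: provider B's subnet, reached via the trunk
interface GigabitEthernet1/0/2
 description FW-A failover WAN (198.51.100.x)
 switchport mode access
 switchport access vlan 120
 spanning-tree portfast
!
! Provider A's handoff lands on site A only, in the same VLAN as FW-A's primary port
interface GigabitEthernet1/0/3
 description Provider A demarc
 switchport mode access
 switchport access vlan 110
!
! Fiber between the buildings: an 802.1Q trunk carrying only the two WAN VLANs.
! The native VLAN is set to an otherwise unused ID so untagged frames cannot
! leak into either provider's subnet, and DTP is disabled on the link.
interface GigabitEthernet1/0/24
 description Fiber trunk to neighbouring building
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,120
 switchport nonegotiate
```

Each firewall then addresses its primary WAN port from its own provider's subnet and its failover port from the neighbour's subnet; `show vlan brief` and `show interfaces trunk` on both switches should show each subnet on exactly one VLAN, which is what makes the spoof alerts disappear rather than merely silencing them.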
