trader7702
11-30-2003, 08:17 PM
Here's a question for some of you network admins out there. I have a line coming in from the datacenter's layer-3 switch. If I get a set of redundant firewalls and have them install another line (one line to each firewall), will they be able to route to whichever firewall is live?
Would we be able to continue using static routes, or will we have to start using a routing protocol now?
Trader
dwayrynen
11-30-2003, 09:12 PM
It all depends on the gear you and your ISP are using. :-)
Assuming Cisco gear (which is what we use at Deru), you can use HSRP (Hot Standby Router Protocol) to offer redundancy between the links.
You'll want to be careful about just using static routes to the firewalls - if the routes have equal values on the ISP side, they could end up load balancing traffic at the IP level to your firewalls, which will break much of the state they maintain on open TCP/IP connections.
It's best to set one up as primary and the other as backup and just break current tcp/ip connections in use when the primary fails.
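The failure mode dwayrynen describes, as an added illustration that is not part of the thread: a small Python model (constructed here, not real netfilter code) of two stateful firewalls behind an ISP router. Inside hosts always send through the primary, so only the primary holds the connection state. With one static route on the ISP side every reply comes back through the primary; with two equal-cost routes the router's per-flow hash (a stand-in parity hash here, but the point is only that it ignores which firewall holds state) sends roughly half the replies to the backup, which has no entry for them and drops them.

```python
"""Model of why equal-cost static routes towards two stateful firewalls
break connections.  Constructed simulation for illustration only; the
addresses, port numbers and hash are assumptions, not anything from the
thread."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK", ...


@dataclass
class StatefulFirewall:
    name: str
    # connection table keyed (inside_ip, inside_port, outside_ip, outside_port)
    conntrack: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> bool:
        """Inside host opening a connection: create state on *this* box."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            self.conntrack.add(key)
            return True
        return key in self.conntrack

    def inbound(self, pkt: Packet) -> bool:
        """Reply from the Internet: accept only if this box saw the SYN.
        The reply's addresses are the stored tuple reversed."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            return True
        self.dropped.append((self.name, pkt))
        return False


def ecmp_pick(firewalls, pkt: Packet) -> StatefulFirewall:
    """Stand-in for a router's per-flow hash over two equal-cost next hops.
    Real routers hash the full 5-tuple; what matters is that the choice is
    made without any knowledge of which firewall holds the flow's state."""
    return firewalls[(pkt.sport ^ pkt.dport) % len(firewalls)]


def run(mode: str, n_flows: int = 20):
    """Return (accepted_replies, dropped_replies) for n_flows connections.

    mode "active-standby": ISP has one static route, to the primary.
    mode "ecmp":           ISP has two equal-cost static routes.
    """
    primary = StatefulFirewall("fw1")
    backup = StatefulFirewall("fw2")
    fws = [primary, backup]
    accepted = 0
    for i in range(n_flows):
        sport = 40000 + i
        syn = Packet("10.0.0.10", "203.0.113.5", sport, 443, "SYN")
        synack = Packet("203.0.113.5", "10.0.0.10", 443, sport, "SYN-ACK")
        # Inside hosts use the primary as their default gateway.
        primary.outbound(syn)
        # ISP side decides which firewall gets the reply.
        fw = primary if mode == "active-standby" else ecmp_pick(fws, synack)
        if fw.inbound(synack):
            accepted += 1
    return accepted, len(primary.dropped) + len(backup.dropped)


if __name__ == "__main__":
    for mode in ("active-standby", "ecmp"):
        ok, lost = run(mode)
        print(f"{mode:15s} accepted={ok} dropped={lost}")
```

Per-packet load balancing would be worse still (every packet of a flow is a coin toss), and the same asymmetry appears with any routing protocol that installs both next hops as equal-cost. The safe arrangement is the one dwayrynen gives: a single active next hop, with the backup taking over only when the primary is gone.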
Reseller-Center
11-30-2003, 09:26 PM
This might make it a little clearer...
http://networking.earthweb.com/nethub/article.php/1438251
trader7702
11-30-2003, 09:28 PM
They have a Cisco layer-3 switch we plug into. We have 2 Linux firewalls with a serial link that monitor one another using heartbeat. So if the primary fails, then the backup initiates.
HSRP is a Cisco proprietary protocol, isn't it? Probably won't work as we don't have a Cisco firewall. I only wish we did.
Trader
PS. As far as I know, the backup firewall just sits there dormant. So wouldn't the datacenter's switch just update and start sending to a different port if the first firewall went offline and the second one came on?
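What the datacenter switch actually has to "update" in the setup trader7702's PS describes is its ARP cache: a static route on the switch points at a next-hop IP, and when the backup Linux box takes that IP over it has to tell the switch that the IP now lives at a different MAC. Heartbeat-style takeover tools do this by broadcasting a gratuitous ARP after bringing the shared IP up. The following is an added example, not code from the thread or from heartbeat itself, that builds and decodes such a frame in pure Python; the VIP, MAC and interface name are made-up values.

```python
"""Build and parse a gratuitous ARP frame, the announcement a backup
firewall broadcasts when it takes over a shared next-hop IP.  Example
code written for this page; addresses below are assumptions."""
import socket
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_garp(vip: str, our_mac: str, reply: bool = False) -> bytes:
    """Return a 42-byte Ethernet+ARP frame announcing `vip` at `our_mac`.

    Request form (op 1) carries an all-zero target MAC; reply form (op 2)
    carries the broadcast MAC.  In both, sender IP == target IP == vip,
    which is what makes the ARP 'gratuitous'.  Tools usually send both
    forms because switches differ in which one they honour.
    """
    op = 2 if reply else 1
    target_mac = BROADCAST_MAC if reply else ZERO_MAC
    ethernet = _mac(BROADCAST_MAC) + _mac(our_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(our_mac) + socket.inet_aton(vip)
           + _mac(target_mac) + socket.inet_aton(vip))
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields (what the switch sees)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": _mac_str(body[0:6]),
        "sender_ip": socket.inet_ntoa(body[6:10]),
        "target_mac": _mac_str(body[10:16]),
        "target_ip": socket.inet_ntoa(body[16:20]),
    }


def is_gratuitous(info: dict) -> bool:
    """A gratuitous ARP announces itself: sender and target IP are equal."""
    return info["sender_ip"] == info["target_ip"]


def send_frame(frame: bytes, iface: str) -> None:
    """Broadcast the frame on `iface`.  Linux only; needs CAP_NET_RAW."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((iface, 0))
        sock.send(frame)


if __name__ == "__main__":
    # Assumed values: shared next-hop IP, backup box's MAC, its outside NIC.
    vip, mac, iface = "192.0.2.1", "00:11:22:33:44:55", "eth0"
    for reply in (False, True):
        frame = build_garp(vip, mac, reply=reply)
        print(parse_arp(frame))
        # send_frame(frame, iface)   # uncomment on the firewall itself
```

Two caveats for this design: the switch must honour unsolicited ARP updates for the next-hop IP (most do by default, but it is worth checking on the upstream gear rather than assuming), and the same shared-IP-plus-gratuitous-ARP takeover is needed on the inside interface, since the inside hosts also point at a single gateway address. With that in place, the switch keeps its one static route and only the MAC behind the next-hop IP changes at failover, which is exactly the active/standby arrangement the earlier reply recommends.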