
Help, I'm Stuck On Stupid
by Hijexx at 7:47 pm EDT, Sep 20, 2004

Trying to figure out something in a redundant firewall design. Two legged firewall design, two of everything. So two switches on the internal side of the cluster, two switches on the external side as well. Firewalls are running active/active. Internal switches are trunked together. External switches are trunked together. From top to bottom we have:

ExSwitchA ExSwitchB

FirewallA FirewallB

InSwitchA InSwitchB

Question is this: How can you cross connect, for example, the external switches so that ExSwitchA touches both FWA & B, and ExSwitchB touches both firewalls as well? Reason being if ExSwitchA fails, you still want B to throw packets at both firewalls.

I'm cooking up a few things in my mind but it gets ugly at layer 3. Assume that the firewalls cannot aggregate their links. Assume the clustering solution is a multicast software load balance solution. Assume OSPF is available.

I'm willing to live with "lose a switch, lose a firewall" and just have the firewall be fat enough to cope with the bandwidth but as an exercise I'm just trying to think about how to handle this.


 
RE: Help, I'm Stuck On Stupid
by Decius at 8:28 pm EDT, Sep 20, 2004

Hijexx wrote:
] I'm cooking up a few things in my mind but it gets ugly at
] layer 3. Assume that the firewalls cannot aggregate their
] links. Assume the clustering solution is a multicast software
] load balance solution. Assume OSPF is available.
]
] I'm willing to live with "lose a switch, lose a firewall" and
] just have the firewall be fat enough to cope with the
] bandwidth but as an exercise I'm just trying to think about
] how to handle this.

Well, as a general rule, if one of the firewalls doesn't have enough bandwidth to handle the load, then you don't have an HA solution, because if a firewall fails it will impact your network performance. You really either need to have three firewalls, or you need to have two firewalls which can each handle the load independently of the other.

The only way to cross connect the firewalls is to have multiple interfaces on each firewall which have the same IP address, in the same way that in your existing configuration you have multiple firewalls with the same IP address. If your clustering solution supports clustering across multiple interfaces on the same device, as well as across multiple devices, then you can do it. If not, then you can't.

Does that answer your question?


 
2.3. Link Aggregation and High Availability with Bonding
by Rattle at 9:14 pm EDT, Sep 20, 2004

Hijexx wrote:
] Question is this: How can you cross connect, for example, the
] external switches so that ExSwitchA touches both FWA & B, and
] ExSwitchB touches both firewalls as well? Reason being if
] ExSwitchA fails, you still want B to throw packets at both
] firewalls.
]
] I'm cooking up a few things in my mind but it gets ugly at
] layer 3. Assume that the firewalls cannot aggregate their
] links. Assume the clustering solution is a multicast software
] load balance solution. Assume OSPF is available.
]

I'm confused by your question. By aggregate links, do you mean it cannot bond ports/channels? If you are connecting up the firewalls to both switches on either side, that's the function you would want.

The following link is to a page from the Guide to IP Layer Network Administration with Linux that details the specifics for that platform. I'm not sure what the procedure would be with other platforms.

2.3. Link Aggregation and High Availability with Bonding
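As an added example (not from the thread or the linked guide), this is how the cross-connect Hijexx describes is usually expressed on a Linux firewall: one bond per leg, with one member cabled to each switch, in active-backup mode. That mode needs no link aggregation support on the NICs or on the switches, so it sidesteps the "cannot aggregate their links" constraint. The interface names and addresses below are assumptions.

```ini
# Assumed Debian-style /etc/network/interfaces on FirewallA (constructed example).
# Interface names, addresses and gateway are placeholders.
#
# active-backup: only one member carries traffic, the other is a hot spare.
# Each switch therefore sees an ordinary port, no LACP/EtherChannel needed.
# bond-updelay/downdelay must be multiples of bond-miimon; the updelay gives
# the switch port time to finish spanning-tree before the bond uses it.

# External leg: eth0 -> ExSwitchA, eth1 -> ExSwitchB
auto bond0
iface bond0 inet static
    address 198.51.100.2
    netmask 255.255.255.0
    gateway 198.51.100.1
    bond-slaves eth0 eth1
    bond-mode active-backup
    bond-primary eth0
    bond-miimon 100
    bond-updelay 200
    bond-downdelay 200

# Internal leg: eth2 -> InSwitchA, eth3 -> InSwitchB
auto bond1
iface bond1 inet static
    address 192.0.2.1
    netmask 255.255.255.0
    bond-slaves eth2 eth3
    bond-mode active-backup
    bond-primary eth2
    bond-miimon 100
    bond-updelay 200
    bond-downdelay 200

# FirewallB uses the same stanzas; pointing its bond-primary at the
# ExSwitchB/InSwitchB-facing ports spreads the no-fault load over both switches.
```

Once the bonds are up, `/proc/net/bonding/bond0` lists the currently active slave and each member's MII status, which is the check to run before and after pulling the cable to ExSwitchA. On failover the bonding driver announces the bond's MAC with gratuitous ARP, which is why the trunk between ExSwitchA and ExSwitchB matters: it lets the surviving switch relearn the address without waiting for the old entry to age out.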


 
RE: Help, I'm Stuck On Stupid
by flynn23 at 9:07 am EDT, Sep 21, 2004

Hijexx wrote:
] Trying to figure out something in a redundant firewall design.
] Two legged firewall design, two of everything. So two
] switches on the internal side of the cluster, two switches on
] the external side as well. Firewalls are running
] active/active. Internal switches are trunked together.
] External switches are trunked together. From top to bottom we
] have:
]
] ExSwitchA ExSwitchB
]
] FirewallA FirewallB
]
] InSwitchA InSwitchB
]
] Question is this: How can you cross connect, for example, the
] external switches so that ExSwitchA touches both FWA & B, and
] ExSwitchB touches both firewalls as well? Reason being if
] ExSwitchA fails, you still want B to throw packets at both
] firewalls.
]
] I'm cooking up a few things in my mind but it gets ugly at
] layer 3. Assume that the firewalls cannot aggregate their
] links. Assume the clustering solution is a multicast software
] load balance solution. Assume OSPF is available.
]
] I'm willing to live with "lose a switch, lose a firewall" and
] just have the firewall be fat enough to cope with the
] bandwidth but as an exercise I'm just trying to think about
] how to handle this.

I would get away from active-active in this situation. As Tom points out, unless each FW is sized to handle full load, then you don't really have HA. You could argue that you're trying to save $$ by using active-active, but I think you overspend on trying to concoct a really complex topology to get this to work. Essentially whatever you might be saving by buying 2 bigger FWs gets eaten up in other hardware and administrative time.

If you went active-passive, then you can align the switches and FWs up to only go live when there's a failure in the other chain. This is simple to do and trivial administratively.


  
RE: Help, I'm Stuck On Stupid
by Decius at 2:33 pm EDT, Sep 21, 2004

flynn23 wrote:
] I think you overspend
] on trying to concoct a really complex topology to get this to
] work. Essentially whatever you might be saving by buying 2
] bigger FWs gets eaten up in other hardware and administrative
] time.

Let me second that. My experience with full cluster firewalls is that the amount of complexity often makes them prohibitively expensive to build and operate. It's a fun technical challenge for a firewall geek, but in production active/passive is always a more reliable solution unless you MUST have 3+ devices in order to handle the bandwidth you are seeing (which is rare right now as Moore's law is scaling faster than most people's bandwidth requirements; there are some very fast appliances out there).


 
 