Monday, August 3, 2020

Avoiding single point of failure with only one ISP handoff

Currently the network I maintain has two firewalls in an HA failover pair, but only one hand-off from our fiber ISP. We are able to run the HA pair because we have one Brocade switch (for Internet2) in front of the pair which splits the SFP+ hand-off. So if one firewall dies, the other can take over with no intervention, simply using its own WAN SFP+ connection from the Brocade. This leaves the Brocade itself as a single point of failure. Even if the Brocade could fail open, that wouldn't solve the issue, because the firewall WAN ports are configured to use the Brocade IP and not the ISP hand-off directly.

My question is: if we were to remove the Brocade completely from the setup and we STILL had a single hand-off from the ISP, what could we put between the single hand-off and the HA-paired firewalls that wouldn't itself introduce a single point of failure? Is there some type of dumb switch that we could mirror and/or have fail open in such a way that the live switch could still use the ISP hand-off plugged into the dead switch? Is there any solution that wouldn't require manual intervention (such as having to go and move the single hand-off from one box to another in the event of a failure)?

I'm not sure whether our ISP would be able to give us two mirrored hand-offs (whether that's possible at all, or possible without incurring a large monthly cost). Of course, two hand-offs would eliminate the need for anything between the ISP and the HA-paired firewalls.
