Hi,
I would like to get your feedbacks about the following design :
http://niconux.be/files/network.png
I will have to make that setup on a Debian basis with Cisco switches.
We will have to buy the 2 switches at the bottom part, we hesitate between Cisco 2960G-24TC-L and Cisco 3560G 24TS-S...
The top part (above the firewalls) of the diagram is already existing, so I only need to setup things starting at the firewalls.
Short design description :
We take care of redundancy. There will be a master FW elected via VRRP, VRRP will be acting for inside interfaces (74.1.1.3) and outside interfaces (74.1.1.2).
There is also redundancy for routers (via HSRP, using 74.1.1.) and servers, via Ethernet Bonding (faillover mode). Also the trunk between switches is redundant using ether channel.
On the red link between both switches, you will have conntrackd traffic.
We will deploy 5 servers behind those firewalls, each servers using 2 interfaces for the production network, one for the managment network and another one to connect a DRAC card.
Only one of those 5 servers won't have any connection to the production network. So, the overall setup require 25 interfaces for the servers + 6 (2 upstream + 2x2 trunks) interfaces for switches interconnections. This leaves me 17 usable interfaces (2x24 interfaces available on those switches), with 4 used interface per server, I still can connect 4 servers.
Now you got the picture about the current design.
Questions :
1° Do you agree with the switches choice ?
2° Can I do ethernet bonding (server side) while connecting to 2 differents switches ?
3° If there is a problem on the path between a server and the master firewall (for example, port down on the switch), assuming that I set up arp_ip_target and arp_interval options
of the bonding module, will the server start using its other interface to get another path ?
4° If one interface becomes down on the server, it will start using the other one. In that case, I guess that the kernel will send a broadcast gratuitous ARP, will other Linux Kernel in the same
VLAN take that into account ?
5° What do you think about the switch choice, any suggestion ?
6° Generally speaking, is Linux taking Gratuitous ARP into accout ? I'v got 2 cases where the kernel should send Gratuitous ARP : VRRP master change (firewall) and active interface change (ethernet bonding on server). In those cases, will Linux send gratuitous ARP and will other kernel take those packets into account ?
Thank you very much for reading this email and for taking the time to answer it :)
Cheers,
Henry-Nicolas Tourneur.