Henry-Nicolas Tourneur wrote:
Currently, that's a very important part for me. I was told that using either VRRP or ethernet bonding, I will get one single virtual mac address. So in both cases, server or firewalls won't need to update their arp table because the matching virtual mac -> ip address will stay valid.
Yes, that's right.
Therefore, the question would be: what is going to happen in order to update automatically the mac table on switches?
You'll want to speak some variant of STP on the switches. But that's not rocket science - we have quite a few Red Hat HA-Clusters running their internal LAN over a pair of pretty "stupid" Intellinet switches and it "just works" - can pull a cable without losing more than one ping.
Another question: If I don't use arp options, my ethernet bonding will only be carrier sense, no? If I want it to test the complete path to the firewalls and switch to the other interface if the path fails, I should use those options, correct?
Yes, the arp_* options do add some minimal level of security, though I have not yet encountered a scenario where they were really needed.
Regards, Michael
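
As an added example (not part of the original messages): a shell helper that reads the status text of /proc/net/bonding/<bond> and reports whether the bond relies on carrier sense only (miimon) or on ARP probes to the arp_ip_target hosts, which is the distinction discussed above. The sample status text and the 192.0.2.x addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify how a Linux bond detects link failure, from /proc/net/bonding/<bond> text.
# Prints "arp"  when ARP probes to arp_ip_target hosts are active (tests the path),
#        "mii"  when only carrier sense (miimon) is active,
#        "none" when no link monitoring is configured at all.
bond_monitor_mode() {
    awk -F': *' '
        /^MII Polling Interval \(ms\)/ { mii = $2 + 0 }
        /^ARP Polling Interval \(ms\)/ { arp = $2 + 0 }
        /^ARP IP target\/s/            { targets = $2 }
        END {
            if (arp > 0 && targets != "") print "arp"
            else if (mii > 0)             print "mii"
            else                          print "none"
        }'
}

# Constructed sample: active-backup bond using miimon only (carrier sense).
sample_mii() {
    cat <<'EOF'
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
EOF
}

# Constructed sample: same bond using arp_interval and two arp_ip_target hosts.
sample_arp() {
    cat <<'EOF'
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0
ARP Polling Interval (ms): 1000
ARP IP target/s (n.n.n.n form): 192.0.2.1, 192.0.2.2
EOF
}

for s in sample_mii sample_arp; do
    printf '%s: %s\n' "$s" "$($s | bond_monitor_mode)"
done
```

On a live host the same function can be fed the real file, for example `bond_monitor_mode < /proc/net/bonding/bond0`.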