-----BEGIN PGP SIGNED MESSAGE-----

I take it you're bridging more than just IP, because if you are only doing
IP, you should not have to see any MAC addresses.  The switches should
take care of sending out ARP requests.  Something sounds set up wrong; you
should not need to see MAC address traffic for a system like that to work.

Thank You,
        Ben Kochie (ben at nerp.net)

 "Unix is user friendly, it's just picky about its friends."

On Mon, 4 Jun 2001, Jason Jorgensen wrote:

> They are going to replace a single MASQing firewall. All traffic was going
> through one firewall anyway. Now it will be 2 Linux bridges with masq rules
> that will fail over. We aren't using those for public space.
>
> If the bridges can't see the MAC addresses of the boxes on both sides of the
> bridge then they won't route any data across.
>
> You're absolutely right. It might be better to have a sleeping firewall that
> could be awakened with some Linux heartbeat software. We are investigating
> our options at the present and this was one of the solutions presented. We were
> thinking spanning tree switches with spanning tree bridging firewalls. Right
> now we are just compiling a pros and cons list for the different options.
> One of the cons is having to purchase different switches. But I need to know
> what kind of switches to get for this configuration and their price.
>
>
>
>
> Ben Kochie wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Why in the world would you need both Linux servers to have access to all
> > traffic on the network?  That's a really _bad_ idea when it comes to
> > bandwidth, AND security.  The whole point of having a switch is so that
> > traffic between hosts doesn't affect traffic between other servers and
> > hosts.  If you need to do failover, the 2 Linux servers should have an
> > active connection between them, which doesn't require that they monitor
> > traffic.
> >
> > Thank You,
> >         Ben Kochie (ben at nerp.net)
> >
> >  "Unix is user friendly, it's just picky about its friends."
> >
> > On Mon, 4 Jun 2001, Jason Jorgensen wrote:
> >
> > > We are trying to set up a couple of Linux boxes to act as a bridge so
> > > that we have some redundancy if one box fails. To do this the Linux
> > > boxes need to "see" each other and all traffic on the network. However,
> > > we are using switches for security and the switches only have
> > > capabilities for one monitoring port (a port that sees all traffic, just
> > > like a hub would do). We would need 2 monitoring ports on each of our 2
> > > switches to allow the bridges to work properly. So I would like some
> > > suggestions on switches that would have more than one monitoring port.
> > > Right now we are using HP ProCurve 2424s.
> > >
> > > _______________________________________________
> > > tclug-list mailing list
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: 2.6.3ia
> > Charset: noconv
> >
> > iQCVAwUBOxufuctpDhsSpvgtAQGRwAQAjsqvjJcMHoYsH4ElrXqPG5E9OCML8qsK
> > fonuM1taK5tQ7vzTbWyDE8FY1ePv3NmIWzUEn3TXlsjWNnhlbpEGa1/kqOKFLE0A
> > XPwZw17mgkLNN3xXauIvUzHriXyPO04okIfS9DlUZM2c39T+V8vOsNSdS8TQCfCW
> > Ia14Xe//qh4=
> > =a+7V
> > -----END PGP SIGNATURE-----
> >
>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOxvJ2ctpDhsSpvgtAQF1vgP7BCmDVITRWUQD2fy3J22SNJtXYQzgG1EF
PgQHkBM8EPhLacKhYYwKIjhi0iZ32Vx/kL3Ryc5bxmyixIRsYPEK//ikt/NuC0yg
JiMvk2BPfAQi6yNI7CJetpoCrsTOvnuzqm68fcDzhyyFtcIpzj2RIqR+Cgrp8dq9
qtQ1QGRZ7RE=
=7aEW
-----END PGP SIGNATURE-----
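The disagreement in the thread is about whether a standby transparent bridge needs to see live traffic before it takes over. The simulation below is an added illustration, not code from the tclug-list thread or from any of its participants. It models a learning bridge (learn source MAC per port, forward known unicast out one port, flood everything else) and runs the same constructed conversation through an active/standby pair twice: once where the standby sees nothing until failover, and once where a switch monitor port feeds it a copy of every frame so it can learn without forwarding. The MAC addresses, port names and traffic are all constructed for the example.

```python
"""Learning-bridge forwarding and failover, as a constructed simulation.

Added example; not code from the mailing-list thread. It shows why a
standby transparent bridge that has never seen the traffic must flood
after takeover until it relearns the MAC-to-port table.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed (hypothetical) hosts and bridge ports.
HOST_IN = "00:11:22:33:44:01"   # a host on the inside segment
HOST_OUT = "00:11:22:33:44:02"  # a host on the outside segment
PORTS = ["inside", "outside", "dmz"]


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ingress: str  # bridge port the frame arrived on


class LearningBridge:
    """Transparent 802.1D-style bridge with a forwarding database (FDB)."""

    def __init__(self, name: str, ports: List[str]) -> None:
        self.name = name
        self.ports = list(ports)
        self.fdb: Dict[str, str] = {}  # MAC -> port it was last seen on

    def learn(self, frame: Frame) -> None:
        # Only the source address is learned; this is what a mirrored
        # copy of traffic gives a bridge that is not forwarding it.
        self.fdb[frame.src] = frame.ingress

    def forward(self, frame: Frame) -> Tuple[str, List[str]]:
        """Return (decision, egress ports); decision is
        'unicast', 'flood' or 'filter'."""
        self.learn(frame)
        if frame.dst == BROADCAST or frame.dst not in self.fdb:
            # Unknown destination: flood out every port but the ingress.
            return "flood", [p for p in self.ports if p != frame.ingress]
        egress = self.fdb[frame.dst]
        if egress == frame.ingress:
            # Destination sits on the segment the frame came from.
            return "filter", []
        return "unicast", [egress]


def run_failover(mirror_to_standby: bool) -> Dict[str, List[str]]:
    """Run a constructed conversation through an active bridge, then
    fail over to the standby and record its forwarding decisions."""
    active = LearningBridge("fw1", PORTS)
    standby = LearningBridge("fw2", PORTS)

    conversation = [
        Frame(HOST_IN, HOST_OUT, "inside"),
        Frame(HOST_OUT, HOST_IN, "outside"),
        Frame(HOST_IN, HOST_OUT, "inside"),
    ]
    before: List[str] = []
    for f in conversation:
        decision, _ = active.forward(f)
        before.append(decision)
        if mirror_to_standby:
            # A switch monitor (SPAN) port hands the standby a copy of the
            # frame; it learns from it but does not forward it.
            standby.learn(f)

    # The active bridge dies; the next frames arrive at the standby.
    after: List[str] = []
    for f in (Frame(HOST_IN, HOST_OUT, "inside"),
              Frame(HOST_OUT, HOST_IN, "outside")):
        decision, _ = standby.forward(f)
        after.append(decision)
    return {"before_failover": before, "post_failover": after}


if __name__ == "__main__":
    for mirrored in (False, True):
        print("mirror to standby:", mirrored, run_failover(mirrored))
```

With no mirroring the standby floods the first frame it handles after takeover and only then settles into unicast forwarding; with the mirrored copy its FDB is already populated and it forwards unicast immediately. That is the whole benefit the monitor-port design buys, and it comes at the cost the thread already names: the standby box receives every frame on the segment. A heartbeat-driven active/standby pair that exchanges state over a dedicated link avoids that exposure, at the price of a short relearning period after failover.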