Designs

The following designs are currently available on this site:

Nokia Hardware and VRRP

• Analysis of VRRPv2 - Issues and Solutions - Larry Pingree presents an analysis and tutorial of VRRPv2 and several configuration scenarios. He also describes the downfalls of VRRPv2 as defined on the Nokia platform, and how VRRP Monitored Circuit fixes these issues. 
• Two Nokia VRRP Configurations for Firewall Failover and HA Jason Mogavero presents two HA designs.  The first allows for simple firewall redundancy using VRRP, while the second provides full HA using dual Internet connections, dual border routers, and multiple VRRP monitored circuits.
• VRRP Worksheet - David Westwood presents a thorough checklist for implementing VRRP enabled firewalls.  Using the spreadsheet included, even an inexperienced firewall administrator should be able to easily setup resiliant firewalls.
  

Sun Hardware and No HA Software (Dynamically Routed HA)

• Internet/Extranet Design Using Check Point (Sun) Firewalls and OSPF failover This simple design provides cost effective HA, by using OSPF to handle failover.  To prevent asyncronous routing conditions, OSPF costs had to be fixed, which means the design does not perform network load balancing.   However, stateful failover can be accomplished, as can load sharing.

Rainfinity Internet and Firewall Load Balancing

• Firewall Failover, Load Balancing, and Scalability with RainWall
• Internet Connection Redundancy with RainConnect RainConnect is a software traffic management solution for multi-homed networks.  RainConnect automatically detects Internet outages, including access router failures and re-routes WAN traffic to an alternate path so that business can continue to operate.  RainConnect also increases download speed by load balancing network connections across multiple ISP links.  RainConnect can be installed in front of any firewall or directly on Check Point NG or Microsoft ISA Server.
  
• Firewall and Internet Connection High Availability and Load Balancing for Check Point NG To achieve maximum reliability and scalability, and to get the most of your Check Point NG Firewalls and ISP connections, you can deploy RainWall and RainConnect in an integrated mode, which allows you to cluster multiple Check Point nodes and connect to multiple ISP links at the same time. This design will achieve High Availability and Load Balancing of ISP links and Firewalls.
  

The following designs are currently available on external sites:

• Configuration for Transparently Redundant Firewalls Vincent C. Jones presents a very detailed design using generic firewalls and Cisco routers doing HSRP.
• Configuring ServerIron Firewall Load Balancing Foundry Networks provides a total high availability and load balancing solution for many cendor's firewalls.  The design does intelligent, stateful, failover and provides network load balancing as well.  An added benefit of this solution is that the same ServerIron switches can be used for server load balancing, geographic server load balancing, and transparent cache switching (depending on setup.)
• The New Firewall Design Question - Jamie R. Bjerke, on behalf of SANS, provides an excellent primer on high availability design considerations.  He outlines differences between Hot-Standby, Load Sharing, and Hardware-Based Load Balancing.  Excellent.

HA White Papers

• Achieving High Availability Strategies for Ensuring Continuous Availability of Internet and Intranet Services - From Rainfinity, but mostly generic.  An excellent paper for anyone thinking of building highly available networks

• Network-Level Redundancy/Resilience for High-Availability Campus LANs A ZDTag Whitepaper that discusses general high availability concepts, including the need for fault tolerance, and proposes Cisco hardware based solutions.  From Cisco Systems.

• Using BGP to Trigger Multiple Levels of Dial Backup on Cisco Routers -
  From Networking Unlimited