I have been reviewing a collection of firewalls (more than fifty) throughout a network. All of these firewalls are in failover or HA mode and have an interface between them for failure detection, state and config replication. But it seems that the choices for the HA IP addressing vary tremendously.
When I configure an HA link I always use 220.127.116.11/30. The Primary is 18.104.22.168 and the Secondary is 22.214.171.124.
What I didn’t realise is that many other people do the same thing. About 50% of these firewalls use 126.96.36.199/30, or maybe 188.8.131.52/24 or something similar. The remainder seem to use private addresses and some are using public addresses.
So here is the question: what IP addressing do you use when configuring an HA link between firewalls / load balancers / devices?
Sound off in the comments and take the poll.
Since writing this post, the RIPE has allocated the 184.108.40.206/8 to the APNIC for allocation to public Internet hosts. This means that hosts on the public Internet in the range 1.1.1/24 will not be accessible and therefore you should not use this range any longer. You should use 192.0.2.0/24 in the current IP address plan.
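A review like the one described above can be scripted. The following is an added example, not code from the original post: it classifies each HA link subnet (192.0.2.0/24, RFC 1918 private, or publicly allocated) and checks that both peers sit in the same subnet on usable host addresses. The device names and inventory rows are constructed, and IPv4 is assumed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEST_NET_1 = ipaddress.ip_network("192.0.2.0/24")  # range the post recommends


def classify(net):
    """Place an IPv4 HA subnet in one of the groups the review found."""
    if net.subnet_of(TEST_NET_1):
        return "test-net-1"
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if net.network_address.is_global:
        return "public"
    return "other-reserved"


def audit_ha_link(device, primary, secondary):
    """primary/secondary are 'address/prefix' strings from the HA interface."""
    p, s = ipaddress.ip_interface(primary), ipaddress.ip_interface(secondary)
    findings = []
    if p.network != s.network:
        findings.append("peers are in different subnets")
    elif p.ip == s.ip:
        findings.append("peers share one address")
    for i in (p, s):
        n = i.network
        if n.prefixlen < 31 and i.ip in (n.network_address, n.broadcast_address):
            findings.append(f"{i.ip} is a network or broadcast address")
    kind = classify(p.network)
    if kind == "public":
        findings.append("publicly allocated space on HA link, renumber")
    return {"device": device, "class": kind, "findings": findings}


# Constructed inventory (hypothetical device names, sample addresses).
INVENTORY = [
    ("fw-a", "1.1.1.1/30", "1.1.1.2/30"),
    ("fw-b", "192.0.2.1/30", "192.0.2.2/30"),
    ("fw-c", "10.255.255.1/30", "10.255.255.5/30"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(audit_ha_link(*row))
```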
I attempted to copy some text from the CPQRG today only to find it is copy protected. Why? Is it a secret? Don’t we want to sell things anymore?
Ubersource points out that the D-Link router/modem firmware forces you to go to their website and receive spamvertising about security software. You have to log in to the router, go to Advanced and OPT OUT to stop this.
This is very poor practice. Opt-out is NEVER ACCEPTABLE, and using a piece of hardware that is fully paid for to perform the spam attack is disgusting.
No more D-Link for me. I trust Cisco has no plans for Linksys to do the same – this is a revolting form of upselling.