I have been reviewing a collection (more than fifty) firewalls throughout a network. All of these firewalls are in failover or HA mode and have an interface between them for failure detection, state and config replication. But it seems that the choices for the HA IP addressing vary tremendously.
When I configure a HA link I always use 1.1.1.0/30. The Primary is 1.1.1.1 and the Secondary is 1.1.1.2.
What I didn’t realise is that many other people do the same thing. About 50% of these firewalls uses 1.1.1.0/30, or maybe 1.0.0.0/24 or something similar. The remainder seem to use private addresses and some are using public address.
So here is the question ? What IP addressing do you use when configuring a HA link between firewall / load balancers / devices ?
Sound off in the comments and take the poll.
[polldaddy poll=1078479]
Update 2010-02-06
Since writing this post, the RIPE has allocated the 1.0.0.0/8 to the APNIC for allocation to public Internet hosts. This means that hosts on the public Internet in the range 1.1.1/24 will not be accessible and therefore you should not use this range any longer. You should use 192.0.2.0/24 in the current IP address plan.
Loading ...
About Greg Ferro
I’m a big fan of using /30′s out of the 169.254.0.0/16 link local allocation.
It’s the “zeroconf” range and should never be routed or permitted through firewalls, I normally route to null0 or have a generic denial/drop within input firewall rules. And it will never conflict with normal RFC1918 private addressing that might also be in use.
ie. on ASA/PIX with stateful failover,
failover interface ip failover 169.254.255.249 255.255.255.252 standby 172.31.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 172.31.255.254
And on occasion when I cut’n'paste from the template I already open I’m retarded and forget to change everything :-/
failover interface ip failover 169.254.255.249 255.255.255.252 standby 169.254.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 169.254.255.254
this is a great suggestion – the only downside might be that you could theoretically use this range on the inside interface – but then 1.1.1.1 might become legal one day as well. I like it.
reserved range 192.0.2.x/24
Thats a very good suggestion. Deserves another post I think.
I tried to AVOID the use of 1.1.1.0/30 as 1.1.1.1/32 is used on the WLC’s and it generally serves to confuse those who are not so clued up
I take it that WLC is a Wireless LAN Controller ? And they use 1.1.1.1 as some type of special address ?
Also, note that the firewall HA links are only locally significant. The actual IP address used is not relevant to your network.