How and when to use ARP-Loadsharing and Floating IP - Upstream/Uplinks


Hello Live community, how are you all doing?

In the use cases you can see the use of ARP Load-sharing or IP Floating. ARP is used thinking of the access to the gateway, whereas IP Floating is something more like fail-over, more like active/passive so to speak; ARP Load-sharing distributes, whereas IP Floating acts as fail-over.

 

- Why wouldn't you use ARP Load-sharing, or when would you use it, thinking purely of Upstream/Uplinks?

- I was thinking of cases where the external IP or Uplinks/Upstream interface of the HA firewall is a route on some router or superior device that points to the HA IP. Could it in this case point to an ARP Load-sharing IP as well, or not?

- Now thinking about a totally edge firewall, perimeter, where it has DNAT and so on, maybe there we have limitations of using ARP Load-sharing vs IP Floating.

 

If someone has already worked too much with HA Active/Active firewall or has mastered very well the theory and concepts regarding the use in Uplinks/Upstream, where to use ARP-Loadsharing / IP Floating. Or anyone who wants to add their comments.

 

Thank you very much for your time, your collaboration and your comments.

Best regards


Cyber Elite

- ARP load sharing is 'sticky' in the sense that it uses an algorithm to determine which 'source' is handled by each firewall. If you have an internal (NAT) router or proxy, for example, that could easily skew how the 'sharing' part actually works.

For load sharing I'd sooner rely on ECMP, if that's an option, instead of distributing among chassis.

- I guess that could also work.

- If your perimeter is L2 connected so both firewalls can use the same public IP, load sharing could work, but what do you see as the added value of doing this? Stretching the firewall's capacity (1+1=2) is dangerous in case of failure.

I usually resort to floating IP so I can easily predict which firewall is used for what, and only when there is a failover will the traffic shift.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
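
The two risks raised in the reply above (source-based selection skewed by an internal NAT device, and sizing for 1+1=2), as an added example that is not part of the original thread and not vendor code. The modulo selection rule is an assumed stand-in for the firewall's algorithm, and all addresses, rates and the capacity figure are constructed.

```python
import ipaddress
from collections import Counter

PEERS = 2             # active/active HA pair
CAPACITY_MBPS = 800   # constructed per-firewall capacity

def owner(src_ip, peers=PEERS):
    """Assumed rule: source address modulo number of peers picks the firewall."""
    return int(ipaddress.ip_address(src_ip)) % peers

def distribute(flows, peers=PEERS):
    """flows: iterable of (src_ip, mbps). Returns {peer: total Mbps}."""
    load = Counter({p: 0 for p in range(peers)})
    for src, mbps in flows:
        load[owner(src, peers)] += mbps
    return dict(load)

def survives_failover(load, capacity=CAPACITY_MBPS):
    """After one peer fails, the survivor must carry the combined load."""
    return sum(load.values()) <= capacity

# Constructed traffic: 100 clients at 10 Mbps each, seen with their real addresses.
DIRECT = [(f"10.0.0.{i}", 10) for i in range(1, 101)]
# Same clients behind an internal NAT router: the firewalls see one source address.
NATTED = [("10.0.1.1", mbps) for _, mbps in DIRECT]

if __name__ == "__main__":
    for name, flows in (("direct", DIRECT), ("behind NAT", NATTED)):
        load = distribute(flows)
        print(f"{name:11s} load per firewall: {load}  "
              f"fits on one box after failure: {survives_failover(load)}")
```

With real client addresses the pair splits evenly; behind the NAT router everything lands on one firewall, and in both cases the combined load exceeds what a single unit can carry after a failure.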