I'm looking for a firewall appliance that supports high availability and spanning tree.
I have two HA-cluster nodes and I'd like to protect them with a firewall. To avoid a single point of failure, I'd like to have two HA-capable firewalls. And since I need redundant switches too, the firewall must support the spanning tree protocol.
My preferred setup:
```
         +------------+   +----------+   +--------------+
lan 1 ---| firewall 1 |---| switch 1 |---| ha cluster 1 |
         +------------+   +----------+   +--------------+
                        \/      |
                        /\      |
         +------------+   +----------+   +--------------+
lan 2 ---| firewall 2 |---| switch 2 |---| ha cluster 2 |
         +------------+   +----------+   +--------------+
```
Cisco ASAs and 65xx-series FWSMs can do this.
Your firewall is working at Layer 3/4 and thus should not be spanning-tree aware.
If your main node in your HA cluster fails, the other will take over and the switch will do the switching to the node.
If your switch fails, then with link aggregation (failover, not LACP), the traffic will be sent to the second switch.
If your firewall fails, the other will take over and send traffic to the right switch.
OpenBSD and FreeBSD will handle that without problem. They share the same IP on each LAN segment; the failover is done with TCP/UDP sessions/statefulness. This is transparent to the switch.
pfSense (based on FreeBSD and pf, totally free) and Vyatta (based on Linux, open core :/ ) can do this on standard hardware and even in virtual machines.
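As an added illustration of the two points made in that answer (link-level failover to the second switch, and a shared IP per segment with synchronised state), here is a generator for the OpenBSD configuration such a firewall pair would use: trunk(4) in failover mode over one port to each switch, carp(4) for the shared address on each segment, and pfsync(4) for state synchronisation. This is not code from the thread or from any of the projects named; the interface names (em0-em4), the addresses, the vhids, the dedicated crossover link for pfsync and the placeholder CARP password are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate the per-node OpenBSD files for
# an active/backup firewall pair.  Assumed cabling on each firewall node:
#   em0, em1 -> outside segment ("lan" side), one cable to each switch
#   em2, em3 -> inside segment (the HA cluster), one cable to each switch
#   em4      -> direct crossover cable to the other firewall, for pfsync
# Usage: sh fw-ha.sh master   or   sh fw-ha.sh backup   (prints the files)
set -eu

: "${CARP_PASS:=CHANGE-ME-carp-password}"   # shared secret, placeholder value

# advskew decides which node normally holds the CARP address: the lower
# value wins the election, so the backup node gets a higher skew.
carp_advskew() {
    case "$1" in
        master) echo 0 ;;
        backup) echo 100 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# One failover trunk per segment, with one port cabled to each switch.  Only
# the first port carries traffic until it loses link; no LACP and no spanning
# tree involvement on the firewall side.  The node's own (non-shared) address
# lives on the trunk.          $1=port a  $2=port b  $3=node address  $4=mask
trunk_config() {
    echo "trunkproto failover trunkport $1 trunkport $2"
    echo "inet $3 $4"
}

# The address the cluster and the LAN actually talk to rides on carp over the
# trunk.  The vhid must be unique per segment and identical on both nodes.
#   $1=role $2=carpdev $3=vhid $4=shared address $5=mask $6=broadcast
carp_config() {
    echo "inet $4 $5 $6 vhid $3 carpdev $2 pass $CARP_PASS advskew $(carp_advskew "$1")"
}

# pfsync pushes state-table changes to the peer over the dedicated link so an
# established TCP/UDP session survives a firewall failover.   $1=syncdev
pfsync_config() {
    echo "up syncdev $1"
}

# pf rules the pair itself needs: let pfsync and carp through, and do not
# bother synchronising the state entries for those flows.
pf_ha_rules() {
    echo "pass quick on em4 proto pfsync keep state (no-sync)"
    echo "pass on { trunk0 trunk1 } proto carp keep state (no-sync)"
}

# With preempt enabled, losing any carp interface demotes the whole node, so
# both segments fail over together and traffic never splits across the pair.
sysctl_ha() {
    echo "net.inet.carp.preempt=1"
}

# Print every file for the requested role.   $1=master|backup
emit_all() {
    case "$1" in
        master) out_addr=192.0.2.2;   in_addr=198.51.100.2 ;;
        backup) out_addr=192.0.2.3;   in_addr=198.51.100.3 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    echo "# /etc/hostname.trunk0 (outside segment)"
    trunk_config em0 em1 "$out_addr" 255.255.255.0
    echo "# /etc/hostname.trunk1 (inside segment)"
    trunk_config em2 em3 "$in_addr" 255.255.255.0
    echo "# /etc/hostname.carp0 (shared outside address)"
    carp_config "$1" trunk0 1 192.0.2.1 255.255.255.0 192.0.2.255
    echo "# /etc/hostname.carp1 (shared inside address)"
    carp_config "$1" trunk1 2 198.51.100.1 255.255.255.0 198.51.100.255
    echo "# /etc/hostname.pfsync0"
    pfsync_config em4
    echo "# /etc/pf.conf (add to the existing ruleset)"
    pf_ha_rules
    echo "# /etc/sysctl.conf"
    sysctl_ha
}

# When run directly with a role argument, print the full set of files.
if [ -n "${1:-}" ]; then
    emit_all "$1"
fi
```

The same files are written on both nodes; the only differences are the node's own trunk addresses and the advskew on each carp interface. Because the shared addresses move with CARP and the switches only ever see ordinary unicast traffic from the current master, the switches' spanning tree configuration is independent of the firewall pair, which is the point the answer makes.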