State Sync does not supports VLAN ?

[pop_alex]

Hi there,

I read about State Synchronization in ClusterXL document saying that

"There are two restrictions to the synchronization network:
First, VLANs cannot be used in the synchronization network in any version. Second, in older versions, the interface used for the synchronization network must be a real interface with a real IP address (as opposed to a cluster IP or a virtual IP)." page 15.

I have two Cisco Catalyst 6500 series which is connected each other fibre (trunk together) and our firewall are connected to it on both side through dedicated VLAN two on location A and one in location B).

My question is does it really works? Anybody had done a state sync across two routing switches before? If yes, can someone kindly give me a guide about this?

Thanks very much.

Regards,

Al.

[Izzio]

I know that the sync nic cannot be "tagged" with more VLANs, else state table sync will not work.

But it should be not a problem to connect over "untagged" switch ports belonging to a particular VLAN the sync nics.
Usually I use a crosscable.

Ciao
Maurizio

[pop_alex]

Hi,

Previously I used cross-cable between two firewall for state sync, but now I have three firewall which is two at (let say location A) and one at location B. Firewalls at location A and B are connected to both Cisco Cat6500 series routing switch on each side. These firewalls are connected to dedicated (same) VLAN assigned. So, what should I do to make sure the state sync works across the network ?

Thanks very much.

Regards,

Al

[Izzio]

Hi Al,

I think that you can connect your 3 nodes over a dedicated VLAN, you have to take care that the switch ports must be "untagged" (no trunk) and by the FWs on the sync nic no VLAN is set.

The FW will just see a switch port and not the L2 VLAN information.

Ciao
Maurizio

[FERappel]

sk25977: "A separate VLAN, and/or switch is recommended for each cluster."

ClusterXL.pdf: "(and that are within a VLAN, if it is a VLAN switch)".

So, the answer is yes.

As stated into another thread, yes, we have done w/ 2 pairs of 6500, 1 pair w/ (CAT OS + IOS + 2 SUP1A + 2 MFC2) and another w/ (native IOS + SUP1A + SUP2 + 2 MFC2), both w/ 2 pairs of trunk, w/ different priorities, each using the 2 gigaethernet interfaces of each SUP. W/ native IOS, you should follow the "Example Configuration of Cisco Catalyst 6xxx" (idem & idem).

"I have two Cisco Catalyst 6500...": "trunk together" or "routing"?

It must be "trunk together", i. e., L 2 - layer 2, not "routing", "since" "The Cluster Control Protocol (CCP) makes use of Layer 2 multicast," (ibidem), though "CCP runs on UDP port 8116," (ibidem).

[chillyjim]

This has been said but not clearly in my book.

Short answer the firewall interfaces need to be real/not-vlan interfaces. The switch side of the connection can cross switches via a trunk port.

Longer answer -- Make sure the trunk has enough bandwidth to handle the sync traffic (I've seen over 800 Mbps on a sync connection). You also have to worry about latency. If it's all "local" fiber you should be OK, but leased fiber from a carrier is as likely as not, not to work.

[pop_alex]

Quote:

Originally Posted by FERappel

W/ native IOS, you should follow the "Example Configuration of Cisco Catalyst 6xxx" (idem & idem).

Both 6500 series routing switches are using CatOS instead of native IOS.

Quote:

Originally Posted by Chillyjim

Short answer the firewall interfaces need to be real/not-vlan interfaces. The switch side of the connection can cross switches via a trunk port.

Our SUN 1GB Quadcard does not have any VLANs configured.

Quote:

Originally Posted by Chillyjim

Longer answer -- Make sure the trunk has enough bandwidth to handle the sync traffic (I've seen over 800 Mbps on a sync connection). You also have to worry about latency. If it's all "local" fiber you should be OK, but leased fiber from a carrier is as likely as not, not to work.

Yeap.. we using "local" fiber which connects both 6500 series at different locations.

By the way, I had performed sync between these enforcement by rebooting all of it in one go. I noticed during bootup, it able to sync with other enforcements but when I checked with cphoprob state command. Every enforcements seeing each other as down state. I have no idea about this already. I'm almost managed to get these works. Kindly advice.

Thanks.

Al

[chillyjim]

Quote:

Originally Posted by pop_alex

...
By the way, I had performed sync between these enforcement by rebooting all of it in one go. I noticed during bootup, it able to sync with other enforcements but when I checked with cphoprob state command. Every enforcements seeing each other as down state. I have no idea about this already. I'm almost managed to get these works. Kindly advice.

Thanks.

Al

Lets start with what version of Check Point are you running?
What HFA if any are installed?
What version of Solaris?

[pop_alex]

Quote:

Originally Posted by chillyjim

Lets start with what version of Check Point are you running?
What HFA if any are installed?
What version of Solaris?

I'm using Check Point NG AI (R55) HFA 17, Hotfix 670 - build 004 and for SmartCenter server is running on Windows XP, Version 5.1, OS Build 2600.

Meanwhile, my three enforcement servers are running on NG AI (R55) HFA 17, Hotfix 670 - Build 004 (Build 541670004) with Solaris 5.9 (Solaris 9) with latest patches. All of it using SUN 1GB Quadcard.

I'm using 3rd party load-balance/High Availability - RainFinity RainWall 3.1 SP5 R1.

Attached is the diagram of my firewall set up. Noted that the diagram showed only the 'heartbeat' part of firewall clusters. The rest of the interface of 1GB quadcard of each enforcement servers are connected to a different (separate) VLANs but going through the same Cisco 6509 switches. These switches are using CatOS software. I noticed that this particular command " set cam static [multicast mac address] module/port" is not available in our switch. What I did is to set the VLANs with no configuration set on it except the no igmp snooping command.

Please advice. Thanks very very much.

Regards,

Al