| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
I have 2 x IP350 and 2 x IP380 that I want to set up in one of the MANY different versions of clustering (VRRP/VRRPmc, IPSO Clustering, ClusterXL...). I believe VRRP is passe?, VRRPmc is reasonable but with IPSO 3.8 and CP FW NG (R55), the IPSO Clustering (via Voyager) is my best bet? Does anyone have a working 2 node IPSO cluster in Load Sharing (or even HA mode)? The added complication is we do Hide NAT as well.

tia, Scott.

ps. I have the Syngress CPNG...Advance Config and TS book and just bought Essential Check Point Firewall-1 NG (by Dameon W-A/Phoneboy) but I remain nervous about the deployment even after reading through both.
| |||
I think before you deploy anything, you should have a better understanding of what your options are, and what the pros/cons of each of them are. Since you have Nokia boxes, your options are only VRRP or IP Clustering. Nothing else.

VRRP is HA only. Don't worry about the VRRPv2, MC thing. Just click simplified mode VRRP. It's all monitored circuits now. Very simple, works very well. No special config required anywhere. Failover time is ~3s.

IP Clustering is load sharing only. This means you can (in theory) process more traffic than just one node. If you've got two nodes, you're looking at a 10% improvement in connection setup rate, and a 30% improvement in throughput. VPN throughput goes up by more. Clustering can be problematic though, particularly with multicast mode. Some devices (Cisco, I'm looking at you) don't like the multicast MAC address, and require manual configuration. You can use forwarding mode instead, but that's not so elegant. Remember also that your cluster has to be able to handle the traffic with a node down.

The main advantage you get with clustering, if you're not pushing large amounts of VPN traffic, or in a 3/4 node cluster, is that you get 0.5s failover. So is that worth it to you? Are you at the limits of what the 350/380 can do? Do you even know what those limits are? Or are you just looking to deploy clustering because it's "cool", and VRRP is "passe"?

Ask yourself what you are trying to achieve. Do you need load sharing, or HA? Do you need fast failover? What is it worth to you?

Hide NAT will work fine with both. You should probably have a read of the IPSO Clustering Config guide, from Nokia.