CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello, I have some questions to ask about clustering across 2 sites. Can/should I put the first firewall component at the first site and put the second firewall at the second site? That means the HA connection will be remote, across 2 sites. Thanks for all suggestions.
Although this is possible, in the real world it tends not to work because of latency on the sync network. For DR you really want to work with your ISP/network vendor on a BGP solution.
It is possible if your sites are not too far apart (around 30km or so max, IIRC) and you can run fiber between the sites to bridge the sync connection. I've seen this working pretty well. But otherwise, Jim's right, sync is your problem. If you can't get a low-latency connection for the sync link, you need to look into dynamic routing-type scenarios. Of course, this works for failover, but can be a hassle if there are any long-running connections - they will be out of state, and dropped by the backup firewall. Your options depend a bit on what sort of applications you're trying to split across sites, and your architecture.
I agree with the previous posts. I have a customer who is running a 4-node cluster spread across two sites, about 3 kilometres apart. The inter-site link is a dark fibre (i.e. they own the entire line) connected between two Cisco Catalyst 6000 series switches. The link carries a large number of VLANs aside from just the sync network. This customer is also operating in multicast load sharing mode, so the potential bandwidth usage there might seem scary. The cross-site link is 1Gb/s Ethernet handling all those VLANs, but the firewall and its sync networks are all 100Mb/s, which explains why it is working.

We have recently discussed with the customer the long term goal of migrating to a Layer-3 redundancy design (i.e. Layer 4-7 load balancing to distribute user connections to the two different sites) and setting up separate clusters at each site, due in part to the fact that we know their network usage will grow and eventually saturate the cross-site link due to the severe number of multicast packets. Having two separate clusters also increases your redundancy, because a software fault on one cluster won't affect the other one. As it is right now, if the customer stuffed up their static MAC address tables in their switches, or broke the static ARP entries in their routers, the entire cluster would malfunction.

Given all that, this customer is one of the largest organisations in the country, and I have not heard a peep out of them regarding firewall problems since we installed the solution. Their website performance is also exemplary, so sometimes things that seem precarious can end up being quite solid.

P.S. In case you're wondering why we even built a cross-site cluster in the first place, you must understand the customer's history. Their existing cluster was cross-site, based on Checkpoint Firewall-1 4.0 on Solaris with StoneBeat providing the HA functionality. Behind these firewalls, the entirety of their server infrastructure is shared Layer 2 cross-site VLANs. Changing that entire design to a routed environment between the sites was just not economically feasible in the short term.

Last edited by kaldek; 2006-08-06 at 16:25.
I was just going through this post to get clarity on my doubt. But first of all, I appreciate all of your great answers to the original question. Would you all please clarify this question for me?

1. Two sites with two different public IP ranges running BGP with their respective ISPs: 192.152.123.X and 198.153.221.X
2. Wish to set up ClusterXL with 100Mbps WAN synchronization.
3. SmartCenter server in the 192.152.123.X network.
4. The 198.153.221.X network has two FW-1 cluster members and 192.152.123.X has only one cluster member.
5. Both sites have their own internet connections; but behind the firewall we have a dedicated 100Mbps inter-office link for LAN-to-LAN.

My question is how the Virtual IP address for this cluster should be set up, and how should I assign external interface IPs to each member? In this case, should it have a common public IP which is routed using BGP at both sites?? Assuming the 100Mbps link is used for WAN synchronization. Please help.

Praveen

Here attaching the network diagram to make it clear:

Last edited by ppnair@gmail.com; 2007-02-22 at 08:42. Reason: Adding more info