Checkpoint CLusterXL or Nokia VRRP ?

[pat13b]

Is there a single document that covers the pros and cons of the different methods of failover.

All the reading I have been doing is getting confusing.

If I have a pair of Nokias and Check Point NGX, which failover is better?

Seems like the clusterXL is the better approach ?? or easier approach.

or do I still need to do VRRP on the Nokias as well ??

Any advice would be greatly appreciated.

thanks
-pat13b

[gavvys]

Hi
Well you have a good combination of Nokia and Checkpoint.Now it depends on the requirement you can use Nokia VRRP or Nokia Clustering or Checkpoint ClusterXL.
The difference is that if you use ClusterXL you need to have the licence.
If you use Nokia VRRP you can have HA but the other box will act as HOT STANDBY ie active-passive.
If you use Nokia cluster then you can configure the boxes in Active-Active or Active-Passive mode.

I hope this will make you clear your doubts.
If you need any help please let me know.

Regards
Ranjit

[pat13b]

Thanks for the reply. This helps clear things up a bit.

-pat13b

[mcnallym]

With Nokia's then you should not tick ClusterXL. You should configure under 3rd Party and select Nokia VRRP is want an active-passive pairing or IPSO Clustering if running IPSO Cluster and an active-active environment.

ClusterXL is for SPLAT/Linux/UNIX only. Oh and Windows if you really, really have too.

As such it is really a case of which environment you have, as to which you select.

On the Nokia's you are only using ClusterXL for the Check Point synchronization not the actual failover information.

[pat13b]

Hello,

And thanks for the great replies. I'm still a little confused...

So if I have a Windows box trying to do ClusterXL to a pair of Nokia's, will this work ??

Do I have to do VRRP or IP Clustering on the Nokia's in addtion to ClusterXL ?

thanks
-pat13b

[manrag]

With the Nokias you dont have to use ClusterXL just VRRP or IpClustering.

[willr]

Also, keep in mind that with Nokia Active/active clustering, you will need two state networks. One for Checkpoint state and one for Nokia state. They do not recommend using the same network for both.
Do not use a crossover cable between the two firewall for state networks. If one firewall goes down the other will see that interface go down and they both try to leave the cluster.

If you have a Cisco switch between the firewalls using Vlans, make sure multicast is turned on (been there, done that). You can switch the Checkpoint state network to broadcast but not the Nokia state network (I think I just read that 4.? allows you to switch to broadcast on the Nokia state network.

While on the Cisco subject, we discovered that some Cisco switches would not listen to a gratuitous ARP from a VIP address. After 4 hours, our network kept going down. A simple static ARP entry in the switch fixed the problem, but it took many 4-hour periods to figure it out.

EDIT: To make this clearer, we added the MAC address for the firewall VIP into the static ARP table of the switch.

You setup the Nokia state network in Cluster voyager. You setup the checkpoint state network in smart dashboard.

[pat13b]

Thanks very much. I'm going to try this out in the lab tomorrrow.

-pat13b

[Sidney]

Quote:

Originally Posted by willr

Also, keep in mind that with Nokia Active/active clustering, you will need two state networks. One for Checkpoint state and one for Nokia state. They do not recommend using the same network for both.
Do not use a crossover cable between the two firewall for state networks. If one firewall goes down the other will see that interface go down and they both try to leave the cluster.

If you have a Cisco switch between the firewalls using Vlans, make sure multicast is turned on (been there, done that). You can switch the Checkpoint state network to broadcast but not the Nokia state network (I think I just read that 4.? allows you to switch to broadcast on the Nokia state network.

While on the Cisco subject, we discovered that some Cisco switches would not listen to a gratuitous ARP from a VIP address. After 4 hours, our network kept going down. A simple static ARP entry in the switch fixed the problem, but it took many 4-hour periods to figure it out.

EDIT: To make this clearer, we added the MAC address for the firewall VIP into the static ARP table of the switch.

You setup the Nokia state network in Cluster voyager. You setup the checkpoint state network in smart dashboard.

Here is the explanation of this problem with multiple solution:

http://www.cisco.com/en/US/partner/p...8059a9df.shtml

[pat13b]

Sidney

Any chance you can post this document. I can't get to it with my CCO credentials.

thanks

-pat13b

[willr]

Quote:

Originally Posted by Sidney

Here is the explanation of this problem with multiple solution:

http://www.cisco.com/en/US/partner/p...8059a9df.shtml

I had the cisco team pull down this doc for me since I don't have a cisco account. This was about the multicast over Vlans. I was really hoping it was about the failure to listen to ARP from a VIP.

Thanks for the link

[pat13b]

Hello,

I did these suggestions (thanks for all your advice) and I had some great success with the VRRP.

Now, I have another question. Nokia VRRP or Nokia Clustering ??
I played with that today and could not get Nokia Clustering to work with any of the multicast settings but it did work with setting it to "forwarding mode"

(As a side note the VRRP worked fine with my multicast settings.)

Seems to me the simplest method is Nokia Clustering in Forwarding mode.

any thoughts or advice on the better one ?

-pat13b