CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 - 2008-10-20 - jim_8912 (Junior Member)
DMZ Design

I have recently inherited a DMZ which needs some redundancy. I am new to Check Point and would like some input if you are willing.
From the image attached I would like to stack 3750s and split all connections over the stack for dual connectivity, e.g. web servers, FTP etc.
(If you have any design improvements please advise) pending cost and time.

- One question I have is how would the Crossbeams handle having two active NICs?
- How would the ARP tables go for forwarding traffic in the event of a failover? I am hoping to change the ARP timeout?
- While typing this I thought: what if the 3750s were stacked and standalone instead?
That is all I have for now, but I hope the thread will be alive for some time.

jim_8912

Last edited by jim_8912; 2008-10-23 at 22:44.
#2 - 2008-10-22 - melipla (Senior Member)
Re: DMZ Design

Stack the 3750s. Then get NICs that support bonding; that way you can have a single IP represented on two NICs, plus additional bandwidth for the host.

HTH
__________________
It's all in the documentation.
#3 - 2008-10-22 - jim_8912 (Junior Member)
Re: DMZ Design

Thanks for the post.

How will the Crossbeam cluster (active/passive) cope with the new MAC address on the second switch of the stack? My attempt to make the failover seamless is one of my biggest concerns.

I can play with ARP timeouts?
#4 - 2008-10-23 - Dominik Zanolari (Member, Switzerland)
Re: DMZ Design

Hi Jim

Running VRRP should take care of your concern: use a virtual IP address as gateway (which has its own virtual MAC address, which is active on both firewalls). So when one gateway fails, the second one just takes over. As for ARP: the virtual IP will be associated with a virtual MAC address, but when sending traffic, the firewalls will use their burned-in MAC address, thus the virtual MAC will never appear in the switch's MAC address table and traffic is flooded on all ports in the corresponding VLAN. If your VLAN is rather big, and you are concerned about the large amount of so-called unicast flooding, you might want to limit this to the ports connecting to the firewalls: add "switchport block unicast" on ports _not_ connecting to the firewalls and other clustered devices.

If you use state sync on the Check Point side, traffic flows are usually not affected by a failover; the short interruption (around 1 sec) will be handled by the protocol. It is best (as always) to test this in a maintenance window... alter the VRRP priority of one box and see if connectivity still works. I would recommend testing failover with all the redundant components in your DMZ, just in case ;)

Last edited by Dominik Zanolari; 2008-10-23 at 02:34.
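As an added illustration (not part of the thread), a small Python model of the switch behaviour Dominik describes: the firewalls source frames from their burned-in MACs, so the VRRP virtual MAC is never learned, every frame the server sends to the gateway is flooded as unknown unicast, and after a failover the new master still receives it without any ARP or MAC-table ageing. Port names and the burned-in/server MACs are constructed; the virtual MAC follows the standard VRRP format 00:00:5e:00:01:VRID with an assumed VRID of 10, and `block_unicast` models "switchport block unicast" on the listed ports.

```python
# Constructed addresses and port names for the simulation (not from the thread).
VRRP_VMAC = "00:00:5e:00:01:0a"  # virtual MAC the VIP resolves to (VRID 10 assumed)
FW1_MAC, FW2_MAC = "00:aa:00:00:00:01", "00:aa:00:00:00:02"  # burned-in MACs
SRV_MAC = "00:bb:00:00:00:10"
FW1_PORT, FW2_PORT, SRV_PORT, OTHER_PORT = "Gi1/0/1", "Gi2/0/1", "Gi1/0/10", "Gi2/0/10"
ALL_PORTS = [FW1_PORT, FW2_PORT, SRV_PORT, OTHER_PORT]


class LearningSwitch:
    """One VLAN of a stacked switch: learns source MACs, floods unknown unicast."""

    def __init__(self, ports, block_unicast=()):
        self.ports = list(ports)
        self.block_unicast = set(block_unicast)  # ports with 'switchport block unicast'
        self.cam = {}  # MAC address table: mac -> port

    def forward(self, in_port, src, dst):
        """Learn src on in_port and return the set of egress ports for dst."""
        self.cam[src] = in_port
        if dst in self.cam:
            return {self.cam[dst]} - {in_port}
        # Unknown unicast: flood to every other port in the VLAN, except ports
        # configured to block unicast flooding.
        return {p for p in self.ports if p != in_port and p not in self.block_unicast}


def simulate(block_unicast=()):
    """Return (cam, egress before failover, egress after failover) for server->VIP frames."""
    sw = LearningSwitch(ALL_PORTS, block_unicast)
    # fw1 is VRRP master: it talks to the server, but sources frames from its own MAC.
    sw.forward(FW1_PORT, FW1_MAC, SRV_MAC)
    before = sw.forward(SRV_PORT, SRV_MAC, VRRP_VMAC)  # VMAC never learned -> flooded
    # Failover: fw2 becomes master and starts sending with its own burned-in MAC.
    sw.forward(FW2_PORT, FW2_MAC, SRV_MAC)
    after = sw.forward(SRV_PORT, SRV_MAC, VRRP_VMAC)  # still flooded, so fw2 receives it
    return sw.cam, before, after


if __name__ == "__main__":
    cam, before, after = simulate(block_unicast=[SRV_PORT, OTHER_PORT])
    print("VMAC learned:", VRRP_VMAC in cam)  # False
    print("egress before/after failover:", before, after)
```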
#5 - 2008-11-04 - jim_8912 (Junior Member)
Re: DMZ Design

Thanks for the ideas.

Appreciated.

JIM