PDA

View Full Version : Checkpoint 61000 HA



Spawn
2014-07-29, 06:33
Hi guys,

Is there any other good resource for 61K HA deployments with multiple SSM's and SGM's?
Basically looking out for 61K architecture and actual working scenarios on how these can be best used in enterprise data centers.
even on the partner portal its mostly sales related stuff and with support site information is so very scattered.
Been collecting myself some of the best practices referring admin guides and getting started guides.

Thanks in advance
Regards,
Spawn!!!

abusharif
2014-07-29, 07:45
Don't think so to be honest. Your best bet for some "yummie" stuff is if you can get your hands on 61k training material via your Check Point contact or actually attend the 61k training in Tel Aviv (yeah I know, not the best time, but afaik its the only place that does this training unless something changed in last few months).
Anything specific you want to know? I can try to answer at least..

Spawn
2014-07-29, 10:43
yes man thanks, i thought so too but bosses put up the same lame excuse " man u have so many checkpoint deployment experiences behind you - you can do it we believe in you" and then they made me the program lead.

Well, working through the admin guide, got some 61K concept related material, getting to know SMO is the tech behind managing this beast.
SMO master updates to all SGMS.
SSM does all the loadbalancing of traffic amongst SGM.
SGM actually works on the network traffic.
CMM monitors the status of hardware.

just not able to find info on :

1. what the LAN 1 and LAN2 ports is used for in SGMs?
2. Fabric switch(includes data ports) and Base Switch (they say it includes management ports) on SSM, what do they mean by include and why do they call it a switch instead of a port, is there an internal switch and the cable connected to this port will be an uplink.

can we change the default ip schema 198.51.100.X since they may be used in some network setup?

i understand load-balancing commands are run on the fabric switch only - again a copy paste from admin but no detailed info there.
Am assuming all these interfaces go to a switch and talk to each other for basically connecting to SSM, as much mostly all control decisions are over network instead of a a back-plane connected kind of architecture.

basically stuck with some bits and pieces of info and working towards getting some idea on it before deploying these in HA(A/P).

Spawn
2014-07-29, 10:49
oh also is R77.20 available for 61K...not sure about it, i ain't seeing an image in support search.

abusharif
2014-07-29, 11:28
Latest version for 61k is R76SP. There are several version of this one (different takes). Latest I got few months ago is Take 139, but IIRC newer GA1 or GA2 will be out soon. Possibly already out internally.

Front network ports on SGM are not used. Only ports used are the 2x10GB and 2x1GB (not sure about the latest SGM's, could be even faster on those) internally to the back plane.
It is possible to change CIN (chassis internal network). Also the SYNC network (/24) can be changed if needed.

Not sure about Management/Data plane if its separated or not. Can't remember tbh. Basically you can see a SSM as a switch.

Not sure if this helped or not :p

Are you going for VSX or gateway mode?

Spawn
2014-07-29, 12:02
yes at the moment that and anything more will help:)

mostly will be looking at gateway mode, i don't know if there is a case available with us to go wid VSX.

the 61K(IPS/FW) HA will talk to a DMZ 7018 Nexus HA over VPC, looking at 2x10 (20G) Gig VPC towards both core switches and then we have ASA top model in intranet again talking to 2 additional intranet nexus 7018 over VPC - between nexus a gigantic 100G uplinks, internet 20G and intranet wan 10gig, same in DR.

SSMS are 160 - 2 SSM per chassis
SGMS are 220/T the ones that only work with 61K - 4 per chassis

abusharif
2014-07-29, 14:13
Yeah that should work fine with Nexus 7k (was involved in project with those components/setup).
One thing that comes to mind is to raise a *flag* regarding Sync interfaces on 61K. Connect the sync interfaces between chassis directly without going through the switch. Sync interfaces in 61K are highly important and you don't want/need an extra "hop" that could cause the issues with it. There was a bug (although related to VS) where sync traffic over switch where HSRP traffic is seen would cause it to crash.

Another one worth exploring and thinking about before going in production is distribution mode you will be using depending on your traffic patterns. General will work in most cases, but depending on how your traffic looks it might need some "massaging". You will however notice such issues by uneven load between the SGM's.

Also only use CP provided SFP's in 61K. Others types are ofc not supported, but besides that some of them will work, but you will have loads of issues of intermittent link losses and other weirdness.

I am not sure if this is by default but, where I've been involved there was certain amount of Professional Services days included when you buy 61K, so they can help with design questions, recommendations and on/off-site assistance when deploying. But as I said, I am not sure if this is something included in all 61k purchases.

Anyway, good luck and shoot questions if needed.