CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: VSX Clustering question

  1. #1
    Join Date
    2010-06-17
    Posts
    4
    Rep Power
    0

    Default VSX Clustering question

    Hi all,

    VSX has the ability to Cluster at the Container level or the VM (firewall instance) level.

    VSX Gateway High Availability - if any VM, Virtual Switch, etc. goes down, the entire member fails over to the second VSX.

    Or VM High Availability - whereby only that VM is flipped over to its corresponding cluster member on the other container and everyone else is as is.

    I am just curious about how other folks have deployed their VSX Clusters, and what the reasons were that pushed you folks in one config direction vs. the other.

    Thanks

    Sp
    Last edited by splat; 2010-06-23 at 12:12. Reason: Reconsidering issue after further doc reading.

  2. #2
    Join Date
    2007-08-04
    Posts
    181
    Rep Power
    16

    Default Re: VSX Clustering question

    Hi Splat
    I manage and build 5 VSX clusters (4 R65 and 1 scalability pack); they're all in HA mode.
    When you do load sharing or single system failover you cannot use virtual routers. Virtual routers are mandatory for our network design.
    We do not track every VLAN for a failover; we use the default setting. So only when the lowest or highest VLAN on an interface goes down does the cluster go into a failover. Of course there are many other tracking instances that we use, but they are all in their default configuration.

    Eduard

  3. #3
    Join Date
    2007-07-12
    Posts
    143
    Rep Power
    16

    Default Re: VSX Clustering question

    Virtual System Load Sharing, I deliberately avoided the need for Virtual Routers in our design so we could move individual virtual firewalls between cluster nodes as needed (i.e. for technical or political reasons).

    m.

  4. #4
    Join Date
    2010-06-17
    Posts
    4
    Rep Power
    0

    Default Re: VSX Clustering question

    Hi Marklar,

    Thanks. You mentioned:

    "Virtual System Load Sharing, I deliberately avoided the need for Virtual Routers in our design so we could move individual virtual firewalls between cluster nodes as needed"

    So, you are saying in a Full-System HA, whereby all constituents, (any failing virtual device, then everybody jumps ship and is failed over to the 2nd container) - you need virtual routers in that kind of design?

    I'm curious to know how your firewalls themselves were configured. Bridged mode or like standard FW with subnets?

    Thanks much for all replies.

    Sp

  5. #5
    Join Date
    2007-03-07
    Location
    Detroit, Michigan
    Posts
    154
    Rep Power
    16

    Default Re: VSX Clustering question

    I do the same as Eduard, as I am using VRs and my internal interfaces are using 802.1q for customers, and since we control the VLANs, if one VLAN goes down it would be a configuration issue or a failure further out toward the access layer and it would only affect that one VLAN tag, not the whole cluster of VSs.

    As for the external interfaces, they are layer 3, and behave as a normal HA configuration would. After four years of running this way, we have not had an issue that caused a re-design of the configuration. Also, if you do any dynamic routing you cannot make use of any of the load sharing features.


    Quote: Originally Posted by eduardw
    Hi Splat
    I manage and build 5 VSX clusters (4 R65 and 1 scalability pack); they're all in HA mode.
    When you do load sharing or single system failover you cannot use virtual routers. Virtual routers are mandatory for our network design.
    We do not track every VLAN for a failover; we use the default setting. So only when the lowest or highest VLAN on an interface goes down does the cluster go into a failover. Of course there are many other tracking instances that we use, but they are all in their default configuration.

    Eduard

  6. #6
    Join Date
    2007-07-12
    Posts
    143
    Rep Power
    16

    Default Re: VSX Clustering question

    Quote: Originally Posted by splat
    You mentioned:

    "Virtual System Load Sharing, I deliberately avoided the need for Virtual Routers in our design so we could move individual virtual firewalls between cluster nodes as needed"

    So, you are saying in a Full-System HA, whereby all constituents, (any failing virtual device, then everybody jumps ship and is failed over to the 2nd container
    That is one way VSLS can be made to work. I suggest talking to your systems integrator or Check Point pre-sales for the full spiel on what VSLS can do and what limitations there are.

    - you need virtual routers in that kind of design?
    Virtual Systems and Virtual Switches only, routing in and out of the environment is handled by real routers. Plan your layer 2 very carefully, that is the key.

    I'm curious to know how your firewalls themselves were configured. Bridged mode or like standard FW with subnets?
    Standard with lots of VLANs and subnets and static routes.

    m.
