Yes, that's all, and your FW still load sharing in all interfaces and provides you High Availability. You can see more details in checkpoint help (see help in ClusterXL Modes in your managment station). This help explains all modes of ClusterXL.
Another think that know is the priority cluster members (you will see in Cluster Members config options), Unicast mode needs a pivot and this is asignated ussing the highest priority member available. I Hoppe this help you Regards Romey Valadez -----Mensaje original----- De: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] nombre de nl Enviado el: Martes, 07 de Junio de 2005 12:13 a.m. Para: [email protected] Asunto: Re: [FW-1] Cluster XL vs Cisco static arp Thanks for reply, I see Multicast or Unicast in Cluster XL LOAD SHARING config options. Do you thing that all I have to do is delete static arp entry in router, check Unicast in Cluster XL LOAD SHARING config options and install policy ? Is that something else what I have to do? And will it be still Load sharing including FW outside interface? thanx >Od: Cecoban, S. A. de C. V. - Romey Valadez [mailto:[EMAIL PROTECTED] >Odoslané: 6. júna 2005 21:21 >Komu: [email protected] >Predmet: Re: [FW-1] Cluster XL vs Cisco static arp > > >Because you need apply a static arp in your routers i think that you have a >Cluster XL in Multicast-Mode, your switch may be doesn't support >multicast-mode. The ICMP TTL Count Exceeded appears because when a router >delivers a packet this is sending to Multicast destination, some switches (or >hubs) don't understand Multicast and they don't know where multicast mac >address is connected for these reason the switch send this packet to all ports >in the same VLAN, then this packet is recived for the CheckPoint Cluster and >the other Cisco router, with CheckPoint don't have problem because it know how >process the packet, but with Cisco router when recives the packet think that >this packet needs to be routed, then check his routing tables and if the >destination is the same Cluster XL then this packet is delivered to the same >Multicast address (remember that both cisco have the same static arp) >repeating this process until TTL reaches zero (For each recive an transmit the >same packet! ! >the TTL decreases). > > >You will need check if your switches support Multicast or change your mode to >Unicast (for this you will need delete the statics arps in your routers) > > >Regards > >Romey Valadez > >-----Mensaje original----- >De: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] nombre >de nl >Enviado el: Lunes, 06 de Junio de 2005 01:02 a.m. >Para: [email protected] >Asunto: [FW-1] Cluster XL vs Cisco static arp > > >Hi, > >I have problem with implementation Cluster XL R55 and two Cisco routers >(HSRP). >Our company has two connections to ISP -> two CISCO router 2801 + 4esw switch >card. Before, when only one connection was designed (and one router) all works >fine. It was static arp entry for Cluster XL MAC on the router. >But now, when two routers are designed (HSRP) I cannot add static arp on both >routers. If it is added only on one of them, all works fine, but if I set up >static arp entry on both routers then traffic looks like "crazy": >-upstream is bigger like downstream (normally upstream is max 10% of >downstream) >-there is a lot of error messages in CP FW: ICMP: Source-Cluster XL IP, >Dst-Cluster XP IP, Echo request :message_info: cluster member IP is being >spoofed >-there is a lot of error messages in CP FW: ICMP: Time-To-Live Count Exceeded >-I have tu tell that some traffic passing through the FWs and routers but its >very strange to explain this. >So now I have static arp entry only on one router, but this router is now >critical-> If the router is down - internet connection is down too. > >Can somebody help me with this issue? > >thanx > > > > > > > > > >Aktivujte si aj vy schranku s neobmedzenou kapacitou na ATLAS.SK. >http://mail.atlas.sk > >================================================= >To set vacation, Out-Of-Office, or away messages, >send an email to [EMAIL PROTECTED] >in the BODY of the email add: >set fw-1-mailinglist nomail >================================================= >To unsubscribe from this mailing list, >please see the instructions at >http://www.checkpoint.com/services/mailing.html >================================================= >If you have any questions on how to change your >subscription options, email >[EMAIL PROTECTED] >================================================= > >================================================= >To set vacation, Out-Of-Office, or away messages, >send an email to [EMAIL PROTECTED] >in the BODY of the email add: >set fw-1-mailinglist nomail >================================================= >To unsubscribe from this mailing list, >please see the instructions at >http://www.checkpoint.com/services/mailing.html >================================================= >If you have any questions on how to change your >subscription options, email >[EMAIL PROTECTED] >================================================= Aktivujte si aj vy schranku s neobmedzenou kapacitou na ATLAS.SK. http://mail.atlas.sk ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
