(My mistake, WS-C2950-24 does not have 2 Gbit ports, only 24 100Base-Tx ports). (Doesn't have to do with the discussion anyway ;).

Alain

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Delava Alain
> Sent: Wednesday 19 October 2005 15:05
> To: [email protected]
> Subject: Re: [FW-1] Supported switch hardware for ClusterXL
>
> Hello list;
>
> I have exactly the same question since I was planning to use Cisco 2950
> switches (24 100-Tx + 2 1000-Tx) with Standard Image (ref. WS-C2950-24)
> for my R55+SPLAT+ClusterXL with load sharing multicast mode platform...
>
> Does anyone have info about that? The Cisco doc. does not mention any
> info about multicast ARP support and behaviour
> [http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html].
>
> Page 52 of Checkpoint's ClusterXL R55 guide suggests some hardware,
> including "Cisco 2900" and also read in the mailing lists archives that
>
> > On Jul 20, 2005, at 9:17 AM, Cassell,Damon Z. wrote:
> >
> >> [...] I've found that Cisco 2950 switches are
> >> plug and play when it comes to multicast addresses and ClusterXL. I'm
> >> currently testing such a configuration. [...]
>
> but I'm not sure if this includes 2950 *with std image*...
>
> Thanks in advance,
> --
> Alain DELAVA - alain/nospam/[EMAIL PROTECTED]/removeme/sys.be
> Security & infrastructure consultant
> TRASYS - "We are SUEZ"
>
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of Edward Luck
> > Sent: Wednesday 14 September 2005 9:06
> > To: [email protected]
> > Subject: Re: [FW-1] Supported switch hardware for ClusterXL
> >
> > The Catalyst 2970 most likely will work, however you may need to upgrade to
> > the Enhanced IOS image to support static MAC entries for multicast
> > addresses. As for the cheap switches, I'm not sure. It depends on a couple
> > of things:
> > 1. If they recognise multicast MAC addresses (They all start with 01-00-5e)
> > 2. What they do with them!
> >
> > If the switch doesn't recognise or care about multicast MAC addresses, it
> > may bind the MAC to one port and one port only, effectively breaking load
> > balancing. If the switch *does* know about multicast MAC addresses, the only
> > way it would work is if it treated those in the same way it treats the
> > broadcast MAC address (ff-ff-ff-ff-ff), and forwards these to every switch
> > port. Of course, this effectively makes the switch a hub, which you probably
> > don't really want.
> >
> > Personally, I would save the potential disasters and go straight to
> > configurable switches such as the Cisco that can be *told* what to do, for
> > every firewall interface. Here's a quick summary of everything you will need
> > to do to make multicast load-sharing with ClusterXL work:
> >
> > On the Switches
> > --------------------------------
> > mac address-table static 01:00:5e:xx:xx vlan XX interface fa1/0/XX fa1/0/XX
> > (this lists both the ports that the firewall connects to)
> >
> > On any routers which the firewalls talk to:
> > -------------------------------------------------------------
> > arp <Firewall Load Balanced IP Address> <Multicast MAC Address> arpa
> >
> > Do *not* stuff up the ARP address on the routers. I have been there, twice,
> > at 2am for a big customer and the bizarre things that happen will blow your
> > mind. None of these bizarre things point to you having stuffed the ARP entry
> > on the router either, so you can chase your tail for days.
> >
> > Have fun,
> >
> > Ed Luck, GCFW (Hons)
> > Senior Security Engineer
> > Dimension Data Australia
> >
> > On 9/14/05, Meyers, Duncan <[EMAIL PROTECTED]> wrote:
> > >
> > > I am in the throes of setting up ClusterXL on two SecurePlatform boxes. I
> > > went looking for a list of switches at Checkpoint's support site that will
> > > support load sharing multicast mode - but that requires a support contract
> > > :-(
> > >
> > > Can anyone tell me if a Cisco Cat 2970 will work? I suspect it will, but
> > > no harm in checking...
> > >
> > > Also, will multicast mode work with something like a Linksys SD208 or
> > > Netgear FS608 (for the insecure side of the cluster)? The router to the 'net
> > > is a Cisco 1841. Is this OK?
> > >
> > > Thanks,
> > >
> > > Duncan
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [EMAIL PROTECTED]
> > > =================================================
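
Added example (not part of any of the posts above): a small pre-change check that the router's static ARP entry and the switch's static MAC entry quoted in the thread agree with each other, since a mismatch there is the failure Ed describes chasing at 2am. The function names, the sample address 192.0.2.10, the MAC, the VLAN and the port names are all constructed for illustration; the two config line shapes are the ones given in the thread, with the MAC accepted in colon, dash or Cisco dotted notation.

```python
import re

MCAST_PREFIX = "01005e"  # the thread: multicast MACs all start with 01-00-5e

def norm_mac(text):
    """Reduce 01:00:5e:.., 01-00-5e-.. or 0100.5e.. notation to 12 hex digits."""
    digits = re.sub(r"[.:-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse(config):
    """Return ({mac: [ports]}, {ip: mac}) from static MAC and static ARP lines."""
    macs, arps = {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["mac", "address-table", "static"] and "interface" in w[4:]:
            macs[norm_mac(w[3])] = [p.lower() for p in w[w.index("interface") + 1:]]
        elif len(w) == 4 and w[0] == "arp" and w[3] == "arpa":
            arps[w[1]] = norm_mac(w[2])
    return macs, arps

def audit(switch_cfg, router_cfg, cluster_ip, fw_ports):
    """List mismatches between the router ARP entry and the switch MAC entry."""
    macs = parse(switch_cfg)[0]
    mac = parse(router_cfg)[1].get(cluster_ip)
    if mac is None:
        return ["router: no valid static ARP entry for " + cluster_ip]
    findings = []
    if not mac.startswith(MCAST_PREFIX):
        findings.append("router: ARP entry is not a 01-00-5e multicast MAC")
    if mac not in macs:
        findings.append("switch: no static entry for the MAC the router uses")
    else:
        # Both firewall-facing ports must be listed, as the thread notes.
        for port in sorted({p.lower() for p in fw_ports} - set(macs[mac])):
            findings.append("switch: firewall port %s missing from entry" % port)
    return findings

# Constructed sample configs (addresses, VLAN and ports are made up).
SWITCH = "mac address-table static 0100.5e00.020a vlan 10 interface fa1/0/1 fa1/0/2"
ROUTER_OK = "arp 192.0.2.10 0100.5e00.020a arpa"
ROUTER_TYPO = "arp 192.0.2.10 0100.5e00.020b arpa"  # one digit off
PORTS = ["Fa1/0/1", "Fa1/0/2"]

if __name__ == "__main__":
    for name, router in (("ok", ROUTER_OK), ("typo", ROUTER_TYPO)):
        print(name, audit(SWITCH, router, "192.0.2.10", PORTS))
```

An empty list means the two entries are consistent; run it against the candidate config lines before they are pasted into the devices.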
