Hi,
Thanks for your reply. So, if I understand correctly, you suggest using the
first diagram?
FW-nodeA------switch1------routerA
|
|
|
FW-nodeB------switch2------routerB
With only one interface per firewall node and a default route towards
the HSRP address?
That was our first idea (but we were looking for something more
redundant, e.g. something that could have supported a firewall node and a
router failure at the same time... OK, very unlikely to happen :)
Thanks,
Alain
> -----Original Message-----
> From: Lindsay Hill [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 25, 2005 9:00 PM
> To: Delava Alain
> Subject: Re: [FW-1] R55 cluster XL and HSRP
>
> Some thoughts:
>
> You don't need to go down the ISP dual routing path. The switches in
> the diagram below should have a crossover cable (or two) between
> them, and your default route on the firewalls will go to the HSRP
> address. You don't need to do any bonding or teaming. Just join the
> switches together, assign real and virtual addresses to the firewall,
> and default route out to the Internet. The routers should have a
> route to your network pointing to the virtual IP of the firewall.
> It's pretty straightforward. It's pretty common to point a route at
> an HSRP address.
>
> I haven't used clustering much; I prefer VRRP. However, the underlying
> basics are pretty much the same, so feel free to email if you've got
> any questions.
>
> - Lindsay
>
>
> On 25 Nov 2005, at 08:44, Delava Alain wrote:
>
> > Hi there,
> >
> > I have a little "design" question. We are in the process of
> > designing an internet firewall cluster with NG R55, Cluster XL with
> > load sharing multicast mode.
> >
> > On the ISP side, there is a redundant connection, but as it is a
> > single ISP, they provide two Cisco routers with HSRP (basically, an
> > active/passive system with a virtual IP). So, logically it's a single
> > internet connection with a single default route / router vIP.
> >
> > Has anyone ever played with HSRP and such an NG cluster?
> >
> > One of the questions is how to physically connect the firewalls to the
> > routers; the second question is about layer 2... On layer 3 I think /
> > hope there is no problem: provided we use the same multicast arp static
> > table on both routers, the virtual IPs of the firewall and of the HSRP
> > will not cause any problem.
> >
> > Is this kind of setup realistic:
> >
> >
> > FW-nodeA------switch1------routerA
> > |
> > |
> > |
> > FW-nodeB------switch2------routerB
> >
> >
> > This is obviously not perfect, and this setup could be better if
> > supported:
> >
> >
> > FW-nodeA----switch1------routerA
> > \ /
> > \/
> > /\
> > / \
> > FW-nodeB----switch2------routerB
> >
> > However, as all IPs (firewall nodes, fw cluster vIP, router
> > interfaces, router vIP/HSRP_IP) have to be in the same interconnection
> > subnet, I guess the second schema is not feasible without NIC
> > bonding/teaming (that is: two physical NICs are considered as one
> > network interface with 1 IP)... and, correct me if I am wrong, neither
> > Check Point NG nor NGX supports bonding/teaming...
> >
> > Well, any thoughts about all this stuff are welcome. However, it is a
> > priori not possible for us to use NGX and its routing/dual ISP
> > facilities (due to project constraints).
> >
> > Thanks,
> > Alain
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
>
>
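As an added illustration (not part of the thread), a small Python model of the two-switch topology discussed above: it enumerates single and double device failures and reports which ones leave no path from a live cluster member to a live HSRP router, with and without the inter-switch crossover Lindsay suggests. The device names are constructed for the model, a failed switch or router is simply removed from the graph, and HSRP/ClusterXL failover state is assumed to converge (not modelled).

```python
from itertools import combinations

# Constructed model of the first diagram: two ClusterXL members, two
# switches, two HSRP routers. Each tuple is one cable on the shared segment.
CABLES = [("fwA", "sw1"), ("sw1", "rA"), ("fwB", "sw2"), ("sw2", "rB")]
CROSSOVER = [("sw1", "sw2")]  # the inter-switch link suggested in the reply
DEVICES = ["fwA", "fwB", "sw1", "sw2", "rA", "rB"]


def reachable(edges, src, dst, failed):
    """Breadth-first search over the L2 segment, skipping failed devices."""
    if src in failed or dst in failed:
        return False
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, [src]
    while queue:
        node = queue.pop(0)
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def internet_path_exists(edges, failed):
    """Traffic survives if any live member can reach any live HSRP router."""
    return any(reachable(edges, fw, r, failed)
               for fw in ("fwA", "fwB") for r in ("rA", "rB"))


def failures_that_break(edges, max_failures=2):
    """All combinations of up to max_failures dead devices that cut traffic."""
    broken = []
    for k in range(1, max_failures + 1):
        for failed in combinations(DEVICES, k):
            if not internet_path_exists(edges, set(failed)):
                broken.append(failed)
    return broken


if __name__ == "__main__":
    for label, edges in (("no crossover", CABLES),
                         ("with crossover", CABLES + CROSSOVER)):
        print(label, "breaks on:", failures_that_break(edges))
```

Without the crossover, any firewall node plus the router on the other side (e.g. fwA and rB) cuts traffic; with it, only same-role pairs and a node losing its only switch do.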