Not quite sure if it's something to do with the way you've formatted it, and the way my mail program displays it, but I'm not sure that diagram is quite how I would do it. (Might be, could just be the way it's come out).

I would have two firewalls, each connected to a separate external switch. Then you could put a crossover cable between the switches (or two, with EtherChannel configured for a higher level of redundancy). Then connect one router to each of the external switches.

Now let's go through some scenarios, assuming that the firewalls are running in HA, with node A primary, and routerA is the HSRP master:

* Normally traffic will go through FW-nodeA -> switch1 -> routerA. No problem.

* If FW-nodeA fails, traffic will start going through FW-nodeB -> switch2 -> switch1 -> routerA

* If switch1 fails, then ClusterXL (you haven't mentioned what OS you're running, let's assume SecurePlatform) should detect the interface failure, and take FW-nodeA out of the cluster. FW-node-B will now start processing traffic, and it will go out via switch2 -> routerB. routerB will now be HSRP master, since routerA's interface will be down. Not sure how you're tracking this with the WAN link to the ISP though. I would presume BGP, which will deal with this situation, if it's properly configured.

* If any of FW-nodeB, switch-2 or routerB fails, traffic will be unaffected.

Now think about some multiple failure scenarios - maybe fw-nodeA, switch1, routerA are all running on one UPS, everything else is on another UPS. If the power to fw-nodeA, switch1, routerA all failed, no problem, everything swings over to the other side.

What if FW-nodeA failed, and then so did routerA (starting to get to unlikely scenarios, but anyway)? Traffic would now go fw-nodeB, switch2, routerB. No problem.

You're fine if any combination of router and firewall fails. You're in trouble if two of any device fail, or if say fw-nodeA and switch-2 fail - then things will stop. If it's that important, have a third firewall/switch/router combination. Only you/your business can decide if it justifies the expense.

You could go down the link aggregation path with Nokia, if you wanted some more redundancy. If I was you though, I would think carefully about likely scenarios, and think about whether you need the extra reliability, and whether it's worth the added cost/complexity.

Just make sure all your stuff like interface tracking is set up properly, and that your internal network also has redundant links to the firewalls.

 - Lindsay
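The failure walk-through above can be checked mechanically. The following is an added example, not code from anyone in this thread: it models the two-switch design (one firewall per external switch, a crossover between the switches, one router per switch) as a small graph and enumerates every single and double device failure, reporting which combinations leave no surviving path from a firewall node to an upstream router. It goes slightly beyond the message by listing all fifteen pairs, including switch-plus-opposite-router pairs that the text does not call out. Device names follow the thread; the link list, the path check and the enumeration are assumptions of this example.

```python
"""Failure-scenario check for the two-switch firewall/router design.

Added example, not part of the mailing-list thread. Device names come
from the thread; the topology graph and the checks are assumptions.
"""
from itertools import combinations

# Topology as described: firewalls, switches and routers, plus the
# crossover link joining the two external switches.
LINKS = [
    ("FW-nodeA", "switch1"),
    ("FW-nodeB", "switch2"),
    ("switch1", "routerA"),
    ("switch2", "routerB"),
    ("switch1", "switch2"),  # crossover between the external switches
]
FIREWALLS = ("FW-nodeA", "FW-nodeB")
ROUTERS = ("routerA", "routerB")


def build_adjacency(links, failed=frozenset()):
    """Adjacency map of the topology with the failed devices removed."""
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def has_path(adj, sources, targets):
    """True if any surviving source can reach any surviving target (BFS)."""
    seen = set()
    frontier = [s for s in sources if s in adj]
    while frontier:
        node = frontier.pop()
        if node in targets:
            return True
        if node in seen:
            continue
        seen.add(node)
        frontier.extend(adj.get(node, ()))
    return False


def survives(failed):
    """Does traffic still reach a router with these devices down?"""
    failed = frozenset(failed)
    adj = build_adjacency(LINKS, failed)
    return has_path(adj, set(FIREWALLS) - failed, set(ROUTERS) - failed)


def fatal_failures(max_simultaneous=2):
    """Every combination of up to N device failures that breaks the path."""
    devices = sorted({d for link in LINKS for d in link})
    fatal = []
    for n in range(1, max_simultaneous + 1):
        for combo in combinations(devices, n):
            if not survives(combo):
                fatal.append(combo)
    return fatal


if __name__ == "__main__":
    # No single failure is fatal; seven of the fifteen pairs are.
    for combo in fatal_failures():
        print("outage if these fail together:", " + ".join(combo))
```

Running it confirms the message's summary: no single device failure breaks the path, any firewall-plus-router pair is survivable, and the fatal pairs are the two-of-a-kind failures plus a firewall or router losing the switch on the opposite side (FW-nodeA + switch2, FW-nodeB + switch1, routerA + switch2, routerB + switch1). Extending the link list with a third firewall/switch/router set shows directly which of those pairs a third leg would cover.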


On 28 Nov 2005, at 07:42, Delava Alain wrote:

Hi,
Thanks for your reply. So, if I understand correctly, you suggest using the
first diagram?:

FW-nodeA------switch1------routerA
                 |      
                 |
                 |
FW-nodeB------switch2------routerB

With only one interface per firewall node, and a default route towards
the HSRP address?

That was our first idea (but we were looking for something more
redundant, e.g. one that could have supported a firewall node + a router
failure at the same time... OK, very unlikely to happen :)

Thanks,
Alain

-----Original Message-----
From: Lindsay Hill [mailto:[EMAIL PROTECTED]
Sent: Friday, November 25, 2005 9:00 PM
To: Delava Alain
Subject: Re: [FW-1] R55 cluster XL and HSRP

Some thoughts:

You don't need to go down the ISP dual routing path. The switches in
the diagram below should have a crossover cable (or two) between them,
and your default route on the firewalls will go to the HSRP address.
You don't need to do any bonding or teaming. Just join the switches
together, assign real and virtual addresses to the firewall, and
default route out to the Internet. The routers should have a route to
your network pointing to the virtual IP of the firewall. It's pretty
straightforward. It's pretty common to point a route at an HSRP
address.

I haven't used clustering much, I prefer VRRP. However the underlying
basics are pretty much the same, so feel free to email if you've got
any questions.

  - Lindsay


On 25 Nov 2005, at 08:44, Delava Alain wrote:

Hi there,

I have a little "design" question. We are in the process of designing
an internet firewall cluster with NG R55, Cluster XL with load sharing
multicast mode.

On the ISP side, there is a redundant connection but as it is a single
ISP, they provide two Cisco routers with HSRP (basically, an active/
passive system with a virtual IP). So, logically it's a single internet
connection with a single default route / router vIP.

Has anyone ever played with HSRP and such an NG cluster?

One of the questions is how to physically connect the firewalls to the
routers, the second question is about layer 2... On layer 3 I think /
hope there is no problem, provided we use the same multicast ARP static
table on both routers, the virtual IPs of the firewall and of the HSRP
will not cause any problem.

Is this kind of setup realistic?


FW-nodeA------switch1------routerA
                 |      
                 |
                 |
FW-nodeB------switch2------routerB


This is obviously not perfect and this setup could be better if
supported:


FW-nodeA----switch1------routerA
        \  /
         \/     
         /\
        /  \
FW-nodeB----switch2------routerB

However as all IPs (firewall nodes, fw cluster vIP, router interfaces,
router vIP/HSRP_IP) have to be in the same interconnection subnet, I
guess the second schema is not feasible without NIC bonding/teaming
(that is: two physical NICs are considered as one network interface
with 1 IP)... and, correct me if I am wrong, neither Check Point NG
nor NGX supports bonding/teaming...

Well, any thoughts about all this stuff are welcome. However it is a
priori not possible for us to use NGX and its routing/dual-ISP
facilities (due to project constraints).

Thanks,
Alain

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
