Hello Lindsay,

First of all, thanks for your interesting comments... You're the only
one to answer on this topic on the list :)

As far as I understand this setup would require two interfaces per
router:

FW-nodeA----switch1------routerA
               |  \      /
               |   \    /       
               |    \  /
               |     \/
               |     /\
               |    /  \
               |   /    \
FW-nodeB----switch2------routerB

(drawing attached in a text file just in case your mail client wipes out
all spaces)

How do you deal with the fact that each router should nevertheless have
only one real IP and one HSRP IP (when active) on two interfaces? With
a kind of layer-2 switch card in the router (an EtherSwitch Network
Module on Cisco)? With some teaming/bonding mechanism?

My problem is that the router part is provided by our ISP, hence a
monthly cost per interface + we cannot manage it ourselves...

I was thinking of this scenario:
- fw node A connected to switch A, router A connected to switch A
- fw node B connected to switch B, router B connected to switch B
- a link (etherchannel for example) between the switches. The drawing
would look like an "H"

but I think this could lead to an interesting problem: if one switch
fails (let's say switch A), the routers will not see each other and will
both think their colleague is down, leading to a situation where both
routers are active, with the HSRP address in use twice. Is this
possible?

Then, depending on the WAN-side configuration, it might cause problems...
Packets might arrive from the internet to router A even if router A
cannot communicate with the firewall nodes anymore (switch 1 is down,
remember).

If you have any comments or ideas... You're welcome :)

Kind regards,
Alain
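To check the scenarios Lindsay walks through below, and the double-active case raised above, here is an added Python model of the "H" design (my own code, not anything from the list, Check Point or Cisco). It assumes a router's LAN interface goes down with its switch, that a router claims the HSRP address whenever it hears no hello from its peer, and that routerA has the higher priority; WAN-side interface tracking is not modelled.

```python
# Constructed model of the "H" design from this thread (added example, not
# code from the list, Check Point or Cisco): two ClusterXL nodes, two switches
# joined by a trunk, one HSRP router hanging off each switch.
from collections import deque

LINKS = [("FW-nodeA", "switch1"), ("FW-nodeB", "switch2"),
         ("switch1", "routerA"), ("switch2", "routerB"),
         ("switch1", "switch2")]  # crossover / EtherChannel between switches

def _adjacency(failed_nodes, failed_links):
    """Surviving layer-2 graph; a node with no live link is simply absent."""
    adj = {}
    for a, b in LINKS:
        if a in failed_nodes or b in failed_nodes:
            continue
        if (a, b) in failed_links or (b, a) in failed_links:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def reachable(src, dst, failed_nodes=(), failed_links=()):
    """BFS over the surviving links: can src still talk to dst at layer 2?"""
    adj = _adjacency(set(failed_nodes), set(failed_links))
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in adj.get(cur, set()) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False

def analyse(failed_nodes=(), failed_links=()):
    """Who holds the HSRP address, whether it is held twice (split brain), and
    which firewall node still has a path to an active router. Assumptions: a
    router's interface is down when its switch dies; a router claims the VIP
    whenever it hears no hello from its peer; routerA has the higher priority."""
    fn, fl = set(failed_nodes), set(failed_links)
    adj = _adjacency(fn, fl)
    routers_up = [r for r in ("routerA", "routerB") if r in adj]
    if reachable("routerA", "routerB", fn, fl):
        active = ["routerA"]   # hellos cross the trunk: a single master
    else:
        active = routers_up    # no hellos: every surviving router claims the VIP
    fw_ok = {fw: any(reachable(fw, r, fn, fl) for r in active)
             for fw in ("FW-nodeA", "FW-nodeB") if fw not in fn}
    return {"active": active, "split_brain": len(active) > 1,
            "fw_can_reach_vip": fw_ok}
```

Under these assumptions a switch failure takes the attached router's interface down with it, so the model reports two active routers only when the inter-switch link fails while both switches stay up.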


> -----Original Message-----
> From: Lindsay Hill [mailto:[EMAIL PROTECTED] 
> Sent: Monday, November 28, 2005 8:24 PM
> To: Delava Alain
> Cc: Mailing list for discussion of Firewall-1
> Subject: Re: [FW-1] R55 cluster XL and HSRP
> 
> Not quite sure if it's something to do with the way you've formatted  
> it, and the way my mail program displays it, but I'm not sure that  
> diagram is quite how I would do it. (Might be, could just be the way  
> it's come out).
> 
> I would have two firewalls, each connected to a separate external
> switch. Then you could put a crossover cable between the switches (or
> two, with EtherChannel configured for a higher level of redundancy).
> Then connect one router to each of the external switches.
> 
> Now let's go through some scenarios, assuming that the firewalls are  
> running in HA, with node A primary, and routerA is the HSRP master:
> 
> * Normally traffic will go through FW-nodeA -> switch1 -> routerA. No
> problem.
> 
> * If FW-nodeA fails, traffic will start going through FW-nodeB ->  
> switch2 -> switch1 -> routerA
> 
> * If switch1 fails, then clusterXL (you haven't mentioned what OS  
> you're running, let's assume SecurePlatform) should detect the  
> interface failure, and take FW-nodeA out of the cluster. FW-node-B  
> will now start processing traffic, and it will go out via switch2 ->  
> routerB. routerB will now be HSRP master, since routerA's interface  
> will be down. Not sure how you're tracking this with the WAN link to  
> the ISP though. I would presume BGP, which will deal with this  
> situation, if it's properly configured.
> 
> * If any of FW-nodeB, switch-2 or routerB fail, traffic will be
> unaffected.
> 
> Now think about some multiple failure scenarios - maybe fw-nodeA,  
> switch1, routerA are all running on one UPS, everything else is on  
> another UPS. If the power to fw-nodeA, switch1, routerA all failed,  
> no problem, everything swings over to the other side.
> 
> What if FW-nodeA failed, and then so did routerA (starting to get to  
> unlikely scenarios, but anyway)? Traffic would now go fw-nodeB,  
> switch2, routerB. No problem.
> 
> You're fine if any combination of router and firewall fails. You're
> in trouble if two of any device fail, or if say fw-nodeA and switch-2
> fail - then things will stop. If it's that important, have a third
> firewall/switch/router combination. Only you/your business can decide
> if it justifies the expense.
> 
> You could go down the link aggregation path with Nokia, if you wanted
> some more redundancy. If I were you though, I would think carefully
> about likely scenarios, and think about whether you need the extra
> reliability, and whether it's worth the added cost/complexity.
> 
> Just make sure all your stuff like interface tracking is set up  
> properly, and that your internal network also has redundant links to  
> the firewalls.
> 
>   - Lindsay
> 
> 
> On 28 Nov 2005, at 07:42, Delava Alain wrote:
> 
> > Hi,
> > Thanks for your reply. So if I understand well you suggest using the
> > first diagram?
> >
> > FW-nodeA------switch1------routerA
> >                  |  
> >                  |
> >                  |
> > FW-nodeB------switch2------routerB
> >
> > With only one interface per firewall node, and a default route towards
> > the HSRP address?
> >
> > That was our first idea. (but we were looking for something more
> > redundant e.g. that could have supported a firewall node + a router
> > failure at the same time... Ok very unlikely to happen :)
> >
> > Thanks,
> > Alain
> >
> >> -----Original Message-----
> >> From: Lindsay Hill [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, November 25, 2005 9:00 PM
> >> To: Delava Alain
> >> Subject: Re: [FW-1] R55 cluster XL and HSRP
> >>
> >> Some thoughts:
> >>
> >> You don't need to go down the ISP dual routing path. The switches in
> >> the diagram below should have a crossover cable (or two) between
> >> them, and your default route on the firewalls will go to the HSRP
> >> address. You don't need to do any bonding or teaming. Just join the
> >> switches together, assign real and virtual addresses to the
> >> firewall,
> >> and default route out to the Internet. The routers should have a
> >> route to your network pointing to the virtual IP of the firewall.
> >> It's pretty straightforward. It's pretty common to point a route at
> >> an HSRP address.
> >>
> >> I haven't used clustering much, I prefer VRRP. However the underlying
> >> basics are pretty much the same, so feel free to email if you've got
> >> any questions
> >>
> >>   - Lindsay
> >>
> >>
> >> On 25 Nov 2005, at 08:44, Delava Alain wrote:
> >>
> >>> Hi there,
> >>>
> >>> I have a little "design" question. We are in the process of
> >>> designing an internet firewall cluster with NG R55, Cluster XL with
> >>> load sharing multicast mode.
> >>>
> >>> On the ISP side, there is a redundant connection but as it is a single
> >>> ISP, they provide two Cisco routers with HSRP (basically, active/
> >>> passive system with a virtual IP). So, logically it's a single internet
> >>> connection with a single default route / router vIP.
> >>>
> >>> Has anyone ever played with HSRP and such an NG cluster?
> >>>
> >>> One of the questions is how to physically connect the firewalls to the
> >>> routers, the second question is about layer 2... On layer 3 I think /
> >>> hope there is no problem, provided we use the same multicast ARP static
> >>> table on both routers, the virtual IPs of the firewall and of the HSRP
> >>> will not cause any problem.
> >>>
> >>> Is this kind of setup realistic:
> >>>
> >>>
> >>> FW-nodeA------switch1------routerA
> >>>                  |        
> >>>                  |
> >>>                  |
> >>> FW-nodeB------switch2------routerB
> >>>
> >>>
> >>> This is obviously not perfect and this setup could be better if
> >>> supported:
> >>>
> >>>
> >>> FW-nodeA----switch1------routerA
> >>>         \  /
> >>>          \/       
> >>>          /\
> >>>         /  \
> >>> FW-nodeB----switch2------routerB
> >>>
> >>> However as all IPs (firewall nodes, fw cluster vIP, router interfaces,
> >>> router vIP/HSRP_IP) have to be in the same interconnection subnet, I
> >>> guess the second schema is not feasible without NIC bonding/teaming
> >>> (that is: two physical NICs are considered as one network interface
> >>> with 1 IP)... and, correct me if I am wrong, neither Check Point NG
> >>> nor NGX supports bonding/teaming...
> >>>
> >>> Well, any thoughts about all this stuff are welcome. However it is a
> >>> priori not possible for us to use NGX and its routing/dual ISP
> >>> facilities (due to project constraints).
> >>>
> >>> Thanks,
> >>> Alain
> >>>
> >>> =================================================
> >>> To set vacation, Out-Of-Office, or away messages,
> >>> send an email to [EMAIL PROTECTED]
> >>> in the BODY of the email add:
> >>> set fw-1-mailinglist nomail
> >>> =================================================
> >>> To unsubscribe from this mailing list,
> >>> please see the instructions at
> >>> http://www.checkpoint.com/services/mailing.html
> >>> =================================================
> >>> If you have any questions on how to change your
> >>> subscription options, email
> >>> [EMAIL PROTECTED]
> >>> =================================================