Ah, that works a bit better for me in the attached text file - I might have to change my Mail.app settings a bit.

I would have each router connected to one switch only. Consider where switch1 fails - that also means that the interface to routerA is down, right? So HSRP won't be running on that interface. HSRP will only be active on routerB, it will not be in use twice (or even if routerA did think it was HSRP master, would it matter since the interface is down? )

You are correct though, in thinking about the problem from the Internet side of things - how does it know what router to send the packets to? How will it know that switch1 is down? Basically the way around this is dynamic routing. I would solve the problem with BGP. This is much better than simply monitoring interface state, as it is actually checking the complete TCP connection to the other router. Since that side of things is managed by your ISP, I would recommend you have a chat to them about it - they should be able to tell you how things should work in the event of switch1 failing, and what they have configured. It should be basic stuff for them.

Glad to be of some assistance. Someone else will poke their head into the conversation sooner or later, especially if I tell you something completely wrong ;-)

 - Lindsay

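Added example, not part of the thread: a small Python model of the "H" design and of the failure scenarios walked through in the replies below, extended to enumerate every double device failure and the inter-switch link failing on its own. Device names follow the diagrams; the link list, the "ISL" node standing in for the inter-switch link, the rule that a router whose only interface is down does not run HSRP, and the rule that ClusterXL drops a node whose interface is down are assumptions of this model.

```python
from itertools import combinations

# Layer-2 links of the "H" design: one firewall node and one router per
# switch, plus the inter-switch link modelled as a node "ISL" so that it
# can fail on its own (assumed layout, matching the thread's diagram).
LINKS = [("FW-nodeA", "switch1"), ("FW-nodeB", "switch2"),
         ("routerA", "switch1"), ("routerB", "switch2"),
         ("switch1", "ISL"), ("ISL", "switch2")]
FIREWALLS = ("FW-nodeA", "FW-nodeB")   # node A is the cluster's primary
ROUTERS = ("routerA", "routerB")       # routerA is the preferred HSRP master
DEVICES = FIREWALLS + ("switch1", "switch2") + ROUTERS

def neighbours(dev):
    return [b if a == dev else a for a, b in LINKS if dev in (a, b)]

def interface_up(dev, failed):
    """A single-homed device's only interface is up iff its switch is up."""
    return dev not in failed and any(n not in failed for n in neighbours(dev))

def reachable(start, failed):
    """Devices reachable from start over links whose both ends are up."""
    seen, stack = set(), [start]
    while stack:
        dev = stack.pop()
        if dev in failed or dev in seen:
            continue
        seen.add(dev)
        stack.extend(neighbours(dev))
    return seen

def hsrp_active(failed):
    """Routers claiming the HSRP address (assumed rule): a router with its
    interface down does not run HSRP at all; a router whose interface is up
    defers to the preferred master only if it can still hear it at layer 2."""
    active = set()
    for r in ROUTERS:
        if not interface_up(r, failed):
            continue
        hears_master = "routerA" in reachable(r, failed)
        if r == "routerA" or not hears_master:
            active.add(r)
    return active

def egress(failed):
    """(active firewall, router it exits through), or None when traffic stops.
    ClusterXL is assumed to drop a node whose interface is down, so the
    active node is the first firewall whose interface is still up."""
    fw = next((f for f in FIREWALLS if interface_up(f, failed)), None)
    if fw is None:
        return None
    usable = hsrp_active(failed) & reachable(fw, failed)
    return (fw, min(usable)) if usable else None

def fatal_pairs():
    """Double device failures after which no traffic can leave at all."""
    return {frozenset(p) for p in combinations(DEVICES, 2) if egress(set(p)) is None}
```

With switch1 down the model leaves only routerB active, as the reply above argues; with only the inter-switch link down both routers stay active, which is the split Alain describes, but the firewall still exits through routerA.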

On 28 Nov 2005, at 20:35, Delava Alain wrote:

Hello Lindsay,

First of all, thanks for your interesting comments... You're the only
one to answer on this topic on the list :)

As far as I understand this setup would require two interfaces per router:

FW-nodeA----switch1------routerA
               |  \      /
               |   \    /       
               |    \  /
               |     \/
               |     /\
               |    /  \
               |   /    \
FW-nodeB----switch2------routerB

(drawing attached in a text file just in case your mail client wipes out
all spaces)

How do you deal with the fact that each router should nevertheless have only one real IP and one HSRP IP (when active) on two interfaces? With a kind of layer-2 switch card in the router (an EtherSwitch Network Module on Cisco)? With some teaming/bonding mechanism?

My problem is that the router part is provided by our ISP, hence a
monthly cost per interface + we cannot manage it ourselves...

I was thinking of this scenario:
- fw node A connected to switch A, router A connected to switch A
- fw node B connected to switch B, router B connected to switch B
- a link (EtherChannel for example) between the switches. The drawing would look like an "H"

but I think this could lead to an interesting problem: if one switch fails (let's say switch A), the routers will not see each other and will both think their colleague is down, leading to a situation where both routers are active, with the HSRP address in use twice. Is this possible?

Then depending on the WAN side config. it might cause problems....
Packets might arrive from the internet to router A even if router A
cannot communicate with the firewall nodes anymore (switch 1 is down,
remember).

If you have any comments or ideas... You're welcome :)

Kind regards,
Alain


-----Original Message-----
From: Lindsay Hill [mailto:[EMAIL PROTECTED]
Sent: Monday, November 28, 2005 8:24 PM
To: Delava Alain
Cc: Mailing list for discussion of Firewall-1
Subject: Re: [FW-1] R55 cluster XL and HSRP

Not quite sure if it's something to do with the way you've formatted
it, and the way my mail program displays it, but I'm not sure that
diagram is quite how I would do it. (Might be, could just be the way
it's come out).

I would have two firewalls, each connected to a separate external
switch. Then you could put a crossover cable between the switches (or
two, with EtherChannel configured for a higher level of redundancy).
Then connect one router to each of the external switches.

Now let's go through some scenarios, assuming that the firewalls are
running in HA, with node A primary, and routerA is the HSRP master:

* Normally traffic will go through FW-nodeA -> switch1 -> routerA. No
problem.

* If FW-nodeA fails, traffic will start going through FW-nodeB ->
switch2 -> switch1 -> routerA

* If switch1 fails, then clusterXL (you haven't mentioned what OS
you're running, let's assume SecurePlatform) should detect the
interface failure, and take FW-nodeA out of the cluster. FW-node-B
will now start processing traffic, and it will go out via switch2 ->
routerB. routerB will now be HSRP master, since routerA's interface
will be down. Not sure how you're tracking this with the WAN link to
the ISP though. I would presume BGP, which will deal with this
situation, if it's properly configured.

* If any of FW-nodeB, switch-2 or routerB fail, traffic will be
unaffected.

Now think about some multiple failure scenarios - maybe fw-nodeA,
switch1, routerA are all running on one UPS, everything else is on
another UPS. If the power to fw-nodeA, switch1, routerA all failed,
no problem, everything swings over to the other side.

What if FW-nodeA failed, and then so did routerA (starting to get to
unlikely scenarios, but anyway)? Traffic would now go fw-nodeB,
switch2, routerB. No problem.

You're fine if any combination of router and firewall fails. You're
in trouble if two of any device fail, or if say fw-nodeA and switch-2
fail - then things will stop. If it's that important, have a third
firewall/switch/router combination. Only you/your business can decide
if it justifies the expense.

You could go down the link aggregation path with Nokia, if you wanted
some more redundancy. If I was you though, I would think carefully
about likely scenarios, and think about whether you need the extra
reliability, and whether it's worth the added cost/complexity.

Just make sure all your stuff like interface tracking is set up
properly, and that your internal network also has redundant links to
the firewalls.

  - Lindsay


On 28 Nov 2005, at 07:42, Delava Alain wrote:

Hi,
Thanks for your reply. So if I understand well you suggest to use the
first diagram?

FW-nodeA------switch1------routerA
                 |      
                 |
                 |
FW-nodeB------switch2------routerB

With only one interface per firewall node, and a default route towards
the HSRP address?

That was our first idea. (but we were looking for something more
redundant e.g. that could have supported a firewall node + a router
failure at the same time... Ok very unlikely to happen :)

Thanks,
Alain

-----Original Message-----
From: Lindsay Hill [mailto:[EMAIL PROTECTED]
Sent: Friday, November 25, 2005 9:00 PM
To: Delava Alain
Subject: Re: [FW-1] R55 cluster XL and HSRP

Some thoughts:

You don't need to go down the ISP dual routing path. The switches in
the diagram below should have a crossover cable (or two) between
them, and your default route on the firewalls will go to the HSRP
address. You don't need to do any bonding or teaming. Just join the
switches together, assign real and virtual addresses to the firewall,
and default route out to the Internet. The routers should have a
route to your network pointing to the virtual IP of the firewall.
It's pretty straightforward. It's pretty common to point a route at
an HSRP address.

I haven't used clustering much, I prefer VRRP. However the underlying
basics are pretty much the same, so feel free to email if you've got
any questions.

  - Lindsay


On 25 Nov 2005, at 08:44, Delava Alain wrote:

Hi there,

I have a little "design" question. We are in the process of designing an
internet firewall cluster with NG R55, Cluster XL with load sharing
multicast mode.

On the ISP side, there is a redundant connection but as it is a single
ISP, they provide two Cisco routers with HSRP (basically, active/passive
system with a virtual IP). So, logically it's a single internet
connection with a single default route / router vIP.

Has anyone ever played with HSRP and such an NG cluster?

One of the questions is how to physically connect the firewalls to the
routers, the second question is about layer 2... On layer 3 I think /
hope there is no problem, provided we use the same multicast arp static
table on both routers, the virtual IPs of the firewall and of the hsrp
will not cause any problem.

Is this kind of setup realistic:


FW-nodeA------switch1------routerA
                 |      
                 |
                 |
FW-nodeB------switch2------routerB


This is obviously not perfect and this setup could be better if
supported:


FW-nodeA----switch1------routerA
        \  /
         \/     
         /\
        /  \
FW-nodeB----switch2------routerB

However as all IPs (firewall nodes, fw cluster vIP, router interfaces,
router vIP/HSRP_IP) have to be in the same interconnection subnet, I
guess the second schema is not feasible without NIC bonding/teaming
(that is: two physical NICs are considered as one network interface
with 1 IP)... and, correct me if I am wrong, neither Check Point NG
nor NGX supports bonding/teaming...

Well, any thoughts about all this stuff are welcome. However it is a
priori not possible for us to use NGX and its routing/dualISP facilities
(due to project constraints).

Thanks,
Alain

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================




<fwscenario.txt>
