Hello guys,

I know this is an old issue, however I found it while browsing the archive. If you still need a solution for that, I've done it with success. We have two geographically distant locations, both with firewalls that need to be in sync with the other's respective state tables, because of some routing issues we had. We didn't want to disable "drop out of state packets", so what I did was to configure an L2TPv3 tunnel (it has to be v3) to transport an ethernet bridge over the WAN. So, you will have to count on an ethernet port available on both firewalls for sync and also Cisco routers with an IOS that supports L2TPv3. Connect the sync interfaces of both firewalls to their respective router and configure the L2 tunnel between them. Note that the Cisco's interface will have no IP address and the firewalls' sync interfaces will be on the same broadcast domain (same LAN); it's the same subnet. The L2TP tunnel will copy all raw packets received at the tunnel source interface to the other router's destination interface. All kinds of traffic, even non-IP, can be transported this way. The Check Point sync protocol is proprietary and uses multicast addresses; you will not be able to route it over an L3 network, even if you configure the proper multicast routing groups, however tunneling it over the L2TP tunnel will work just fine. Also, I did not use ClusterXL licenses, but configured OPSEC 3rd party sync on both sides.

Cisco's support for L2TPv3 on low and mid-end routers is limited to point-to-point only, i.e., you will be able to sync only a couple of locations, and if you have many firewalls at both sides, no problem, just share the router's tunnel interface with a switch or VLAN (non-routable). If you need to sync many locations, as in a mesh topology, you will have to look at high-end 7200 or 12k series routers with provider code.

A last note is that sync requires low latency; if you have large pipes, no problems. For those who need a sample config for the routers, drop me a message.

Regards,
JF.

PS: I think the same can be done over VPLS for those of you that run an MPLS backbone.
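An illustrative Cisco IOS configuration for the setup JF describes above, added here as an example and not JF's own config: each router has one Ethernet port (no IP address) cabled to its firewall's sync interface, and that port is bridged to the peer router over an L2TPv3 pseudowire (xconnect), so the two sync interfaces share one broadcast domain. The loopback addresses 192.0.2.1/192.0.2.2, the VC id 100, the class names and FastEthernet0/1 as the sync-facing port are assumptions.

```cisco
! Router A (site 1). Router B mirrors this with the addresses swapped.
! Assumed values: loopbacks 192.0.2.1 / 192.0.2.2, VC id 100,
! FastEthernet0/1 = port cabled to the firewall's sync interface.
l2tp-class SYNC-L2TP
 authentication
 password 0 REPLACE-WITH-SHARED-SECRET
 hello 10
!
pseudowire-class SYNC-PW
 encapsulation l2tpv3
 protocol l2tpv3 SYNC-L2TP
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/1
 description bridged to firewall sync port, whole port is tunneled
 no ip address
 no cdp enable
 xconnect 192.0.2.2 100 encapsulation l2tpv3 pw-class SYNC-PW
!
! Router B differs only in:
!  interface Loopback0 -> ip address 192.0.2.2 255.255.255.255
!  xconnect 192.0.2.1 100 encapsulation l2tpv3 pw-class SYNC-PW
```

Verify the pseudowire with `show xconnect all` and `show l2tun session all`. The l2tp-class password only authenticates control-channel setup; L2TPv3 adds no encryption, so the bridged frames (the sync traffic included) cross the WAN in clear unless the path between the two loopbacks is itself protected.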
On 6/26/06, Yinal OZKAN <[EMAIL PROTECTED]> wrote:
Hi Todd,

This must be the hot topic. I received a very similar question from one of our clients today. (Can we have multi-site Check Point clusters over DWDM?)

Cluster definition is very subjective. But the common active-active cluster types for Check Point (e.g. ClusterXL, IP clustering) usually require identical IP subnets on member gateways (like HA setups). In a multi-site cluster all segments of both members must share L2 connectivity for a true cluster.

Even if you have high speed L2 connectivity for sync networks, most of the datacenters have a separate IP addressing schema for redundant operations. Multi-site multicast propagation and latency issues must be addressed as well.

I would recommend 3rd party DNS based solutions for inbound connections. (Where dynamic routing is not an option like your env.) You may also check the link controller (ISP sharing) scenarios for outbound traffic. You may also use Check Point MEP configuration for inbound VPN connections.

You mention that multiple VLANs terminating on the external interface; that will bring lots of problems. Check Point will treat those segments as external, and if you have VPN connectivity you will have a really tough time. I would rather define the Extranet WAN side as internal instead of multiple external interfaces.

With NGX, route based VPNs and dynamic routes would be the remedy for your status but as you have stated it is not an option for you.

cheers,
- yinal ozkan
INTEGRALIS

p.s. if your questions are specific to single site active-active clusters, we may elaborate more.
--- "Larson, Todd (LNG-DAY)" <[EMAIL PROTECTED]> wrote:
> I've been tasked with investigating an active/active gateway cluster, with one firewall at each location (not a pair). Currently, we have significant experience in deploying HA clusters, but little with Active/Active Clusters.
>
> I'm looking for insights and/or gotchas from those who traveled this road before me. A high-level overview of our infrastructure is this: Datacenters are connected via DWDM (big fast pipe) connecting the backend (i.e. internal private networks). On the external networks, the cluster will front Secure Extranet WAN connections accessible from either datacenter.
>
> The firewalls will not participate in dynamic routing. The external side of the cluster will have multiple VLANs terminated on one interface (a design requirement).
>
> Any thoughts or advice would be much appreciated.
>
> Todd
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>