kazeka sho <[EMAIL PROTECTED]> wrote:
>
> I have 2 Nokias where I configured 3 interfaces on each appliance.  1
> for the and outside would be monitored where Nokia1 is the master and
> thus Nokia2 the backup.  I created another VRID (VRID2) for the same
> interfaces and where Nokia2 is the master and Nokia1 the backup.

Actually you made that clear in your first post (or at least it was
clear to me).

> If I chose Nokia VRRP on the Checkpoint object, I think there would be
> a problem since both Nokia will pass traffic and there would have some
> drops.

I am not following your reasoning here.  You have explicitly set up both
Nokias so that they will pass traffic, and then here you claim it will
be a problem?  If you don't think it will work, why are you setting it
up this way?

I believe the setup you described will work fine.  The biggest problem
would be if you cannot keep traffic preferentially going to the correct
gateway.  That is, if Nokia1 forwards the traffic outbound, but Nokia2
for some reason receives the inbound replies for that traffic, there
will be a big performance problem, because the sync process is not
instantaneous.  Nokia2 will take some time to validate reply traffic and
so it will get dropped a lot.

I will repeat what I said before:  When Checkpoint is running on Nokia
VRRP, it will always go into load-sharing mode, because it cannot figure
out which gateway is going to see traffic.  It does not know the state
of the VRRP, so both gateways will accept and forward any traffic they
happen to receive.  The only problem is that the sync network cannot
communicate changes instantly, as I described above.

If you are certain that clients which prefer to forward through Nokia1
will always have their reply traffic returned via Nokia1, and ditto for
Nokia2, then your scheme will work fine.  I assume that would mean that
you would NAT Nokia1's clients to Nokia1's VRRP IP, and Nokia2's clients
to Nokia2's VRRP IP.  That should do it.

> And I would like to know what really happens if I made a get topology
> with that kind of configuration.

A "get topology" will only return the physical IPs of the gateways, and
it will not see any VRRP.

Be sure to double-check your anti-spoofing config in a complicated setup
like this.

-- 
David DeSimone == Network Admin == [EMAIL PROTECTED]
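An added toy model of the sync-delay argument above (my own illustration, not code from the thread, from Nokia or from Check Point): two stateful gateways exchange connection state over a sync channel with a delay, and a reply that reaches a gateway before the sync update for that connection is dropped.  The VRRP addresses, the client names and the rule that every second reply returns through the other gateway when no per-gateway NAT is used are all constructed assumptions of the model.

```python
from collections import deque

class Gateway:
    """Stateful firewall: replies are accepted only for known connections."""
    def __init__(self, name, vrrp_ip):
        self.name, self.vrrp_ip = name, vrrp_ip   # constructed VRID address
        self.connections, self.dropped = set(), 0

    def add_state(self, conn):
        self.connections.add(conn)   # created locally or learned over sync

    def receive_reply(self, conn):
        if conn in self.connections:
            return True
        self.dropped += 1            # unknown reply: stateful inspection drops it
        return False

def simulate(sync_delay, nat_per_gateway, n_flows=100):
    """Return dropped replies. Flows alternate between gateways; each reply
    returns one tick later while sync state reaches the peer after sync_delay
    ticks. Without per-gateway NAT every second reply is modelled as coming
    back through the other gateway; with it, replies follow the request."""
    gws = (Gateway("Nokia1", "198.51.100.1"), Gateway("Nokia2", "198.51.100.2"))
    syncs, replies = deque(), deque()   # queues of (due_tick, gateway, conn)
    for tick in range(n_flows + sync_delay + 2):
        while syncs and syncs[0][0] <= tick:     # sync delivered before replies
            _, src, conn = syncs.popleft()
            for g in gws:
                if g is not src:
                    g.add_state(conn)
        while replies and replies[0][0] <= tick:
            _, g, conn = replies.popleft()
            g.receive_reply(conn)
        if tick >= n_flows:
            continue
        out = gws[tick % 2]
        nat_ip = out.vrrp_ip if nat_per_gateway else "198.51.100.9"  # shared IP
        conn = ("client-%d" % tick, nat_ip)
        out.add_state(conn)
        syncs.append((tick + sync_delay, out, conn))
        asymmetric = not nat_per_gateway and tick % 2 == 1
        back = gws[(tick + 1) % 2] if asymmetric else out
        replies.append((tick + 1, back, conn))
    return sum(g.dropped for g in gws)
```

With a sync delay longer than the reply round trip, every asymmetrically routed reply is dropped; NATing each gateway's clients to that gateway's own VRRP IP keeps the return path symmetric and the drop count at zero.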