Velocity Reviews

PJML 01-20-2004 04:27 PM

Checkpoint FW1 High Availability mode and Cisco switches.
 
Anyone out there using Checkpoint Firewall-1 in "High
Availability new Mode" connected to a Cisco 2948G-L3
switch?

This involves multicast MAC-addresses and is something
that I'm not too sure about. Plan is to define 2 ports
on the 2948G-L3 to connect to the redundant pair of
firewalls, with a dedicated Ethernet crossover-cable
between the 2 firewalls so they can communicate between
each other, then define the 2 ports on the 2948 as
members of a VLAN. The idea is that the 2948 fires
packets at the multicast MAC-address defined for the
two interfaces on the two firewalls, and whichever
one is the active member at the time handles it, the
standby member ignores the packet....

-PeteL.


Alan Strassberg 01-20-2004 06:22 PM

Re: Checkpoint FW1 High Availability mode and Cisco switches.
 
In article <400d5705$1@news.nwl.ac.uk>, PJML <pjml@nerc.ac.uk.loopback> wrote:
>Anyone out there using Checkpoint Firewall-1 in "High
>Availability new Mode" connected to a Cisco 2948G-L3
>switch?
>
>This involves multicast MAC-addresses and is something
>that I'm not too sure about. Plan is to define 2 ports
>on the 2948G-L3 to connect to the redundant pair of
>firewalls, with a dedicated Ethernet crossover-cable
>between the 2 firewalls so they can communicate between
>each other, then define the 2 ports on the 2948 as
>members of a VLAN. The idea is that the 2948 fires
>packets at the multicast MAC-address defined for the
>two interfaces on the two firewalls, and whichever
>one is the active member at the time handles it, the
>standby member ignores the packet....


We use Stonebeat which is a multicast based failover
(probably the same as Checkpoint) with multiple switches
for HA. You need to set up the destination MAC addresses
on the switch like so (Cisco 3500 example):

mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2

These docs below explain better (watch the wrap).
And just VLAN each 'net (DMZ, service rails, choke net, etc).
Do not allow routing between VLANs, force traffic thru firewall.

3500/2900 switches
ftp://download.stonesoft.com/web/Sup...NSwitches3.pdf

2948G switches
ftp://download.stonesoft.com/web/Sup...NSwitches2.pdf

alan
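The reason the static entry matters is that the firewalls never source frames from the shared cluster MAC, so a learning switch never associates it with a port and floods every frame for it to the whole VLAN; the static entry pins it to the firewall ports. The following Python model is an added example, not code from the thread or from Stonesoft/Check Point/Cisco. It assumes the 2900XL/3500XL reading of the command, `mac-address-table static <mac> <in-port> <out-port-list>` (frames for that MAC entering on the in-port go only to the listed out-ports), and all port names and NIC MACs other than `0808.0808.0808` are constructed.

```python
"""Constructed model of one VLAN on a learning switch, showing what happens to
frames for the firewall cluster's shared MAC before and after a static entry.
Added example; port names and NIC MACs below are invented."""
from dataclasses import dataclass, field

CLUSTER_MAC = "0808.0808.0808"   # shared destination MAC from the thread's example


def normalize(mac: str) -> str:
    """Canonical 12-hex-digit form; accepts 0808.0808.0808 or 08:08:08:08:08:08."""
    hexstr = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"bad MAC: {mac!r}")
    return hexstr


def is_multicast(mac: str) -> bool:
    """I/G bit (least-significant bit of the first octet) set => group address."""
    return bool(int(normalize(mac)[:2], 16) & 0x01)


@dataclass
class Vlan:
    ports: frozenset
    learned: dict = field(default_factory=dict)   # mac -> port that sourced it
    static: dict = field(default_factory=dict)    # mac -> (in_port, out_ports)

    def learn(self, src_mac: str, port: str) -> None:
        self.learned[normalize(src_mac)] = port

    def add_static(self, mac: str, in_port: str, out_ports) -> None:
        """Model of a 2900XL/3500XL-style static entry with an in-port and an
        out-port list (assumed reading of the command on the page)."""
        self.static[normalize(mac)] = (in_port, frozenset(out_ports))

    def forward(self, dst_mac: str, in_port: str) -> frozenset:
        """Set of ports a frame for dst_mac arriving on in_port is sent out of."""
        dst = normalize(dst_mac)
        if dst in self.static:
            static_in, outs = self.static[dst]
            # Model assumption: the entry applies only to frames entering on its
            # in-port; a frame for this MAC from any other port is dropped.
            return outs - {in_port} if in_port == static_in else frozenset()
        learned_port = self.learned.get(dst)
        if learned_port is not None and not is_multicast(dst):
            return frozenset({learned_port}) - {in_port}
        # Unknown unicast or group address: flood to every other port in the VLAN.
        return self.ports - {in_port}


def static_command(mac: str, in_port: str, out_ports) -> str:
    """Render the IOS line for a static entry, port names written as on the page."""
    return " ".join(["mac-address-table static", mac, in_port, *sorted(out_ports)])


def demo() -> dict:
    fw_ports = {"FastEthernet 0/1", "FastEthernet 0/2"}
    uplink = "FastEthernet 0/4"
    vlan = Vlan(ports=frozenset(fw_ports | {uplink, "FastEthernet 0/3"}))
    # Constructed MACs: each firewall sends from its own NIC address, so the
    # shared cluster MAC is never learned against any port.
    vlan.learn("0011.2233.4455", "FastEthernet 0/1")   # firewall A NIC
    vlan.learn("0011.2233.4456", "FastEthernet 0/2")   # firewall B NIC
    vlan.learn("0022.3344.5566", "FastEthernet 0/3")   # unrelated host on the VLAN
    before = vlan.forward(CLUSTER_MAC, uplink)          # flooded
    vlan.add_static(CLUSTER_MAC, uplink, fw_ports)
    after = vlan.forward(CLUSTER_MAC, uplink)           # constrained
    return {
        "before": before,
        "after": after,
        "leaked_before": before - frozenset(fw_ports),  # ports that saw firewall-bound traffic
        "command": static_command(CLUSTER_MAC, uplink, fw_ports),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, frozenset) else value}")
```

Run stand-alone, `demo()` shows the frame for `0808.0808.0808` reaching FastEthernet 0/3 (a host that has no business seeing firewall-bound traffic) before the entry exists, and only the two firewall ports afterwards; `command` reproduces the exact line from the post above, so the model can be checked against a real config.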

Matthew Melbourne 01-20-2004 10:10 PM

Re: Checkpoint FW1 High Availability mode and Cisco switches.
 
In article <bujrkq$c35$1@internal.wj.com>,
Alan Strassberg <alan@internal.wj.com> wrote:

> We use Stonebeat which is a multicast based failover (probably the
> same as Checkpoint) with multiple switches for HA. You need to setup
> the destination MAC addresses on the switch like so (Cisco 3500
> example) :
>
> mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet
> 0/1 FastEthernet 0/2
>
> These docs below explain better (watch the wrap). And just VLAN each
> 'net (DMZ, service rails, choke net, etc). Do not allow routing between
> VLANs, force traffic thru firewall.
>
> 3500/2900 switches
> ftp://download.stonesoft.com/web/Sup...al%20Notes/SGS
> -TECNSwitches3.pdf


I have two 'external' switches (one VLAN), but connected via a
port-channel, presumably I could take a similar approach to constrain the
L2 multicast traffic between two Nokia IP530s?

Cheers,

Matt

--
Matthew Melbourne

Alan Strassberg 01-20-2004 11:31 PM

Re: Checkpoint FW1 High Availability mode and Cisco switches.
 
In article <4c73eea7dcmatt@n0spam.melbourne.org.uk>,
Matthew Melbourne <matt@n0spam.melbourne.org.uk> wrote:
>In article <bujrkq$c35$1@internal.wj.com>,
> Alan Strassberg <alan@internal.wj.com> wrote:
>
>> We use Stonebeat which is a multicast based failover (probably the
>> same as Checkpoint) with multiple switches for HA. You need to setup

[...]

>I have two 'external' switches (one VLAN), but connected via a
>port-channel, presumably I could take a similar approach to constrain the
>L2 multicast traffic between two Nokia IP530s?


Yep. Looking at a switch attached to a pair of active-active Nokias,
the switch config has the same "mac-address" stuff per the URLs
I posted.

This should help keep the multicast down. Actually I'm surprised
it's worked without it. This only makes sense for an active-active
setup.

alan

MC 01-23-2004 11:52 PM

Re: Checkpoint FW1 High Availability mode and Cisco switches.
 
Off topic, however I am using Stonebeat FullCluster 3.0, upgrading to 3.5, on
a pair of SUN boxes with Checkpoint NG.

I was looking at whether Checkpoint's ClusterXL is any better, worse or the same
compared to Stonebeat's FullCluster product as in reliability and
performance.

I am using Nortel switches on the LAN connections and had a time getting the
multicast to work correctly, but so far everything works great without any
problems.

Now I am also thinking of maybe using Cisco switches instead of Nortel
since we are using Cisco routers, and thought since upgrading I would look at
the cluster part.

Are you satisfied with the Stonebeat product, any thoughts?

How are Cisco switches working with the multicasting?

One other issue I am looking at is trying to figure out if I can run
VRRP/HSRP between two Cisco routers for LAN interface redundancy with the
firewalls also using multicasting. Anyone done this with Checkpoint, either
clustering product?

Thanks,
MC


"Matthew Melbourne" <matt@n0spam.melbourne.org.uk> wrote in message
news:4c73eea7dcmatt@n0spam.melbourne.org.uk...
> In article <bujrkq$c35$1@internal.wj.com>,
> Alan Strassberg <alan@internal.wj.com> wrote:
>
> > We use Stonebeat which is a multicast based failover (probably the
> > same as Checkpoint) with multiple switches for HA. You need to setup
> > the destination MAC addresses on the switch like so (Cisco 3500
> > example) :
> >
> > mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet
> > 0/1 FastEthernet 0/2
> >
> > These docs below explain better (watch the wrap). And just VLAN each
> > 'net (DMZ, service rails, choke net, etc). Do not allow routing between
> > VLANs, force traffic thru firewall.
> >
> > 3500/2900 switches
> > ftp://download.stonesoft.com/web/Sup...al%20Notes/SGS
> > -TECNSwitches3.pdf

>
> I have two 'external' switches (one VLAN), but connected via a
> port-channel, presumably I could take a similar approach to constrain the
> L2 multicast traffic between two Nokia IP530s?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne
