Velocity Reviews - Computer Hardware Reviews
Checkpoint FW1 High Availability mode and Cisco switches.

PJML
01-20-2004
Anyone out there using Checkpoint Firewall-1 in "High
Availability new Mode" connected to a Cisco 2948G-L3
switch?

This involves multicast MAC-addresses and is something
that I'm not too sure about. Plan is to define 2 ports
on the 2948G-L3 to connect to the redundant pair of
firewalls, with a dedicated Ethernet crossover-cable
between the 2 firewalls so they can communicate between
each other, then define the 2 ports on the 2948 as
members of a VLAN. The idea is that the 2948 fires
packets at the multicast MAC-address defined for the
two interfaces on the two firewalls, and whichever
one is the active member at the time handles it, the
standby member ignores the packet....

-PeteL.
Alan Strassberg
01-20-2004
In article <400d5705$(E-Mail Removed)>, PJML <(E-Mail Removed)> wrote:
>Anyone out there using Checkpoint Firewall-1 in "High
>Availability new Mode" connected to a Cisco 2948G-L3
>switch?
>
>This involves multicast MAC-addresses and is something
>that I'm not too sure about. Plan is to define 2 ports
>on the 2948G-L3 to connect to the redundant pair of
>firewalls, with a dedicated Ethernet crossover-cable
>between the 2 firewalls so they can communicate between
>each other, then define the 2 ports on the 2948 as
>members of a VLAN. The idea is that the 2948 fires
>packets at the multicast MAC-address defined for the
>two interfaces on the two firewalls, and whichever
>one is the active member at the time handles it, the
>standby member ignores the packet....


We use Stonebeat which is a multicast based failover
(probably the same as Checkpoint) with multiple switches
for HA. You need to set up the destination MAC addresses
on the switch like so (Cisco 3500 example):

mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2

These docs below explain better (watch the wrap).
And just VLAN each 'net (DMZ, service rails, choke net, etc).
Do not allow routing between VLANs, force traffic thru firewall.

3500/2900 switches
ftp://download.stonesoft.com/web/Sup...NSwitches3.pdf

2948G switches
ftp://download.stonesoft.com/web/Sup...NSwitches2.pdf

alan
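An added check, not part of the thread or of any vendor's tooling, that parses static entries of the form quoted above and verifies that each firewall-cluster shared MAC is forwarded to exactly the two cluster member ports. It assumes the 2900XL/3500XL reading of the syntax, `mac-address-table static <mac> <in-port> <out-port> [<out-port> ...]`: the first interface is the port the frame arrives on, the remaining interfaces are where frames with that destination MAC are sent instead of being flooded. The sample config, the second and third cluster MACs, the port numbers and the interface descriptions are constructed for the example; only the first static line is Alan's. The check also reports the I/G bit, because 0808.0808.0808 is formally a unicast address: without a static entry a switch learns a shared unicast MAC on whichever port last sourced it (so only one member receives traffic), whereas an unpinned multicast MAC is flooded to every port in the VLAN.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample config (example only). The first static line is the one
# quoted in the thread; the second entry, the interface descriptions and the
# port numbers are made up to show a mis-scoped entry.
SAMPLE_CONFIG = """\
interface FastEthernet 0/1
 description FW-A outside
interface FastEthernet 0/2
 description FW-B outside
interface FastEthernet 0/4
 description border router
mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2
mac-address-table static 0909.0909.0909 FastEthernet 0/7 FastEthernet 0/5 FastEthernet 0/8
"""

# Constructed: the ports each cluster shared MAC must reach (both members).
# The third MAC is a placeholder multicast address with no static entry at all.
EXPECTED_CLUSTER_PORTS: Dict[str, Set[str]] = {
    "0808.0808.0808": {"FastEthernet 0/1", "FastEthernet 0/2"},
    "0909.0909.0909": {"FastEthernet 0/5", "FastEthernet 0/6"},
    "0100.5e11.2233": {"FastEthernet 0/10", "FastEthernet 0/11"},
}

STATIC_RE = re.compile(
    r"^\s*mac-address-table\s+static\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(.*)$"
)
PORT_RE = re.compile(r"((?:Fast|Gigabit)?Ethernet)\s*(\d+/\d+)")


@dataclass
class StaticEntry:
    mac: str
    in_port: str          # port the frame arrives on
    out_ports: List[str]  # ports it is forwarded to instead of being flooded


def is_multicast(mac: str) -> bool:
    """True if the I/G bit (least significant bit of the first octet) is set."""
    return int(mac[:2], 16) & 1 == 1


def parse_static_entries(config: str) -> List[StaticEntry]:
    """Extract static MAC entries; assumes <mac> <in-port> <out-port>... ordering."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        ports = [f"{kind} {num}" for kind, num in PORT_RE.findall(m.group(2))]
        if len(ports) < 2:
            continue  # malformed: needs an in-port and at least one out-port
        entries.append(StaticEntry(m.group(1).lower(), ports[0], ports[1:]))
    return entries


def audit(config: str, expected: Dict[str, Set[str]]) -> List[str]:
    """One finding per deviation from the expected member-port set."""
    findings = []
    entries = parse_static_entries(config)
    for e in entries:
        want = expected.get(e.mac)
        if want is None:
            findings.append(f"{e.mac}: static entry (in-port {e.in_port}) for a MAC not in the cluster list")
            continue
        got = set(e.out_ports)
        for p in sorted(want - got):
            findings.append(f"{e.mac}: cluster port {p} missing; that member sees no traffic arriving on {e.in_port}")
        for p in sorted(got - want):
            findings.append(f"{e.mac}: non-cluster port {p} receives firewall traffic from {e.in_port}")
    seen = {e.mac for e in entries}
    for mac in expected:
        if mac not in seen:
            if is_multicast(mac):
                kind, why = "multicast", "will be flooded to every port in the VLAN"
            else:
                kind, why = "unicast", "will be learned on one port, so only the member that last sent a frame receives traffic"
            findings.append(f"{mac}: no static entry; a {kind} MAC {why}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, EXPECTED_CLUSTER_PORTS):
        print(finding)
```

Run against a real config, the expected-port map is the only thing to edit; an empty result means every cluster MAC is pinned to both members and to nothing else, which is the condition under which the standby member keeps receiving frames after a failover without the rest of the VLAN seeing firewall traffic.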
Matthew Melbourne
01-20-2004
In article <bujrkq$c35$(E-Mail Removed)>,
Alan Strassberg <(E-Mail Removed)> wrote:

> We use Stonebeat which is a multicast based failover (probably the
> same as Checkpoint) with multiple switches for HA. You need to setup
> the destination MAC addresses on the switch like so (Cisco 3500
> example) :
>
> mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet
> 0/1 FastEthernet 0/2
>
> These docs below explain better (watch the wrap). And just VLAN each
> 'net (DMZ, service rails, choke net, etc). Do not allow routing between
> VLANs, force traffic thru firewall.
>
> 3500/2900 switches
> ftp://download.stonesoft.com/web/Sup...al%20Notes/SGS
> -TECNSwitches3.pdf


I have two 'external' switches (one VLAN), but connected via a
port-channel, presumably I could take a similar approach to constrain the
L2 multicast traffic between two Nokia IP530s?

Cheers,

Matt

--
Matthew Melbourne
Alan Strassberg
01-20-2004
In article <(E-Mail Removed)>,
Matthew Melbourne <(E-Mail Removed)> wrote:
>In article <bujrkq$c35$(E-Mail Removed)>,
> Alan Strassberg <(E-Mail Removed)> wrote:
>
>> We use Stonebeat which is a multicast based failover (probably the
>> same as Checkpoint) with multiple switches for HA. You need to setup

[...]

>I have two 'external' switches (one VLAN), but connected via a
>port-channel, presumably I could take a similar approach to constrain the
>L2 multicast traffic between two Nokia IP530s?


Yep. Looking at a switch attached to a pair of active-active Nokias,
the switch config has the same "mac-address" stuff per the URLs
I posted.

This should help keep the multicast down. Actually I'm surprised
it's worked without it. This only makes sense for an active-active
setup.

alan
MC
01-23-2004
Off topic, however I am using Stonebeat FullCluster 3.0, upgrading to 3.5, on
a pair of SUN boxes with Checkpoint NG.

I was looking at whether Checkpoint's ClusterXL is any better, worse or the same
compared to Stonebeat's FullCluster product as in reliability and
performance.

I am using Nortel switches on the LAN connections and had a time getting the
multicast to work correctly, but so far everything works great without any
problems.

Now I am also thinking of maybe using Cisco switches instead of Nortel
since we are using Cisco routers, and thought since upgrading I would look at
the cluster part.

Are you satisfied with the Stonebeat product, any thoughts?

How are Cisco switches working with the multicasting?

One other issue I am looking at is trying to figure out if I can run
VRRP/HSRP between two Cisco routers for LAN interface redundancy with the
firewalls also using multicasting. Anyone done this with Checkpoint, either
clustering product?

Thanks,
MC


"Matthew Melbourne" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <bujrkq$c35$(E-Mail Removed)>,
> Alan Strassberg <(E-Mail Removed)> wrote:
>
> > We use Stonebeat which is a multicast based failover (probably the
> > same as Checkpoint) with multiple switches for HA. You need to setup
> > the destination MAC addresses on the switch like so (Cisco 3500
> > example) :
> >
> > mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet
> > 0/1 FastEthernet 0/2
> >
> > These docs below explain better (watch the wrap). And just VLAN each
> > 'net (DMZ, service rails, choke net, etc). Do not allow routing between
> > VLANs, force traffic thru firewall.
> >
> > 3500/2900 switches
> > ftp://download.stonesoft.com/web/Sup...al%20Notes/SGS
> > -TECNSwitches3.pdf

>
> I have two 'external' switches (one VLAN), but connected via a
> port-channel, presumably I could take a similar approach to constrain the
> L2 multicast traffic between two Nokia IP530s?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne
