Checkpoint FW1 High Availability mode and Cisco switches.

Discussion in 'Cisco' started by PJML, Jan 20, 2004.

  1. PJML

    PJML Guest

    Anyone out there using Checkpoint Firewall-1 in "High
    Availability new Mode" connected to a Cisco 2948G-L3
    switch?

    This involves multicast MAC-addresses and is something
    that I'm not too sure about. Plan is to define 2 ports
    on the 2948G-L3 to connect to the redundant pair of
    firewalls, with a dedicated Ethernet crossover-cable
    between the 2 firewalls so they can communicate between
    each other, then define the 2 ports on the 2948 as
    members of a VLAN. The idea is that the 2948 fires
    packets at the multicast MAC-address defined for the
    two interfaces on the two firewalls, and whichever
    one is the active member at the time handles it, the
    standby member ignores the packet....

    -PeteL.
     
    PJML, Jan 20, 2004
    #1

  2. In article <400d5705$>, PJML <> wrote:
    >Anyone out there using Checkpoint Firewall-1 in "High
    >Availability new Mode" connected to a Cisco 2948G-L3
    >switch?
    >
    >This involves multicast MAC-addresses and is something
    >that I'm not too sure about. Plan is to define 2 ports
    >on the 2948G-L3 to connect to the redundant pair of
    >firewalls, with a dedicated Ethernet crossover-cable
    >between the 2 firewalls so they can communicate between
    >each other, then define the 2 ports on the 2948 as
    >members of a VLAN. The idea is that the 2948 fires
    >packets at the multicast MAC-address defined for the
    >two interfaces on the two firewalls, and whichever
    >one is the active member at the time handles it, the
    >standby member ignores the packet....


    We use Stonebeat, which is a multicast-based failover
    (probably the same as Checkpoint), with multiple switches
    for HA. You need to set up the destination MAC addresses
    on the switch like so (Cisco 3500 example):

    mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2

    These docs below explain it better (watch the wrap).
    And just VLAN each 'net (DMZ, service rails, choke net, etc.).
    Do not allow routing between VLANs; force traffic through the firewall.

    3500/2900 switches
    ftp://download.stonesoft.com/web/Support/StoneBeat/Technical Notes/SGSB-TECNSwitches3.pdf

    2948G switches
    ftp://download.stonesoft.com/web/Support/StoneBeat/Technical Notes/SGSB-TECNSwitches2.pdf

    alan
     
    Alan Strassberg, Jan 20, 2004
    #2
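    The reason the static entry matters, as an added toy model rather than code from the thread or from Stonesoft/Check Point: a switch learns only unicast source MACs, so a cluster's shared multicast MAC is never learned and every frame to it floods the whole VLAN until the MAC is pinned to the firewall ports. Port names, VLAN numbers, the per-VLAN keying of the table and the cluster MAC 0100.5e11.2233 are all constructed for illustration.

```python
# Added example, not from the thread. Toy model of a switch's L2 forwarding
# decision for a multicast-MAC firewall cluster. Port names, VLANs and the
# cluster MAC are constructed; real Cisco static-entry syntax differs.

def is_multicast(mac: str) -> bool:
    """I/G bit: least-significant bit of the first octet set => group MAC."""
    return int(mac.split(".")[0][:2], 16) & 1 == 1

class Switch:
    def __init__(self, vlan_of: dict):
        self.vlan_of = vlan_of          # port -> access VLAN
        self.table = {}                 # (vlan, mac) -> set of egress ports

    def add_static(self, mac, vlan, ports):
        """Rough equivalent of 'mac-address-table static': pin MAC to ports."""
        self.table[(vlan, mac)] = set(ports)

    def learn(self, src, in_port):
        # Only unicast sources are learned; the cluster MAC never appears as
        # a source (members reply from their own NIC MAC), so it stays unknown.
        if not is_multicast(src):
            self.table[(self.vlan_of[in_port], src)] = {in_port}

    def forward(self, in_port, dst, src):
        """Return the set of ports the frame is sent out of."""
        vlan = self.vlan_of[in_port]
        self.learn(src, in_port)
        entry = self.table.get((vlan, dst))
        if entry is None:               # unknown dst: flood the whole VLAN
            entry = {p for p, v in self.vlan_of.items() if v == vlan}
        return entry - {in_port}

FW_MAC = "0100.5e11.2233"   # constructed cluster multicast MAC (I/G bit set)
# Fa0/1, Fa0/2 = firewalls; Fa0/4 = router; Fa0/5 = host; Fa0/6 = other VLAN
PORTS = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/4": 10, "Fa0/5": 10, "Fa0/6": 20}

def flooding_without_static():
    sw = Switch(PORTS)
    return sw.forward("Fa0/4", FW_MAC, "0000.0c00.0004")   # host Fa0/5 sees it too

def constrained_with_static():
    sw = Switch(PORTS)
    sw.add_static(FW_MAC, 10, ["Fa0/1", "Fa0/2"])
    return sw.forward("Fa0/4", FW_MAC, "0000.0c00.0004")   # firewall ports only

def other_vlan_isolated():
    sw = Switch(PORTS)
    sw.add_static(FW_MAC, 10, ["Fa0/1", "Fa0/2"])
    return sw.forward("Fa0/6", FW_MAC, "0000.0c00.0006")   # VLAN 20: no delivery

if __name__ == "__main__":
    print("no static entry:", sorted(flooding_without_static()))
    print("static entry   :", sorted(constrained_with_static()))
    print("from VLAN 20   :", sorted(other_vlan_isolated()))
```

    The third case is why Alan's "VLAN each 'net" advice pairs with the static entry: the pinned ports only apply inside the firewall's VLAN, and a frame arriving from another VLAN never reaches the cluster MAC at layer 2.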

  3. In article <bujrkq$c35$>,
    Alan Strassberg <> wrote:

    > We use Stonebeat which is a multicast based failover (probably the
    > same as Checkpoint) with multiple switches for HA. You need to setup
    > the destination MAC addresses on the switch like so (Cisco 3500
    > example) :
    >
    > mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet
    > 0/1 FastEthernet 0/2
    >
    > These docs below explain better (watch the wrap). And just VLAN each
    > 'net (DMZ, service rails, choke net, etc). Do not allow routing between
    > VLANs, force traffic thru firewall.
    >
    > 3500/2900 switches
    > ftp://download.stonesoft.com/web/Support/StoneBeat/Technical Notes/SGS
    > -TECNSwitches3.pdf


    I have two 'external' switches (one VLAN), but connected via a
    port-channel, presumably I could take a similar approach to constrain the
    L2 multicast traffic between two Nokia IP530s?

    Cheers,

    Matt

    --
    Matthew Melbourne
     
    Matthew Melbourne, Jan 20, 2004
    #3
  4. In article <>,
    Matthew Melbourne <> wrote:
    >In article <bujrkq$c35$>,
    > Alan Strassberg <> wrote:
    >
    >> We use Stonebeat which is a multicast based failover (probably the
    >> same as Checkpoint) with multiple switches for HA. You need to setup

    [...]

    >I have two 'external' switches (one VLAN), but connected via a
    >port-channel, presumably I could take a similar approach to constrain the
    >L2 multicast traffic between two Nokia IP530s?


    Yep. Looking at a switch attached to a pair of active-active Nokias,
    the switch config has the same "mac-address" stuff per the URLs
    I posted.

    This should help keep the multicast down. Actually I'm surprised
    it's worked without it. This only makes sense for an active-active
    setup.

    alan
     
    Alan Strassberg, Jan 20, 2004
    #4
  5. PJML

    MC Guest

    Off topic, however: I am using Stonebeat FullCluster 3.0, upgrading to 3.5, on
    a pair of Sun boxes with Checkpoint NG.

    I was looking at whether Checkpoint's ClusterXL is any better, worse or the same
    compared to Stonebeat's FullCluster product in reliability and
    performance.

    I am using Nortel switches on the LAN connections and had a time getting the
    multicast to work correctly, but so far everything works great without any
    problems.

    Now I am also thinking of maybe using Cisco switches instead of Nortel,
    since we are using Cisco routers, and thought that since I am upgrading I would look at
    the cluster part.

    Are you satisfied with the Stonebeat product? Any thoughts?

    How are Cisco switches working with the multicasting?

    One other issue I am looking at is trying to figure out if I can run
    VRRP/HSRP between two Cisco routers for LAN interface redundancy with the
    firewalls also using multicasting. Has anyone done this with Checkpoint, with either
    clustering product?

    Thanks,
    MC


    "Matthew Melbourne" <> wrote in message
    news:...
    > In article <bujrkq$c35$>,
    > Alan Strassberg <> wrote:
    >
    > > We use Stonebeat which is a multicast based failover (probably the
    > > same as Checkpoint) with multiple switches for HA. You need to setup
    > > the destination MAC addresses on the switch like so (Cisco 3500
    > > example) :
    > >
    > > mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet
    > > 0/1 FastEthernet 0/2
    > >
    > > These docs below explain better (watch the wrap). And just VLAN each
    > > 'net (DMZ, service rails, choke net, etc). Do not allow routing between
    > > VLANs, force traffic thru firewall.
    > >
    > > 3500/2900 switches
    > > ftp://download.stonesoft.com/web/Support/StoneBeat/Technical Notes/SGS
    > > -TECNSwitches3.pdf

    >
    > I have two 'external' switches (one VLAN), but connected via a
    > port-channel, presumably I could take a similar approach to constrain the
    > L2 multicast traffic between two Nokia IP530s?
    >
    > Cheers,
    >
    > Matt
    >
    > --
    > Matthew Melbourne
     
    MC, Jan 23, 2004
    #5
