Hi there,

I have a little "design" question. We are in the process of designing an
internet firewall cluster with NG R55, Cluster XL with load sharing
multicast mode. 

On the ISP side, there is a redundant connection but as it is a single
ISP, they provide two Cisco routers with HSRP (basically, active/passive
system with a virtual IP). So, logically it's a single internet
connection with a single default route / router vIP.

Has anyone ever played with HSRP and such an NG cluster?

One of the questions is how to physically connect the firewalls to the
routers, the second question is about layer 2... On layer 3 I think /
hope there is no problem, provided we use the same multicast ARP static
table on both routers, the virtual IPs of the firewall and of the HSRP
will not cause any problem.

Is this kind of setup realistic:


FW-nodeA------switch1------routerA
                 |      
                 |
                 |
FW-nodeB------switch2------routerB


This is obviously not perfect and this setup could be better if
supported:


FW-nodeA----switch1------routerA
        \  /
         \/     
         /\
        /  \
FW-nodeB----switch2------routerB

However, as all IPs (firewall nodes, fw cluster vIP, router interfaces,
router vIP/HSRP_IP) have to be in the same interconnection subnet, I
guess the second schema is not feasible without NIC bonding/teaming
(that is: two physical NICs are considered as one network interface
with 1 IP)... and, correct me if I am wrong, neither Check Point NG nor
NGX supports bonding/teaming...

Well, any thoughts about all this stuff are welcome. However, it is a
priori not possible for us to use NGX and its routing/dualISP facilities
(due to project constraints).

Thanks,
Alain
