topic Re: ISP REDUNDANCY CLUSTER problem interface. in General Topics

ISP REDUNDANCY CLUSTER problem interface.

wislley — Sun, 29 Mar 2020 02:08:58 GMT

Hello. I have a CLUSTER with two members using R80.10 (take 259). Each member has only one external interface. SG_01 is connected to an ISP via a /30 network and SG_02 is connected to another ISP via another /30 network. In NETWORK MANAGEMENT the external interface eth3 is as PRIVATE as shown.

When i add the links with the ISP, the external interface ETH3 does not appear in the INTERFACE option as shown.

What would be the best practice in this case?

Re: ISP REDUNDANCY CLUSTER problem interface.

Vladimir — Sun, 29 Mar 2020 02:25:37 GMT

I believe that for ISP redundancy to work, you have to introduce L2 switches in your infrastructure between cluster members and ISP routers. You then either have to have subnet larger then /30 to each ISP or use RFC1918 addresses with public IPs as vIPs for each ISP.

Bottom line is that both ISPs should be present on each cluster member if you are using ISP redundancy feature.

If someone knows the above statement to be inaccurate, please let me know.

Vladimir

Re: ISP REDUNDANCY CLUSTER problem interface.

Wolfgang — Sun, 29 Mar 2020 11:47:26 GMT

@Vladimir and @wislley ,

Vladimirs writing is absolutely correct. With ClusterXL you need all networks connected to both nodes. Only networks defined as private can be seperated on the nodes. But these networks can‘t failover between the nodes.

for the problem with the /30 subnets for your external ISP connections... You can use private IPs for the physical nodes and only one external IP for the virtual IP in the topology of your ISP connections. The private IP and the external IP don’t have to be on the same subnet.

Wolfgang

Re: ISP REDUNDANCY CLUSTER problem interface.

wislley — Mon, 30 Mar 2020 02:25:39 GMT

@Vladimir and @Wolfgang, thank you so much for taking the time to help me. As it is a study and test environment, i changed the ISP_01 and IPS_02 networks to /29 and added the external interfaces to the cluster. Everything working very well. I will use ADMIN GUIDE to see other configuration options, such as load balancing.

Re: ISP REDUNDANCY CLUSTER problem interface.

Vladimir — Mon, 30 Mar 2020 03:01:24 GMT

@wislley You are welcome.

Strictly from redundant systems design perspective, provided that the core (SW_PAINT_0) itself is a cluster, you may want to use two L2 switches between Check Point gateways and ISP routers, each connected to a single ISP but to both cluster members.

I've used, in the past builds, same pair of L2 switches for all cluster interconnects, outside, inside and in DMZs.

For the lab environment, it'll work perfectly well as depicted in your diagram.

Regards,

Vladimir