topic Re: Can I achieve below topology? in General Topics

Can I achieve below topology?

Blason_R — Mon, 28 Nov 2022 17:51:07 GMT

Hi All,

I have R81 cluster firewall and now the requirement came up to configure and terminate another MPLS link. However due to the interface connector constraint where the link is delivered is a 5Gb/s link and I do not have 10Gb/s NIC. Hence we decide the terminate the link on one firewall and keep that interface at private.

So my topology is

FW1

cluster :

VIP10.10.10.10

VIP 10.10.20.10

FW1

eth0 10.10.10.20

eth1 10.10.20.20

Sync 10.10.30.20

eth2 10.10.40.20

Fw2

eth0 10.10.10.30

eth1 10.10.20.30

Sync 10.10.30.10

So on firewall 1 10.10.40.20 is a Private interface configured and my next router is 10.10.40.50 on which I need to configure the BGP peering. I noticed that my peering is not coming up. Can someone please confirm if this topology will work? I mean if the firewalls are in cluster and if I need to use one interface which is not a part of cluster; will it be able to route the traffic?

Re: Can I achieve below topology?

PhoneBoy — Tue, 29 Nov 2022 01:15:35 GMT

Did you mark eth2 as unmonitored/private in the cluster object?

Re: Can I achieve below topology?

the_rock — Tue, 29 Nov 2022 01:59:17 GMT

I read your post and phoneboy brought up very good point. Eth2, based on what you wrote, would be marked as private (NON clustered) interface in this scenario, so to answer your question, yes, it would be possible.

Re: Can I achieve below topology?

Oliver_Fink — Tue, 29 Nov 2022 08:37:57 GMT

As far as I understand the situation, interface eth2 will be able to route traffic as long as FW1 ist the active one. With FW2 active, the traffic from eth0 and eth1 will not reach eth2 on FW1.

Re: Can I achieve below topology?

Blason_R — Tue, 29 Nov 2022 08:42:52 GMT

Hi Team,

I tested this scenario in my lab and unfortunately the BGP peering was not coming up at all on that non-monitored interface. I tried all the things but this not coming up. I then again for testing purpose created a cluster on that interface and it immediately came up. I guess once the cluster is defined checkpoint was not accepting a traffic on non-monitored interface.

I removed the cluster from that interface and peering is lost for sure.

Re: Can I achieve below topology?

Oliver_Fink — Tue, 29 Nov 2022 09:00:24 GMT

You want to use this private interface for setting BGP routing for the cluster? I do not think it would work on a private interface. One question is: How should the other node get this routing information?

Or am I misunderstanding something completely?

Re: Can I achieve below topology?

Blason_R — Tue, 29 Nov 2022 09:35:12 GMT

Yes - BGP peering is configured on private interface and peering was not coming up unless and until that interface is added as part of cluster. Other node is fine in case of failure - I can adjust on it and understood in case of failure traffic will not be failed over.

Re: Can I achieve below topology?

Chris_Atkinson — Tue, 29 Nov 2022 09:50:51 GMT

Please refer sk116815, unfortunately such configuration is unsupported.

Re: Can I achieve below topology?

Oliver_Fink — Tue, 29 Nov 2022 10:27:59 GMT

That was what I expected. Thanks for the SK – which reads:

RouteD daemon does not allow the Dynamic Routing protocols to initialize on non-Cluster interfaces.

That makes some sense to me.

Re: Can I achieve below topology?

Alex- — Tue, 29 Nov 2022 10:56:39 GMT

You could use R81.10 which supports a loopback in ClusterXL for dynamic protocols.

What's New in R81.10

Clustering

Use a loopback interface with Dynamic Routing in ClusterXL environments.

Re: Can I achieve below topology?

Sorin_Gogean — Tue, 29 Nov 2022 13:51:21 GMT

Hello,

My 2 cents on the topic, since you don't have enough 10Gb ports on the cluster members, why aren't you using some Access switches (a cluster for redundancy) to extend the ports and create Vlans over bundled 10Gb members interfaces?

Then you can terminate as many connections to the Access switch and you can overcome the limitations of the lack of ports.

In our environment we have bundled two 10Gb towards the LAN side and two 10Gb towards the WAN side.

On the WAN bundle interface, we have subinterfaces/vlans used accordingly...

Thank you,

PS: for redundancy/high availability, don't terminate things into single ports - my take here.....