Blason_R
Leader

Can I achieve below topology?

Hi All,

I have an R81 cluster firewall and now the requirement came up to configure and terminate another MPLS link. However, due to an interface connector constraint, the link is delivered as a 5Gb/s link and I do not have a 10Gb/s NIC. Hence we decided to terminate the link on one firewall and keep that interface as private.

So my topology is:

Cluster:
VIP 10.10.10.10
VIP 10.10.20.10

FW1
eth0 10.10.10.20
eth1 10.10.20.20
Sync 10.10.30.20
eth2 10.10.40.20

FW2
eth0 10.10.10.30
eth1 10.10.20.30
Sync 10.10.30.10

So on firewall 1, 10.10.40.20 is configured as a private interface and my next router is 10.10.40.50, on which I need to configure the BGP peering. I noticed that my peering is not coming up. Can someone please confirm whether this topology will work? I mean, if the firewalls are in a cluster and I need to use one interface which is not part of the cluster, will it be able to route the traffic?
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
PhoneBoy
Admin

Did you mark eth2 as unmonitored/private in the cluster object?

the_rock
Legend

I read your post and PhoneBoy brought up a very good point. Eth2, based on what you wrote, would be marked as a private (non-clustered) interface in this scenario, so to answer your question, yes, it would be possible.

Oliver_Fink
Advisor

As far as I understand the situation, interface eth2 will be able to route traffic as long as FW1 is the active one. With FW2 active, the traffic from eth0 and eth1 will not reach eth2 on FW1.

Blason_R
Leader

Hi Team,

I tested this scenario in my lab and unfortunately the BGP peering was not coming up at all on that non-monitored interface. I tried all the things, but it is not coming up. I then, again for testing purposes, created a cluster on that interface and it immediately came up. I guess once the cluster is defined, Check Point is not accepting traffic on a non-monitored interface.

I removed the cluster from that interface and the peering is lost for sure.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Oliver_Fink
Advisor

You want to use this private interface for setting up BGP routing for the cluster? I do not think it would work on a private interface. One question is: how should the other node get this routing information?

Or am I misunderstanding something completely?

Blason_R
Leader

Yes - BGP peering is configured on the private interface and the peering was not coming up unless and until that interface was added as part of the cluster. The other node is fine in case of failure - I can adjust on it, and I understood that in case of failure the traffic will not be failed over.
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chris_Atkinson
Employee

Please refer to sk116815; unfortunately, such a configuration is unsupported.

CCSM R77/R80/ELITE
Oliver_Fink
Advisor

That was what I expected. Thanks for the SK – which reads:

RouteD daemon does not allow the Dynamic Routing protocols to initialize on non-Cluster interfaces.

That makes some sense to me.

Alex-
Leader

You could use R81.10, which supports a loopback in ClusterXL for dynamic protocols.

What's New in R81.10

Clustering

  • Use a loopback interface with Dynamic Routing in ClusterXL environments.
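The two points made above, that RouteD does not initialize dynamic routing on non-cluster interfaces (sk116815, as quoted by Oliver_Fink) and that R81.10 allows a loopback interface for dynamic routing in ClusterXL (Alex-'s note), can be turned into a pre-change lint of a cluster topology. The script below is an added example for this thread, not Check Point code and not anything the posters ran: the `Interface`/`Member`/`Peer` data model, the `lint_cluster` function and the simplified Gaia version comparison are my own assumptions; the addresses and interface names in `thread_topology()` are the ones from the original post, and `loopback_topology()` is a constructed variant.

```python
"""Pre-change lint for a ClusterXL topology carrying a dynamic-routing peer.

Added example (not Check Point code). The data model and the two checks are
assumed; the rule "RouteD does not initialize dynamic routing on non-cluster
interfaces" is sk116815 as quoted in the thread, and the loopback exception is
the R81.10 "What's New" item. Addresses in thread_topology() are as posted.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: str
    clustered: bool            # True = defined in the cluster object (has a VIP)
    loopback: bool = False


@dataclass
class Member:
    name: str
    interfaces: dict = field(default_factory=dict)   # name -> Interface

    def add(self, iface):
        self.interfaces[iface.name] = iface
        return self


@dataclass
class Peer:
    protocol: str              # e.g. "BGP"
    local_interface: str       # interface the peering is bound to
    remote: str                # peer address


def version_tuple(gaia_version):
    """'R81' -> (81, 0), 'R81.10' -> (81, 10). Assumed simplification of the
    Gaia version string; enough to compare against R81.10."""
    nums = [int(p) for p in gaia_version.lstrip("Rr").split(".")]
    return tuple(nums + [0] * (2 - len(nums)))


def lint_cluster(members, peers, gaia_version):
    """Return a list of findings (an empty list means nothing was flagged)."""
    findings = []

    # Check 1: an interface present on only some members cannot fail over
    # (Oliver_Fink's point: with the other member active, eth2 is unreachable).
    all_names = set()
    for m in members:
        all_names.update(m.interfaces)
    for ifname in sorted(all_names):
        missing = [m.name for m in members if ifname not in m.interfaces]
        if missing:
            findings.append(
                f"{ifname}: absent on {', '.join(missing)}; traffic on it "
                f"cannot fail over to that member")

    # Check 2: dynamic routing bound to a non-cluster interface (sk116815).
    # R81.10 and later allow a loopback interface for dynamic routing in ClusterXL.
    loopback_allowed = version_tuple(gaia_version) >= (81, 10)
    for p in peers:
        for m in members:
            iface = m.interfaces.get(p.local_interface)
            if iface is None or iface.clustered:
                continue
            if iface.loopback and loopback_allowed:
                continue
            findings.append(
                f"{p.protocol} peer {p.remote} via {m.name}/{iface.name}: "
                f"non-cluster interface, RouteD will not initialize the "
                f"protocol here (sk116815)")
    return findings


def thread_topology():
    """The topology from the original post (addresses as posted)."""
    fw1 = (Member("FW1")
           .add(Interface("eth0", "10.10.10.20", clustered=True))
           .add(Interface("eth1", "10.10.20.20", clustered=True))
           .add(Interface("Sync", "10.10.30.20", clustered=True))
           .add(Interface("eth2", "10.10.40.20", clustered=False)))  # private
    fw2 = (Member("FW2")
           .add(Interface("eth0", "10.10.10.30", clustered=True))
           .add(Interface("eth1", "10.10.20.30", clustered=True))
           .add(Interface("Sync", "10.10.30.10", clustered=True)))
    return [fw1, fw2], [Peer("BGP", "eth2", "10.10.40.50")]


def loopback_topology():
    """Constructed variant: no eth2, both members carry a loopback for the peering."""
    fw1 = (Member("FW1")
           .add(Interface("eth0", "10.10.10.20", clustered=True))
           .add(Interface("Sync", "10.10.30.20", clustered=True))
           .add(Interface("lo", "192.0.2.1", clustered=False, loopback=True)))
    fw2 = (Member("FW2")
           .add(Interface("eth0", "10.10.10.30", clustered=True))
           .add(Interface("Sync", "10.10.30.10", clustered=True))
           .add(Interface("lo", "192.0.2.2", clustered=False, loopback=True)))
    return [fw1, fw2], [Peer("BGP", "lo", "10.10.40.50")]


if __name__ == "__main__":
    for label, (members, peers), ver in [
        ("as posted, R81", thread_topology(), "R81"),
        ("loopback, R81", loopback_topology(), "R81"),
        ("loopback, R81.10", loopback_topology(), "R81.10"),
    ]:
        print(f"== {label} ==")
        for finding in lint_cluster(members, peers, ver) or ["no findings"]:
            print("  " + finding)
```

Run against the posted topology on R81 it reports two findings: eth2 exists only on FW1, so nothing on that link survives a failover, and the BGP peer is bound to a non-cluster interface, which is exactly the sk116815 condition. The loopback variant is flagged on R81 and clean on R81.10, matching the "What's New" item; whether a loopback design fits a 5Gb/s MPLS hand-off that physically exists on one member is a separate question the thread does not settle.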
Sorin_Gogean
Advisor

Hello,

My 2 cents on the topic: since you don't have enough 10Gb ports on the cluster members, why aren't you using some access switches (a cluster for redundancy) to extend the ports and create VLANs over bundled 10Gb member interfaces?

Then you can terminate as many connections to the access switch as you need and overcome the limitation of the lack of ports.

In our environment we have bundled two 10Gb towards the LAN side and two 10Gb towards the WAN side.

On the WAN bundle interface, we have subinterfaces/VLANs used accordingly...

Thank you,

PS: for redundancy/high availability, don't terminate things into single ports - my take here.
