Check Point Clustering between two Datacenters
Dear Mates
We are currently experiencing routing asymmetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem.
I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separated Datacenters (a few kilometers away from each other). Are there any distance constraints?
If there is no distance constraint, since the current version of GAIA we are using (R80.20) does not support Load-sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic.
Can Maestro be used in order to take advantage of the 4 appliances?
The rationale for this question is because we are thinking of turning the 4 Check Point Appliances into a single cluster.
Thanks in Advance
For the main question, answers can be found in the Advanced Technical Reference Guide (ATRG) for ClusterXL R6x, R7x and R8x.
Concerning Maestro - this currently only works using 6500, 6800 and 23800 appliances...
Hi G_W_Albrecht
Thanks for your help.
Looking at point 2.3 Restrictions on the recommended document it says: latency on synchronization network is less than ~30 milliseconds and packet loss is less than ~2-3%.
So there should be no problem as long as I can assure that this recommendation is met. Let's say I have fiber cable that links both Datacenters.
Thanks once again
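
The sync-network limits quoted in the post above (latency under ~30 ms, packet loss under ~2-3%) can be checked from a ping run across the inter-site sync link. This is an added example, not part of the original thread or Check Point tooling; the function name, the use of the maximum RTT and the lower 2% loss bound are assumptions, and the sample ping summary is constructed.

```shell
#!/usr/bin/env bash
# Limits as quoted in the thread from ATRG section 2.3. Using the lower end
# of "~2-3%" and judging on the maximum RTT are assumptions of this example.
MAX_RTT_MS=30
MAX_LOSS_PCT=2

# check_sync_link (hypothetical helper): reads `ping` output on stdin,
# prints a verdict, returns 0 = within limits, 1 = outside, 2 = unparseable.
check_sync_link() {
    awk -v max_rtt="$MAX_RTT_MS" -v max_loss="$MAX_LOSS_PCT" '
        /packet loss/ {
            # The loss figure is the only field of the form "<number>%".
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+%$/) { loss = $i; sub(/%/, "", loss); have_loss = 1 }
        }
        /^(rtt|round-trip) / {
            # "rtt min/avg/max/mdev = a/b/c/d ms" -> keep avg and max.
            split($0, halves, " = ")
            split(halves[2], v, "/")
            avg = v[2]; max = v[3]; have_rtt = 1
        }
        END {
            if (!have_loss) { print "UNKNOWN: no ping summary found"; exit 2 }
            # With 100% loss ping prints no rtt line at all.
            if (!have_rtt)  { print "FAIL: no replies, loss=" loss "%"; exit 1 }
            ok = (max + 0 < max_rtt + 0) && (loss + 0 < max_loss + 0)
            printf "%s: avg=%sms max=%sms loss=%s%%\n", (ok ? "OK" : "FAIL"), avg, max, loss
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: summary of a ping over a link with 2-3 ms delay.
# On a live gateway, pipe real output instead: ping -c 100 <peer-sync-ip> | check_sync_link
check_sync_link <<'EOF'
PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.
--- 192.0.2.2 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19027ms
rtt min/avg/max/mdev = 2.103/2.514/3.020/0.231 ms
EOF
```

A single ping run is only a snapshot; repeating the check under production load gives a more realistic picture of the sync link.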
You're right. We too are running a cluster over a 15 km distance on dark fiber without problems.
With Maestro you can have your four appliances running as one system. But you too need more orchestrators, and right now there is no support for a long-distance solution with Maestro. It will be available in the future.
And like G_W_Albrecht wrote, only a few appliances are supported by Maestro.
If you can have more than one firewall instance running in your cluster, maybe VSX in VSLS is a solution for you.
Regards
Wolfgang
However, they all need to be at the same location, as there is no multi-room nor multi-site support at this moment.
We run multiple clusters spread across the country, 20 to 120 km apart; as long as the underlying network is properly supporting it, you should be just fine.
Hi Maarten
Thanks for your help.
Would you kindly share which clustering mode you are using, HA or Load-sharing?
The distance between our Datacenters is from 15 km to 55 km, but we have 10G links between the sites.
Regards
In VSX we run VSLS on almost all our clusters; this allows us to evenly share the load while still allowing for enough power when a failover occurs.
Just a quick question. When using VSX, does asymmetric routing also apply to different VSX, or is traffic from one VSX also accepted by another VSX?
VSX is only useful when you can separate traffic streams over different virtual gateways. Each virtual gateway can reside on either of the physical boxes and is mostly used to make sure the traffic is taken care of on the site it is passing thru.
Just one last question: how can I check whether my firewall supports VSX (we are using 21000 series)? Do you need a special license in order to enable VSX?
A lot of people will tell you more than 1 but technically you can use vs0 as well.
Hi Wolfgang
Thanks for your help.
Which clustering mode are you using, HA or Load-Sharing?
I will read up on VSX.
Thanks once again
Have you got Layer 2 low-latency dark fiber in between DCs?
If you do, CCP should fly across just fine, as others mentioned.
Regardless of the build, whether it is R77x or R80.xx, it will work as long as you've got proper layer 2 tuned and in relatively 1-10GB/s spanning.
Hi Jerry
We have a 10G link between the Datacenters with an observed delay of 2 to 3 ms.
Jerry,
I think this isn't possible. Maestro does not support Multi-Site environment.
Have a look at the Maestro FAQ sk147853:
How many orchestrators are supported in a cluster?
Currently, two orchestrators can work together. MultiSite support for 2x2 orchestrators is planned for a future release.
What throughput is needed between MHOs for sync?
MHO-170 requires a 40GB DAC cable or a 100GB DAC cable. MHO-140 requires a 10GB DAC cable.
Regards
Wolfgang
Maestro will support multi-site in the near future. Stay tuned.