This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Enyi_Ajoku
Collaborator
‎2018-09-27 11:06 AM
Jump to solution

SYNC SET-UP

Hello Folks,

I have 2 Data Centers that are about to be built, consultant is recommending having 2 15400 in DC1 and another 2 in DC2. They intend to have VSX configured on both Data Centers, which we would be one cluster with four cluster members.

DC1 and DC2 are miles apart probably 50 miles apart. 

My question is with regards to VSX and sync interface on the 15400.

Consultant intends to take fiber interfaces on the 15400 and use them as SYNC Interfaces/Network. 

Can this be done?

Thank You

1 Solution

Accepted Solutions
Danny
MVP Platinum
MVP Platinum
‎2018-09-27 02:06 PM
Jump to solution

Some documents you might want to read regarding max. allowed latency (100ms) and packet loss rate (5%) on your sync network.

ClusterXL R80.10 (Part of Check Point Infinity) Administration Guide 

Synchronizing Connection Information Across the Cluster 

ClusterXL R77 Versions Administration Guide

View solution in original post

0 Kudos
7 Replies
JozkoMrkvicka
Authority
Authority
‎2018-09-27 11:27 AM
Jump to solution

The best would be to use fiber ports. Even better to create bond interface with 1G fibers.

As both nodes are 50 miles apart, switch-in-between needs to be used.

Kind regards,
Jozko Mrkvicka
0 Kudos
Enyi_Ajoku
Collaborator
‎2018-09-27 11:38 AM
Jump to solution

How do i configure bond for SYNC interface. I can't find this option in vsx_util?

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-09-27 12:21 PM
In response to Enyi_Ajoku
Jump to solution

By using clish commands as is described in Gaia Administration Guide - Chapter "Network Management" - Network Interfaces - Bond Interfaces (Link Aggregation).

How to view details about the bond interface 

Sync Redundancy in ClusterXL 

Kind regards,
Jozko Mrkvicka
0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-09-27 02:06 PM
Jump to solution

Some documents you might want to read regarding max. allowed latency (100ms) and packet loss rate (5%) on your sync network.

ClusterXL R80.10 (Part of Check Point Infinity) Administration Guide 

Synchronizing Connection Information Across the Cluster 

ClusterXL R77 Versions Administration Guide

0 Kudos
Vladimir
Champion
Champion
‎2018-09-27 02:40 PM
Jump to solution

While it is not impossible, I question the reason behind this design.

Consider: you will not only have to use Sync between sites, but shuttle internal and external traffic as well, if the cluster is failing over to another site.

So you'll saturate the link with normal site-2-site traffic, sync and everything that normally traversing local VS's.

Depending on link or interface buffer saturation, sync may get deprioritized.

Can someone tell me if I'm off in my assumptions? 

0 Kudos
Colin_Campbell1
Contributor
‎2018-09-27 04:42 PM
Jump to solution

Hi,

As long as you have reliable layer 2 connectivity between the sites meeting the ClusterXL requirements for timeouts, rtt, packet loss etc, you should be fine. I was running a cluster with one member in LA and the other in Dallas, which is about 2000km.

Enyi_Ajoku
Collaborator
‎2018-09-30 02:49 PM
In response to Colin_Campbell1
Jump to solution

Yes i do, my layer 2 devices are fiber ports and the native sync port on the 15400 are Ethernet ports. Based on the test i've done and to my knowledge the only time this will works is in a fresh install. I tried to change or create a SYNC in my existing VSX infrastructure and that didnt work. But i could assign a different port when i tried it on my fresh out of the box 15400.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events