Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Vladimir
Champion
Champion

Sizing Check Point appliances for Core Router roles

I have a few clients looking to implement Check Point HA clusters as their core routers with security overlays and am interested in getting your input on how to best assess the existing traffic volume to properly size the appliances for these projects.

Presently, the throughput limitations are the back-plane routing capacity of the L3 switches.

What I am essentially trying to achieve is to quantify combined inter-VLAN routing throughput of the switches, and would like to hear your take on how to achieve that.

Thank you,

Vladimir 

4 Replies
PhoneBoy
Admin
Admin

You'd have to query the switches to find out the throughput they are undergoing.

From that you can put the bandwidth numbers and required blades into the Appliance Sizing Tool, at least as a starting point.

But, I would be careful replacing a "Core Router" with a "Core Firewall" as it creates a single point of failure in the environment. 

I would use different firewalls depending on the tolerance for outages, throughput requirements, governance, segmentation, etc. 

From there, you can come up with a design that meets the performance and security requirements.

0 Kudos
Vladimir
Champion
Champion

Conceptually, core router HA and firewall in the same role represent same single point of failure.

Admittedly, the router, being relatively simple is not as likely to suffer downtime or impact overall network performance as the Check Point Cluster under load.

This being said, unless clients are willing to go the route of multiple standard clusters or VSX HA, there is little else that could be done.

So I am looking for the ways to measure the inter VLAN throughput of the Cisco cluster for sizing, but am not sure how to get those metrics from the switches.

G_W_Albrecht
Legend
Legend

Maybe ask the Cisco UG ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
Vladimir
Champion
Champion

Thanks Gunther. This ship has already sailed, but the answer was "it could not be done on these switches, you have to upgrade to the model such and such to be able to do so".

Needless to say, that did not happen. So we've ended-up doing the measurements by eye after graphing utilization of individual ports and VLANs in PRTG.

Now they are a proud owners of high performance 15400s, which were collecting dust over the summer.

I'll be doing the implementation by the end of this month with gradual migration of the networks to it and let you know how it'll work out.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events