Pim_Dimmedal
Participant

VSX: virtual switch/router?

I'm investigating the possibilities for our company to migrate to Check Point and use the VSX solution, but I'm having some difficulties understanding the best solution to use regarding virtual switches or routers.

I've attached a PDF of a possible solution where we migrate all our dedicated customer firewalls to one virtual system per customer running on a dedicated firewall cluster.

All of our customers are placed within their own VLANs and have traffic flowing in both directions (customer to internet and internet to customer, no traffic is needed between customers). I think I'm forced to use a vRouter on the LAN side because I need to do something with source-based routing to direct it towards the corresponding virtual system, or are there possibilities using a vSwitch here?

For the WAN side I think I can use both solutions: a vSwitch where we use our edge router to send traffic to the corresponding virtual system, or a vRouter where traffic is directed by the vRouter towards the corresponding virtual system.

What are the pros and cons of using vSwitches or vRouters, and does anyone have suggestions on which solution is feasible?

0 Kudos
5 Replies
Maarten_Sjouw
Champion

First of all I would stay away from vRouter, as in your situation you will most probably want to use VSLS, where you can use multiple cluster members and share the load across them. On the internet side you would use a vSwitch, as you most probably will use 1 VLAN to hook the different customers to the Internet?

On the internal side you will need to use a trunk with a VLAN per customer to your router and hook each VLAN into each customer's VRF.

At least that is how we do it. vSwitch is used whenever there is a need to use the same VLAN on more than one VS.

All other traffic, also DMZ's, are just connected via a VLAN directly to the VS.

To get back to the clustering, VSLS is Virtual System Load Sharing and allows you to define how the load will be shared, there are 3 options:

  1. automatic based on the weight you assign to each VS (default is 10)
  2. all on 1 box
  3. specific VS assigned to a physical box, so manual assignment

In all of the above options HA is still available, so when 1 box fails, the VSs will be moved over to the other member(s).

Next to that, when you do have more than 2 members there are 3 states for each VS on each member; it can be

  1. active: this is the member that is handling all traffic for that VS
  2. standby: this is the member that is getting the state table updates and will take over when the active member fails
  3. backup: this is the member that is in cold standby; it will move to standby if it is the only other member available, or when it is the next in priority to become standby when the active fails.
Regards, Maarten
Pim_Dimmedal
Participant

The internet side makes perfect sense to me. However, preferably I want to get rid of all internal customer routers and use the Check Point firewall for internal routing, connecting this to our LAN switch stack with all our servers attached. A vSwitch doesn't work then. Are the vRouters that complicated to configure, or are there other reasons to stay away from them?

I haven't looked into the VSLS yet, but this seems to be useful.

0 Kudos
Maarten_Sjouw
Champion

The problem with vRouter is that it cannot be used in conjunction with VSLS. When you have a provider type setup, as we do, each customer VRF is handed off into a VLAN and the MPLS routers take care of the rest.

The problem with customers is that their IP space will be prone to overlaps, therefore you cannot mix their traffic and each customer will need their own routing. In the end that will end at the VS that handles their traffic completely separated from all other customers' traffic.

Regards, Maarten
0 Kudos
Pim_Dimmedal
Participant

I'm not quite sure if I understand what you're saying. Our customers don't have overlaps in their IP space; it is already segmented into VLANs. We can easily give the Check Points their required IPs within these existing VLANs.

You're mentioning "therefore you cannot mix their traffic and each customer will need their own routing. In the end that will end at the VS that will handle their traffic completely separated from all other customers' traffic": is this the case in your setup or by using vRouters? What I want to achieve is a dedicated VS per customer, so it's no issue for me that each customer/VS needs their own routing.

VSLS is something I might find useful but ClusterXL should also work fine with 2 physical appliances.

0 Kudos
Maarten_Sjouw
Champion

When you already have each customer on a VLAN and you are able to get that VLAN to the associated VS there is no need for any vRouter.

I will just give the advice to use VSLS when you can. It is an improvement on top of ClusterXL and will allow you to set 1 box as the main box, let's say at 80%, but it will also allow you to run both boxes at 40% by sharing the load.

Do keep in mind it is easy to set up VSLS from the start, and when you see your load is growing you just add another member and the load will be divided across all 3 members evenly.

Regards, Maarten
0 Kudos
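The VSLS behaviour Maarten describes in this thread (the three distribution options: automatic by VS weight, everything on one box, or manual pinning; and the active/standby/backup state of each VS on each member, with a failed member's VSs moving to their standby), as an added illustrative model. It is not part of the original posts and not Check Point's own placement algorithm: the member names fw1..fw3, the customer VS names, the weights and the greedy "lowest weighted load first" balancing rule are constructed assumptions, so the block only shows what the weights, priorities and states mean, not how a real cluster decides placement.

```python
"""Illustrative model of VSX Virtual System Load Sharing (VSLS) as
described in the thread above. Constructed example, not Check Point code.

- Each VS carries a weight (default 10 in the thread).
- Each VS has an ordered member priority list: the first live member
  is active, the second is standby (receives state sync), the rest
  are backup (cold standby).
- When a member fails, its active VSs move to their standby member and
  the next member in priority becomes the new standby.
"""
from dataclasses import dataclass, field

ACTIVE, STANDBY, BACKUP = "active", "standby", "backup"


@dataclass
class VirtualSystem:
    name: str
    weight: int = 10                 # VSLS weight, thread default
    priority: list = field(default_factory=list)  # member order


def distribute_by_weight(vs_list, members):
    """Option 1: automatic distribution by weight.

    Greedy rule (an assumption of this model): place the heaviest VS
    first, each on the member with the lowest weighted load so far,
    ties broken by cluster order. The remaining members, ascending
    load, become that VS's standby/backup order.
    Returns the weighted load per member.
    """
    load = {m: 0 for m in members}
    for vs in sorted(vs_list, key=lambda v: -v.weight):
        order = sorted(members, key=lambda m: (load[m], members.index(m)))
        vs.priority = order
        load[order[0]] += vs.weight
    return load


def pin_to_member(vs_list, members, home):
    """Options 2 and 3: all VSs on one box (home is a member name) or a
    manual assignment (home is a dict VS name -> member name). The other
    members follow in cluster order as standby/backup."""
    for vs in vs_list:
        first = home if isinstance(home, str) else home[vs.name]
        vs.priority = [first] + [m for m in members if m != first]


def active_member(vs, up):
    """Member currently active for vs given the set of live members."""
    live = [m for m in vs.priority if m in up]
    return live[0] if live else None


def vs_states(vs, up):
    """State of vs on every live member: active, standby or backup."""
    live = [m for m in vs.priority if m in up]
    return {m: (ACTIVE if i == 0 else STANDBY if i == 1 else BACKUP)
            for i, m in enumerate(live)}


def failover(vs_list, up, failed):
    """Take one member out of service. Returns the new live set and, for
    each VS that was active on the failed member, the member that took
    over (its former standby)."""
    new_up = set(up) - {failed}
    moved = {vs.name: active_member(vs, new_up)
             for vs in vs_list if active_member(vs, up) == failed}
    return new_up, moved


if __name__ == "__main__":
    # Constructed sample: three cluster members, four customer VSs,
    # one customer weighted double.
    members = ["fw1", "fw2", "fw3"]
    vss = [VirtualSystem("custA"), VirtualSystem("custB"),
           VirtualSystem("custC", weight=20), VirtualSystem("custD")]
    up = set(members)
    print("load per member:", distribute_by_weight(vss, members))
    for vs in vss:
        print(vs.name, vs_states(vs, up))
    up, moved = failover(vss, up, "fw1")
    print("after fw1 failure, moved:", moved)
    for vs in vss:
        print(vs.name, vs_states(vs, up))
```

Running the block shows the point of the thread's advice: with weights the cluster can be run balanced across members instead of one hot box, and a member failure only moves the VSs that were active there, each to its own standby, while the backup member steps up to standby.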