This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DPB_Point
Contributor
Contributor
‎2019-04-06 06:01 AM

Active/Active VSX Cluster for multibridge

Hello team!

 

I have a VSX Cluster and, by design, we need to configure multibridge. According Checkpoint VSX Guide:

Multi Bridges

This feature is supported only in R77.30 and higher, for VSX Gateways, and VSX clusters in Active/Active Bridge mode.

Configuring Clusters for Active/Active Bridge Mode

To enable the Active/Active Bridge mode for a cluster:

  1. Open SmartConsole.
  2. From the Network Objects tree, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. Select Other > VSX Bridge Configuration.
  4. Select Standard Layer-2 Loop Detection Protocols.

          802.1q • 802.1D • 802.1s • 802.1w • PVST+

 

As far as I know, this configuration design is not like Multicast/unicast Active/Active load sharing. I haven't found so much official info about traffic flow with this kind of configuration.

  • Do you have any experience with this deployments?
  • Could you provide me with more information about this type of deployment? 
  • Is there usually a common problem with the STP or any prior consideration necessary?

I understand that the SPT will block one of the two paths so that all the traffic passes through one  cluster member.

  • Is that active/active bridge mode behaviour?
  • What happens if one way STP is blocking member1 and in the other way the member2?

I explain, for multibridge we need active/active bridge mode and, with this mode, the VS inside de VSX cluster and the VSX cluster itself, will work in ClusterXl based on STP, not on CCP packets. With STP I see some problems.

  • With STP we have the convergence time in play, the ClusterXL CCP packets would no longer be used. When a member fail, the failover time will depend on the convergence time of the STP topology.
  • In other firewalls working with active/active (as checkpoint loadshare), asymmetric traffic is delivered to the cluster member that has the information of the connection. I do not know if checkpoint works like that with this active/active bridge STP design. How does traffic flow between members?
  • Ports in block state for STP: One of the two paths will be forwarding and the other one in block state. What can happen if the traffic from source to destination flows through one path and the return traffic from destination comes along other path through the other cluster member? Will be there any problems?

 

I don't know if I have clear ideas with this configuration so any help will be welcome. 

Thank you so much in advance!

2 Replies
_Val_
Admin
Admin
‎2019-04-08 06:59 AM

Hi,

 

do I understand correctly you want to run some VSs in a bridge mode and need this system to be in Active / Active state?

If so, you have expressed some valid concerns, but also made not 100% correct assumptions. CCP is still pretty much in play, for fault detections, cluster messaging and sync. However, indeed, STP decision is required to fall traffic back to the remaining member, if one of the VSs fails. It usually takes more time than ClusterXL failover. Mind STP decision is not done on VSX exclusively, but mostly on your adjacent network devices. 

Say, if you have something like: Switch/Router A <-> VSX cluster <-> Switch/Router B, switches will have to recalculate STP. One caveat here is about VSX starting. There is a period in time when the Bridge VS is UP on both sides, but STP is not yet calculated. That might cause a loop for up to STP conversion time. 

Some of my customers did experience that in production, and it is not smooth experience. 

I would strongly advise to consider ClusterXL HA mode, even for Bridge mode VSs.

DPB_Point
Contributor
Contributor
‎2019-04-09 01:48 AM
In response to _Val_

Thank you so much for the information and clarifications. The thing is that as we need multibridge is mandatory to configure active/active bridge mode. We will evaluate the options with the information provided.

 

Thanks again! 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events