This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
smohammed
Explorer
‎2021-11-05 01:30 PM

ISP Redundancy

Team,

we have a DMZ cluster on our active site and DR site has standalone. we are going to add DR site to the existing cluster

what we do today is if the active site ISP goes down we turn on the WAN/ISP/External interface on the DR site Standalone though which then our internet traffic works

ISP at both the locations is same and it provides same CIDR range at both locations for ex 123.123.123.128/29 at both locations and our ISP does not do active standby it is active and continuously pass traffic  so that's the reason we turn the interface down so that traffic duplication should not take place.

when we add DR site member to active site cluster we want all the interfaces to be up all the time and checkpoint do ISP redundance and make one ISP standby and one ACTIVE

what I thought is having all the members external interface connected to switch and then ISP from both the locations connect to that switch as gateway is same for both the locations

i need help with best approach to do this

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-11-07 06:47 PM

I'm curious how the ISP knows to route traffic to one location versus the other if both sites have the same block.
Seems like that could be solved by using Dynamic Routing or similiar.

smohammed
Explorer
‎2021-11-08 07:06 AM
In response to PhoneBoy

I am not sure what ISP is doing on their end. when you say Dynamic routing what do you suggest as an example.  currently on the default route on the members we have given gateway defined, can we define interface instead and does checkpoint has some feature to have active standby on the interface level

0 Kudos
PhoneBoy
Admin
Admin
‎2021-11-08 08:23 AM
In response to smohammed

If you define an interface as the default route (versus a specific IP address), that will mean an ARP entry will be required for every server you connect to on the Internet.
This will cause the ARP table to full up and was problematic even on my home network.
It would fail spectacularly in an enterprise environment.

Dynamic Routing means using BGP or OSPF, which if you're not using it already may not necessarily be an effective strategy.
You really need to find out what the ISP is doing here.
That said, if it's just a matter of using a different next hop for the default route, you can set two of them and configure different priorities and a monitored address for each one.

Screen Shot 2021-11-08 at 8.19.59 AM.png

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events