This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
2 weeks ago
Jump to solution

Setting up ClusterXL in different DCs

Hey everyone,

Is it possible to set up a ClusterXL when both members are going to be located in different geographically separated data centers?

My question is how this works in terms of IP addressing, knowing that both sites will have different ISPs and therefore different public IP address blocks.

In such an environment, is it possible to set up ClusterXL?

Because I assume that a VIP is needed for the external part, but in this scenario I have doubts about how the deployment would be done and whether it would actually be possible.

Thank you for your comments

0 Kudos
3 Solutions

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
2 weeks ago
Jump to solution

For best results, a ClusterXL cluster must share layer 2 spaces on every interface. So for situations like yours it's better to have a separate internet routing layer handle your two ISPs that can then integrate with the gateway cluster via a shared switching layer. This way internet failover is handled separately to firewall failover. 

An alternative is the Active-Active option outlined in the ClusterXL admin guide, where all interfaces are independent layer 3 scenarios and traffic path selection is handled at a routing layer, which functionally means you need dynamic routing happening at every interface. There are limitations here outlined in the admin guide to take careful note of.

View solution in original post

0 Kudos
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
Jump to solution

Sounds like this would apply?

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ClusterXL_AdminGuide/Content/Topic...

Best,
Andy

View solution in original post

0 Kudos
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
Jump to solution

As mentioned earlier, this is generally not a problem at all.
For example, in my hometown we operate a cluster across two data centers that are about 20 km apart.

The important requirement is (as already stated as well) to use stretched Layer-2 networks (stretched VLANs) so that the same VLAN IDs are available in both data centers.

In the sync VLAN, latency between both cluster nodes must remain below 100 ms to ensure reliable state/session synchronization.

Because a stretched VLAN is used, the internet routers also have an internal interface in the same VLAN.

We additionally run VSX with VSLS to distribute the virtual systems efficiently across both sites.

Everything else comes down to proper routing, both inside the LAN and towards the internet.

 
and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

View solution in original post

11 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
2 weeks ago
Jump to solution

For best results, a ClusterXL cluster must share layer 2 spaces on every interface. So for situations like yours it's better to have a separate internet routing layer handle your two ISPs that can then integrate with the gateway cluster via a shared switching layer. This way internet failover is handled separately to firewall failover. 

An alternative is the Active-Active option outlined in the ClusterXL admin guide, where all interfaces are independent layer 3 scenarios and traffic path selection is handled at a routing layer, which functionally means you need dynamic routing happening at every interface. There are limitations here outlined in the admin guide to take careful note of.

0 Kudos
Matlu
MVP Silver
MVP Silver
2 weeks ago
In response to emmap
Jump to solution

So far, I only have the comment that both sites will use "dark fiber" for communication.
My question is about the public (external) interface.
I understand from your comment that for scenarios like this, it is better to have the deployment mode set to ACTIVE-ACTIVE and use a separate ROUTING layer?

Is there a practical example that could help me better understand this point?

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
2 weeks ago
In response to Matlu
Jump to solution

Active/Active isn't necessarily the better idea here, as it affects how every interface works. If you want it to be a more familiar layer 2 next hop redundancy situation then you're better off with the separated routing layer for the ISPs.

The way to think of the Active/Active situation is as if it is two entirely separate gateways that you want to manage with dynamic routing.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
Jump to solution

Sounds like this would apply?

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ClusterXL_AdminGuide/Content/Topic...

Best,
Andy
0 Kudos
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
Jump to solution

As mentioned earlier, this is generally not a problem at all.
For example, in my hometown we operate a cluster across two data centers that are about 20 km apart.

The important requirement is (as already stated as well) to use stretched Layer-2 networks (stretched VLANs) so that the same VLAN IDs are available in both data centers.

In the sync VLAN, latency between both cluster nodes must remain below 100 ms to ensure reliable state/session synchronization.

Because a stretched VLAN is used, the internet routers also have an internal interface in the same VLAN.

We additionally run VSX with VSLS to distribute the virtual systems efficiently across both sites.

Everything else comes down to proper routing, both inside the LAN and towards the internet.

 
and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Matlu
MVP Silver
MVP Silver
2 weeks ago
In response to Vincent_Bacher
Jump to solution

Hello,
So, does this involve VXLAN?
I understand that it does, at least to achieve L2 connectivity.

I understand that having two different ISPs at each site is not a problem?

We are not going to use VSX; we simply want to use the traditional ClusterXL modes but in geographically distant areas.

0 Kudos
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
In response to Matlu
Jump to solution

tbh i dunno. As both DC are at same provider, this is a service provided by them and we don't have to care, which technology they use. For us, it's just "stretched VLAN" 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
(1)
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to Vincent_Bacher
Jump to solution

I LOVE that term...stretched VLAN lol

Best,
Andy
0 Kudos
Vincent_Bacher
Leader Leader
Leader
2 weeks ago
In response to the_rock
Jump to solution

I don't even know if there's an “official” term for it, and frankly, I don't care. The provider has a name for it. And I didn't remember that either. 🤔

I could also call it a chewing gum VLAN or a rubber band VLAN. Whatever. 🤣

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
In response to Vincent_Bacher
Jump to solution

Copilot agrees 🙂

Screenshot_1.png

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
a week ago
Jump to solution

Hey brother,

Just for a context, though we provided best options, happen to have basic network diagram?

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events