This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
subrun_jamil
Participant
‎2022-01-19 01:23 PM

VRRP Design Question

Hello,

Looking for some design suggestion.

Here is the diagram should explain the scenario. In each FW I have 3 Interfaces, one is WAN and another 2 customer routes or Interfaces configured. 

P1 Interface has Multiple Sub interface. Each of them is /30 subnet and Over /30 remote IP , customer subnets are routed. 

Subnets Configured at P2 Port Sub Interface , is Connected Network. VRRP is configured on this Interfaces. It does not work but I am refreshing these 2 Current Firewall here I am Planning this VRRP to make it work. 

I hope I am able to explain my scenario. In this scenario when some subnets are routed over  P2P network and some are directly connected can I do Clustering ?

or I guess Clustering Considers Full Device right ? But wondering we can do clustering for Subinterfaces connected at P2 ONLY not for the Interfaces where over P2P Interface we routed some subnets. I do not think so still asking. 

Or else If I want to keep it same setup as Some are VRRP and Some are Routed and Redistributed to OSPF , with the connectivity shown will it work  ?

Labels
Preview file
96 KB
0 Kudos
6 Replies
Timothy_Hall
Champion
Champion
‎2022-01-20 06:41 AM

If you are employing VRRP to to perform Load Sharing (not balancing) between the members I'd say you'd be better off using the new Active-Active (NOT Load Sharing Unicast/Multicast) mode of ClusterXL introduced in R80.40.

"Max Capture: Know Your Packets" Self-Guided Video Series
available at http://www.maxpowerfirewalls.com
subrun_jamil
Participant
‎2022-01-25 05:50 AM
In response to Timothy_Hall

@Timothy_Hall Thanks for your reply.

My question is if you look at P1 Interface ( Bigger Subnet routed over P2P Sub Interfaces ) and P2 Has Connected Subnets. 

In this scenario, Can I do Clustering ? 

If it does not I can only try VRRP for connected subnets. 

What's the difference between Load Sharing and  balancing ?

Are you able to see the diagram i attached. ?

 

 

Logical_Current.jpg

0 Kudos
Chris_Atkinson
Employee
Employee
‎2022-01-25 06:33 AM
In response to subrun_jamil

If not all interfaces are clusterable I would move VRRP to the switches instead and use dynamic routing.

Routers / L3-switches likely have better integration between VRRP and dynamic routing protocols for particular route advertisement & failure scenarios.

0 Kudos
subrun_jamil
Participant
‎2022-01-26 11:57 AM
In response to Chris_Atkinson

If I move Networks to switch firewall filtering will not be possible right. thats why did not wanted to move vrrp to switches. What you think ?

0 Kudos
subrun_jamil
Participant
‎2022-01-26 12:11 PM
In response to subrun_jamil

And I should clarify that 2 FW are not at same site at 2 diff site in that case clustering does make sense ? on a shared WAN circuit ?

0 Kudos
Chris_Atkinson
Employee
Employee
‎2022-01-26 02:33 PM
In response to subrun_jamil

Apologies for not explaining fully.

You would likely also need to leverage VRFs here to seperate the VLANs at Layer-3 and force traffic via a transit interface to the FW to enforce inter-vlan segmentation, this may require a different/new license on some switch platforms.

0 Kudos
Related Topics
VRRP Design Question