This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
subrun_jamil
Contributor
‎2022-01-19 01:23 PM

VRRP Design Question

Hello,

Looking for some design suggestion.

Here is the diagram should explain the scenario. In each FW I have 3 Interfaces, one is WAN and another 2 customer routes or Interfaces configured. 

P1 Interface has Multiple Sub interface. Each of them is /30 subnet and Over /30 remote IP , customer subnets are routed. 

Subnets Configured at P2 Port Sub Interface , is Connected Network. VRRP is configured on this Interfaces. It does not work but I am refreshing these 2 Current Firewall here I am Planning this VRRP to make it work. 

I hope I am able to explain my scenario. In this scenario when some subnets are routed over  P2P network and some are directly connected can I do Clustering ?

or I guess Clustering Considers Full Device right ? But wondering we can do clustering for Subinterfaces connected at P2 ONLY not for the Interfaces where over P2P Interface we routed some subnets. I do not think so still asking. 

Or else If I want to keep it same setup as Some are VRRP and Some are Routed and Redistributed to OSPF , with the connectivity shown will it work  ?

Labels
Preview file
96 KB
0 Kudos
6 Replies
Timothy_Hall
Legend Legend
Legend
‎2022-01-20 06:41 AM

If you are employing VRRP to to perform Load Sharing (not balancing) between the members I'd say you'd be better off using the new Active-Active (NOT Load Sharing Unicast/Multicast) mode of ClusterXL introduced in R80.40.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
subrun_jamil
Contributor
‎2022-01-25 05:50 AM
In response to Timothy_Hall

@Timothy_Hall Thanks for your reply.

My question is if you look at P1 Interface ( Bigger Subnet routed over P2P Sub Interfaces ) and P2 Has Connected Subnets. 

In this scenario, Can I do Clustering ? 

If it does not I can only try VRRP for connected subnets. 

What's the difference between Load Sharing and  balancing ?

Are you able to see the diagram i attached. ?

 

 

Logical_Current.jpg

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-01-25 06:33 AM
In response to subrun_jamil

If not all interfaces are clusterable I would move VRRP to the switches instead and use dynamic routing.

Routers / L3-switches likely have better integration between VRRP and dynamic routing protocols for particular route advertisement & failure scenarios.

CCSM R77/R80/ELITE
0 Kudos
subrun_jamil
Contributor
‎2022-01-26 11:57 AM
In response to Chris_Atkinson

If I move Networks to switch firewall filtering will not be possible right. thats why did not wanted to move vrrp to switches. What you think ?

0 Kudos
subrun_jamil
Contributor
‎2022-01-26 12:11 PM
In response to subrun_jamil

And I should clarify that 2 FW are not at same site at 2 diff site in that case clustering does make sense ? on a shared WAN circuit ?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-01-26 02:33 PM
In response to subrun_jamil

Apologies for not explaining fully.

You would likely also need to leverage VRFs here to seperate the VLANs at Layer-3 and force traffic via a transit interface to the FW to enforce inter-vlan segmentation, this may require a different/new license on some switch platforms.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events