Hello Everyone,
I would greatly appreciate your response and time in trying to provide information with regards to my post.
Is anyone familiar with this architectural deployment:
Site A and Site B: Different Geographic Locations
Switches: Nexus
Architecture: VXLAN, LAN Extension
Firewall: CheckPoint
Architecture: VSX
Firewall: One cluster with four members (2 members in Site A and 2 members in Site B)
Switches: 4 nexus switches (2 in site A and 2 in site B). VXLAN LAN Extension.
Layer 3: BGP between Cluster and Nexuses
Layer 2: Vlans between Cluster and Nexuses
I would suggest to either commission CP Professional Services or a partner with a similar level of expertise! I would not assume that some tips from CheckMates could successfully guide you through what you want to achieve (you did not write what you intend to understand or do with that complicated deployment). Or are you CCSE / CCSM certified yourself?
Hi Enyi,
Could you be more specific with your question please? At this point we are just looking at random components I believe so if you could specify what it is you need help with it would be great.
You're right, but my thought process was that anyone who has such a deployment would have an understanding of the concept. So this is my issue here:
Site A is my primary build, I have SIC trust established between members in Site A and Site B
Members in Site A and Site B are joined and communicating with the Management Station.
I have BGP configured and established between the members and nexus in Site A but not with the nexus in Site B
A ping test to the nexus in Site B gives a destination unreachable result, and the same thing happens when I test to Site A from members in Site B
I also wanted to add that when I do a cphaprob stat I get the following: active, standby, down, down
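As an added example (not code from any post in this thread or from Check Point): a small Python parser for `cphaprob stat`-style output that flags members outside ACTIVE/STANDBY and reports whether an entire site has no healthy member, which is the "active, standby, down, down" picture above with both Site B members down. The sample text is constructed in the general column layout of ClusterXL output (assumed, verify against your own gateway), the member names and addresses are made up, and the name-to-site map is a hypothetical input supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the general shape of `cphaprob stat` output on a
# ClusterXL member. Column layout is assumed from typical output; names and
# addresses are invented for this example.
SAMPLE_CPHAPROB_STAT = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.11      100%            ACTIVE         fw-siteA-1
2          192.0.2.12      0%              STANDBY        fw-siteA-2
3          192.0.2.13      0%              DOWN           fw-siteB-1
4          192.0.2.14      0%              DOWN           fw-siteB-2
"""

# Hypothetical name -> site mapping; in practice this comes from your CMDB.
SITE_OF = {"fw-siteA-1": "A", "fw-siteA-2": "A",
           "fw-siteB-1": "B", "fw-siteB-2": "B"}

# States in which a member is a usable part of the cluster.
HEALTHY_STATES = {"ACTIVE", "STANDBY"}


@dataclass
class Member:
    member_id: int
    is_local: bool
    address: str
    load_pct: int
    state: str
    name: str


# One member row: "<id> [(local)] <addr> <load>% <state> <name>"
MEMBER_RE = re.compile(
    r"^(?P<id>\d+)\s*(?P<local>\(local\))?\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<load>\d+)%\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<name>\S+)$"
)
MODE_RE = re.compile(r"^Cluster Mode:\s*(?P<mode>.+?)\s*$")


def cluster_mode(text: str) -> str:
    """Return the value of the 'Cluster Mode' line, or '' if absent."""
    for line in text.splitlines():
        m = MODE_RE.match(line.strip())
        if m:
            return m.group("mode")
    return ""


def parse_cphaprob_stat(text: str) -> List[Member]:
    """Parse member rows; header, blank and unrecognised lines are skipped."""
    members: List[Member] = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if not m:
            continue
        members.append(Member(
            member_id=int(m.group("id")),
            is_local=m.group("local") is not None,
            address=m.group("addr"),
            load_pct=int(m.group("load")),
            state=m.group("state").upper(),
            name=m.group("name"),
        ))
    return members


def degraded_members(members: List[Member]) -> List[Member]:
    """Members that are neither ACTIVE nor STANDBY (e.g. DOWN)."""
    return [m for m in members if m.state not in HEALTHY_STATES]


def sites_without_healthy_member(members: List[Member],
                                 site_of: Dict[str, str]) -> List[str]:
    """Sites in which no member is ACTIVE or STANDBY. Every member of one
    site DOWN while the other site is fine is the pattern to expect when the
    cluster/sync VLAN does not actually span both sites."""
    healthy_by_site: Dict[str, bool] = {}
    for m in members:
        site = site_of.get(m.name, "unknown")
        healthy_by_site[site] = (healthy_by_site.get(site, False)
                                 or m.state in HEALTHY_STATES)
    return sorted(site for site, ok in healthy_by_site.items() if not ok)


def summarize(text: str, site_of: Optional[Dict[str, str]] = None) -> dict:
    """One-shot health summary suitable for a monitoring check."""
    members = parse_cphaprob_stat(text)
    bad = degraded_members(members)
    return {
        "mode": cluster_mode(text),
        "total": len(members),
        "states": [m.state for m in members],
        "degraded": [m.name for m in bad],
        "dead_sites": sites_without_healthy_member(members, site_of or {}),
        "ok": not bad,
    }


if __name__ == "__main__":
    # Run on a gateway you would pipe `cphaprob stat` into this instead.
    print(summarize(SAMPLE_CPHAPROB_STAT, SITE_OF))
```

On the sample this reports two degraded members and site B with no healthy member; the same check run periodically on each site's members gives an early signal that the cluster VLAN between sites is not carrying sync traffic.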
You're so correct, made some changes to the vlan, stretched the vlan and it all came up.
Hi everyone,
I have the same question; we also have VXLAN between the sites, but with Juniper networking instead of Cisco.
We have also a VSX firewall.
Our main goal is not to stretch VLANs because of L2 loops and risks. Every company is moving away from L2 stretched VLANs when possible.
So, very short: VXLAN is routing the Layer 2 packets.
It means that a server S1-X-A in VLAN X on site A will reach another server S2-X-B (Server2, VLAN X, site B) over the routed VXLAN.
The case:
S1-X-A wants to reach S3-Y-A; it will do this via FW-A and the answer back will go over FW-A.
But if
S1-X-A wants to reach S4-Y-B, the traffic will go over FW-A and the answer will go over FW-B.
So the main question is how can FW-A and FW-B sync the session to allow this ?
(Knowing that the sync between FW-A and FW-B can be L2, otherwise no cluster of course)
Cisco ASA firewalls are handling this via Context and allowing async routing. So if those ugly and basic firewalls are able to do this, it should be good that Check Point could perform those actions as well?
Because Check Point is a software company, a lot of its technology has not been designed from the routing ideology of today.
All the other vendors come to their products from a network perspective (dynamic routing, LLDP, etc.).
So, does anyone have an idea how I can include the VSX firewalls or other ones (Check Point) in this type of design?
We are also looking at it with PS in parallel (for a few months now).
Thanks
For non-VSX, an Active / Active is possible.
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Content...
VXLAN: sure, you can run that over an overlay network like MP-BGP EVPN. Then you "stretch the VLAN" but have a lot more control over it, and seen from the endpoints, in this case the Check Point side, it will be like stretching a VLAN across 2 sites with full L2 connectivity.
The end port connected to the CP will still be a normal VLAN, and VSX works just fine on that.
When it comes to redundancy within datacenters, very often you are actually limited by what the applications can do.
Does the application need full Layer 2 between sites to be able to do some failover, or does it actually manage to have real redundancy over what in public cloud would be regions?
In our cases, for legacy platforms it more or less ends up that the applications require the same VLAN to use cluster functionalities for databases.
So even if the frontend can manage to be fully redundant over L3, the backend can be more difficult.
Regards
Magnus
"S1-X-A wants to reach S4-Y-B the traffic will go over FW-A and the answer will go over FW-B." It doesn't work this way if you have one cluster; you are definitely going to have asymmetric routing if you are seeing this.