Enyi_Ajoku
Collaborator

VSX and VXLAN LAN Extension

Hello Everyone,

I would greatly appreciate your response and time in trying to provide information with regards to my post.

Is anyone familiar with this architectural deployment:

Site A and Site B: Different Geographic Locations

Switches: Nexus

Architecture: VXLAN, LAN Extension

Firewall: CheckPoint

Architecture: VSX

Firewall: One cluster with four members (2 members in Site A and 2 members in Site B)

Switches: 4 nexus switches (2 in site A and 2 in site B). VXLAN LAN Extension.

Layer 3: BGP between Cluster and Nexuses

Layer 2: Vlans between Cluster and Nexuses

0 Kudos
10 Replies
G_W_Albrecht
Legend

I would suggest to either commission CP Professional Services or a partner with a similar level of expertise! I would not assume that some tips from CheckMates could successfully guide you through what you want to achieve (you did not write what you intend to understand or do with that complicated deployment). Or are you CCSE / CCSM certified yourself?

0 Kudos
Nick_Doropoulos
Advisor

Hi Enyi,

Could you be more specific with your question, please? At this point we are just looking at random components, I believe, so if you could specify what it is you need help with, it would be great.

0 Kudos
Enyi_Ajoku
Collaborator

You're right, but my thought process was that anyone who has such a deployment would have an understanding of the concept. So this is my issue here:

Site A is my primary build; I have SIC trust established between members in Site A and Site B.

Members in Site A and Site B are joined and communicating with the Management Station.

I have BGP configured and established between the members and the Nexus in Site A, but not with the Nexus in Site B.

A ping test to the Nexus in Site B gives a destination unreachable result, and the same thing happens when I test to Site A from members in Site B.

I also wanted to add that when I do a cphaprob stat I get the following: active, standby, down, down

0 Kudos
Maarten_Sjouw
Champion

I'm not familiar with VXLAN, but in these types of cases most of the problems are caused by VLANs not being stretched. You need to have all VLANs available on both sites on all 4 nodes for this to work properly. Normally on each interface only the highest and the lowest VLAN is monitored; however, with VSX in VSLS mode all VLANs are monitored by default.
Regards, Maarten
Enyi_Ajoku
Collaborator

You're so correct. I made some changes to the VLAN, stretched the VLAN, and it all came up.

0 Kudos
PhoneBoy
Admin

A network diagram would be helpful.
0 Kudos
Michael_VI
Explorer

Hi everyone,

I have the same question; we also have VXLAN between the sites,

but with Juniper networking instead of Cisco.

We also have a VSX firewall.

Our main goal is not to stretch VLANs because of L2 loops and risks. Every company is moving away from L2 stretched VLANs when possible.

So, very short: VXLAN is routing the Layer 2 packets.

It means that a server S1-X-A in VLAN X on site A will reach another server S2-X-B (Server 2, VLAN X, site B) over the routed VXLAN.

The case:

S1-X-A wants to reach S3-Y-A; it will do this via FW-A, and the answer back will go over FW-A.

But if

S1-X-A wants to reach S4-Y-B, the traffic will go over FW-A and the answer will go over FW-B.

So the main question is: how can FW-A and FW-B sync the session to allow this?

(Knowing that the Sync between FW-A and FW-B can be L2, otherwise no cluster of course.)

Cisco ASA firewalls are handling this via Context and allowing async routing. So if those ugly and basic firewalls are able to do this, it should be good that Check Point could perform those actions also?

Because Check Point is a software company, a lot of its technology was not designed from the routing ideology of today.
All the other vendors are coming to their products from a network perspective (dynamic routing, LLDP, etc.).

So, anyone, do you have an idea how I can include the VSX firewalls or other ones (Check Point) in this type of design?

We are also looking at it with PS in parallel (since a few months ago).

Thanks

0 Kudos
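To make the asymmetric-path problem from the post above concrete, here is an added toy model (not code from the thread or from Check Point) of two stateful firewalls: the request S1-X-A to S4-Y-B leaves through FW-A and the reply returns through FW-B. Host names, the port-443 rule and the shared-set stand-in for cluster state sync are all constructed for illustration.

```python
# Added example: why a stateful firewall drops the return half of an
# asymmetric flow unless connection state is shared between members.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass
class StatefulFirewall:
    name: str
    allowed_dports: frozenset            # rulebase: server ports that may be opened
    table: set = field(default_factory=set)  # constructed: 4-tuples of accepted sessions

    def inspect(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True                  # belongs to a session this member knows about
        if pkt.syn and pkt.dport in self.allowed_dports:
            self.table.add(fwd)          # new connection permitted by policy
            return True
        return False                     # out-of-state or denied packet


def run_flow(sync: bool) -> list:
    """Request via FW-A, reply via FW-B. Returns [request_accepted, reply_accepted]."""
    fw_a = StatefulFirewall("FW-A", frozenset({443}))
    fw_b = StatefulFirewall("FW-B", frozenset({443}))
    if sync:
        fw_b.table = fw_a.table          # constructed stand-in for cluster state sync
    request = Packet("S1-X-A", "S4-Y-B", 50000, 443, syn=True)
    reply = Packet("S4-Y-B", "S1-X-A", 443, 50000)
    return [fw_a.inspect(request), fw_b.inspect(reply)]


if __name__ == "__main__":
    print("no sync:", run_flow(False))   # reply dropped by FW-B as out-of-state
    print("sync:   ", run_flow(True))    # reply matched against the synced session
```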
PhoneBoy
Admin

Asynchronous routing works great for routing, not so great for security.
In R81, you'll be able to terminate VXLAN, which might help in this situation.
0 Kudos
Magnus-Holmberg
Advisor

For non-VSX, Active/Active is possible.

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Content...


VXLAN: sure, you can run that over an overlay network like MP-BGP EVPN. Then you "stretch the VLAN" but have a lot more control over it, and seen from the endpoints, in this case the Check Point side, it will be the same as stretching a VLAN across 2 sites with full L2 connectivity.
The end port connected to the CP will still be a normal VLAN, and VSX works just fine on that.

When it comes to redundancy within datacenters, very often you are actually limited by what the applications can do.
Does the application need full Layer 2 between sites to be able to do some failover, or does it actually manage to have real redundancy over what in public cloud would be regions?
In our case, for legacy platforms it more or less ends up with the applications requiring the same VLAN to use cluster functionalities for databases.
So even if the frontend can manage to be fully redundant over L3, the backend can be more difficult.

Regards
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Enyi_Ajoku
Collaborator

  1. Are Site A and Site B one cluster or separate clusters?
  2. Per the information you provided, can I assume that VLAN X and VLAN Y reside in both Site A and Site B on the VXLAN infrastructure?
  3. Can I assume that you have L3 routing between the firewall and switches?

"S1-X-A wants to reach S4-Y-B, the traffic will go over FW-A and the answer will go over FW-B." It doesn't work this way if you have one cluster; you are definitely going to have asymmetric routing if you are seeing this.

0 Kudos