ndcosta
Ivory

Geo Active-active Datacenter firewall architecture


Hi guys,

 

We are a Check Point customer. Currently we have two VSX clusters in two geographic locations, with a production and a disaster recovery site.

In the near future we will change this to an active-active architecture, stretching the network across both geographies using Cisco ACI with VXLAN.

Can you please advise us on the best scenario for the firewall?

Do we need two clusters?

Can we have a firewall instance in both geographies for the same networking "zone"?

Regards,

Nuno

2 Solutions

Accepted Solutions

Re: Geo Active-active Datacenter firewall architecture


If you are using a VSX Cluster with gateways at two locations, you must comply with the following ClusterXL parameters:

- maximum sync / CCP packet delay: 100 ms

- maximum sync / CCP packet loss: 0.2%

- Layer 2 connection between the locations

Read more here:

ATRG: ClusterXL
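
One way to check an inter-site sync link against the two numeric limits quoted above, as an added example that is not part of the original post and not Check Point tooling. It assumes a Linux iputils-style `ping` summary and compares round-trip time with the 100 ms figure; the function name `check_sync_link` and the sample summaries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): judge a ping summary for the cluster
# sync link against the limits quoted above (100 ms delay, 0.2% loss).
# Assumptions: Linux iputils-style summary lines; round-trip time is compared
# with the 100 ms figure, which is conservative if the limit is one-way.
MAX_DELAY_MS=100
MAX_LOSS_PCT=0.2
MIN_PROBES=500   # 1 lost probe in 500 is 0.2%; fewer probes cannot resolve it

# Reads ping output on stdin; prints PASS, FAIL <reasons> or INCONCLUSIVE <why>.
check_sync_link() {
    awk -v maxd="$MAX_DELAY_MS" -v maxl="$MAX_LOSS_PCT" -v minp="$MIN_PROBES" '
        /packets transmitted/ {
            sent = $1
            for (i = 1; i <= NF; i++)
                if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss); have_loss = 1 }
        }
        /min\/avg\/max/ {
            split($0, halves, "= ")
            split(halves[2], rtt, "/")
            worst = rtt[3]; have_rtt = 1
        }
        END {
            if (!have_loss) { print "INCONCLUSIVE no ping summary found"; exit }
            if (loss + 0 > maxl + 0) why = why " loss=" loss "%"
            if (have_rtt && worst + 0 > maxd + 0) why = why " max_rtt=" worst "ms"
            if (why != "")                print "FAIL" why
            else if (!have_rtt)           print "INCONCLUSIVE no round-trip statistics"
            else if (sent + 0 < minp + 0) print "INCONCLUSIVE only " sent " probes"
            else                          print "PASS"
        }'
}

# Constructed sample summaries, not measurements from the thread.
SAMPLE_OK='1000 packets transmitted, 999 received, 0.1% packet loss, time 200100ms
rtt min/avg/max/mdev = 38.102/41.337/97.410/4.821 ms'
SAMPLE_BAD='1000 packets transmitted, 995 received, 0.5% packet loss, time 200100ms
rtt min/avg/max/mdev = 38.900/44.012/131.250/9.377 ms'
SAMPLE_SHORT='10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 39.001/40.220/42.118/0.913 ms'

for s in "$SAMPLE_OK" "$SAMPLE_BAD" "$SAMPLE_SHORT"; do
    printf '%s\n' "$s" | check_sync_link
done
# Live use: ping -c 1000 -i 0.2 <peer-sync-address> | check_sync_link
```

A short run that reports 0% loss is flagged as inconclusive rather than passed, because a 0.2% loss rate only becomes visible with at least 500 probes.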

Wolfgang
Silver

Re: Geo Active-active Datacenter firewall architecture


Nuno,

Please note the requirements mentioned by Heiko.

If you can use VSLS (Virtual System Load Sharing) with your VSX, you can build a VSX cluster with 4 nodes, two in every location. With VSLS you can distribute your virtual systems between all nodes. As an example, if you have 4 VS, you can run one VS on every node in your VSX cluster.

VSLS can't be used if you are using a virtual router in your environment.

Best regards

Wolfgang

ndcosta
Ivory

Re: Geo Active-active Datacenter firewall architecture


Hi everyone,

Thank you for sharing your knowledge!

Regarding the number of nodes, do we have limitations for a VSLS cluster?

Can we have dynamic routing active with this scenario?

Best regards,

Nuno