Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PIAndre
Explorer

Firewall cluster interface design question

Jump to solution

Hi.  Ive got the opportunity to replace an old existing appliance cluster with another new appliance cluster (way faster hardware).  The old cluster has a configuration that looks like this:

 

fw1

bond1 on switch 1 -> internal vlans, cluster sync vlans

bond2 on switch 1 -> external vlans/interfaces

 

fw2

bond1 on switch 2 -> internal vlans, cluster sync vlans

bond2 on switch 2 -> external vlans/interfaces

 

Performance has been fine and we dont come close to saturating a gig.  The load on this cluster is low and the projected growth of the traffic in the next few years is low as well.  Anyone have suggestions on a different design or am I good?

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee
Employee

Different design would depend partly on the switch capabilities, are they fully independent or clustered / stacked in some way?

Most importantly it comes down to requirements... maybe Sync / DMZ on separate ports etc but would depend on hardware constraints.

View solution in original post

0 Kudos
5 Replies
Chris_Atkinson
Employee
Employee

Different design would depend partly on the switch capabilities, are they fully independent or clustered / stacked in some way?

Most importantly it comes down to requirements... maybe Sync / DMZ on separate ports etc but would depend on hardware constraints.

0 Kudos
PIAndre
Explorer

Its a modern switch stack.  If there arent any issues with how the old cluster is configured I guess Ill continue to do the same thing.

0 Kudos
Chris_Atkinson
Employee
Employee

Do you want things deterministic i.e. switch 1 fails then firewall 1 fails ? 

Otherwise some might mesh the bond slaves to try and protect against switch failure.

0 Kudos
Vladimir
Champion
Champion

So long as you are using multiple bonds in a cluster, I'd recommend keeping Sync on a separate one, if there are ports available on a switch stack to accommodate it. That said, I am prone to over-engineering for redundancy to cover even for low-probability events.

0 Kudos
S_E_
Advisor

fully agree, also our preferred setup:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/W...

 

 

fw1

bond1 on switch 1 -> internal vlans

bond2 on switch 1 -> external vlans/interfaces

bond3 -> cluster sync vlan

 

fw2

bond1 on switch 2 -> internal vlans

bond2 on switch 2 -> external vlans/interfaces

bond3 -> cluster sync vlan

 

Best regards

0 Kudos