RE: [FW1] Gabriel needs help setting VRRPwith fw1 Synchronization
Gabriel,

What James explains is the VRRP Monitored Circuits; what you are talking about is the VRRP v2 ... an older version, I think, of VRRP. I think Monitored Circuits is better.

Resolution 1214 on the Nokia Support site explains this in more detail.

Met vriendelijke groeten - Bien à vous - Kind regards

Guy ROELANDTS
EMEA CS Internet Expertise Centre
Compaq Software Engineer - Belgium
E-mail : [email protected]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, April 09, 2001 7:15 PM
To: gf b
Cc: [email protected]
Subject: Re: [FW1] Gabriel needs help setting VRRPwith fw1 Synchronization

Gabriel:

We have a couple of Nokia IP650s running IPSO3.3 and FW-1 4.1SP3 in a HA environment and they work great. We are using VRRP Monitored Circuit on all interfaces directly connected to the Nokias.

Basically what you have is that each Nokia does indeed have a physically different IP on each interface. And each "set" of IPs has a VRRP address. You have all of your routers/hosts/whatever point to the Virtual address. Note that in the following example I am using classless IPs where in your case you would use real IPs.

Nokia-A's external interface is set to 10.0.0.2/24, Nokia-B's external interface is set to 10.0.0.3/24, the VRRP address is set to 10.0.0.1. Say for example that you have an Internet Gateway router (the device that is directly connected to your T1 or whatever connection you have out to the Internet); its route into your internal network would point to 10.0.0.1. Every VRRP address can be used in this way.

Another example is if you set up a DMZ on your FWs. You would connect each FW to, say, a switch/hub. Nokia-A's DMZ interface is set to 192.168.1.2/24, Nokia-B's DMZ address is set to 192.168.1.3/24 and the VRRP is set to 192.168.1.1. Each server/client that you connect directly to the DMZ switch would have a default gateway of 192.168.1.1.

In this way, using the above example, your routers/server-clients would never know that the FWs failed over. The entry that either your routers or servers would have in their ARP tables is the MAC address of the VRRP. Your users that were connected to, say, one of the machines in the DMZ from the inside (or anywhere) might notice a delay (if they are doing something at the time) of as little as 3 seconds while the FWs fail over.

Hope that this helps. If you would like to discuss this topic a little more off-line you can email me direct at [email protected].

Hope the above clears things up a little for you.

Good luck.

"gf b" <gfbpublic@hotmail.com>
04/06/2001 12:12 PM

To: [email protected]
cc: [email protected], (bcc: James E Clukey/Rush/RSH)
Subject: [FW1] Gabriel needs help setting VRRPwith fw1 Synchronization

Hi All,

Has anyone set up two Nokia IP650s with VRRP for high availability? I'm a bit confused as to how to set it up the best way.

I presumed it is set up by assigning a single, shared external IP (1 default external gateway), assigning a single, shared internal IP (1 default internal gateway) and a unique IP on each fw so that the management station can administer each box. You can then configure Synchronization on the fws to keep rules and objects up to date.

But, after looking at an official Nokia IP650 support doc, it recommended the following VRRP scenario: The primary fw and secondary fw have unique external and internal IPs. Should the primary fw die, the secondary will assume the IP of the primary fw. You could also have a scenario where both fws back up each other and network objects and all traffic is split equally between them.

This method surely creates additional administration and configuration overhead.

So, does anyone have a recommended approach to setting up VRRP between two fw 4.1s SP3, and do you recommend combining this with Check Point High Availability module with Synchronization??

Thank you kindly,
Gabriel

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
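
The difference between per-interface VRRP v2 and VRRP Monitored Circuit discussed in this thread, as an added example that is not part of any of the messages above. It uses the addressing from James's reply; the VRIDs, priorities and priority delta are assumed values, and the Monitored Circuit behaviour is a simplified model in which each failed monitored interface subtracts the delta from the node's priority on its remaining interfaces.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed from the thread's addressing; VRIDs, priorities and delta are assumed values.
VIRTUAL = {"external": ("10.0.0.1", 1), "dmz": ("192.168.1.1", 2)}  # VIP, VRID
DELTA = 10  # priority delta subtracted per failed monitored interface


@dataclass
class Firewall:
    name: str
    priority: int          # configured base priority
    addrs: dict            # interface -> real (non-virtual) IP
    down: set = field(default_factory=set)


def virtual_mac(vrid):
    """MAC that hosts keep in their ARP tables for the VIP (RFC 2338)."""
    return f"00:00:5e:00:01:{vrid:02x}"


def master_down_interval(priority, advert=1.0):
    """Seconds a backup waits without advertisements before taking over (RFC 2338)."""
    return 3 * advert + (256 - priority) / 256


def plain_priority(fw, ifc):
    # Per-interface VRRP: only the state of this interface matters.
    return None if ifc in fw.down else fw.priority


def monitored_priority(fw, ifc):
    # Monitored Circuit: any failed monitored interface lowers priority on all of them.
    return None if ifc in fw.down else fw.priority - DELTA * len(fw.down)


def masters(nodes, priority_fn):
    """Return {interface: name of master}; ties go to the higher real IP."""
    result = {}
    for ifc in VIRTUAL:
        live = [(priority_fn(n, ifc), int(ipaddress.ip_address(n.addrs[ifc])), n.name)
                for n in nodes if priority_fn(n, ifc) is not None]
        result[ifc] = max(live)[2] if live else None
    return result


def pair():
    a = Firewall("Nokia-A", 100, {"external": "10.0.0.2", "dmz": "192.168.1.2"})
    b = Firewall("Nokia-B", 95, {"external": "10.0.0.3", "dmz": "192.168.1.3"})
    return a, b
```

With Nokia-A's DMZ interface marked down, `masters(nodes, plain_priority)` leaves the external virtual address on Nokia-A and the DMZ one on Nokia-B, while `masters(nodes, monitored_priority)` moves both to Nokia-B.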