
Re: [FW1] Gabriel needs help setting VRRPwith fw1 Synchronization





Gabriel:

     We have a couple of Nokia IP650s running IPSO3.3 and FW-1 4.1SP3 in a HA
environment and they work great. We are using VRRP Monitored Circuit on all
interfaces directly connected to the Nokias.

     Basically what you have is that each Nokia does indeed have a physically
different IP on each interface. And each "set" of IPs has a VRRP address. You
have all of your routers/hosts/whatever point to the Virtual address. Note that
in the following example I am using classless IPs where in your case you would
use real IPs.

     Nokia-A's external interface is set to 10.0.0.2/24, Nokia-B's external
interface is set to 10.0.0.3/24, the VRRP address is set to 10.0.0.1. Say for
example that you have an Internet Gateway router (the device that is directly
connected to your T1 or whatever connection you have out to the Internet); its
route into your internal network would point to 10.0.0.1.

     Every VRRP address can be used in this way.

     Another example is if you set up a DMZ on your FWs. You would connect
each FW to say a switch/hub. Nokia-A's DMZ interface is set to 192.168.1.2/24,
Nokia-B's DMZ address is set to 192.168.1.3/24 and the VRRP is set to 192.168.1.1.
Each server/client that you connect directly to the DMZ switch would have a
default gateway of 192.168.1.1.

     In this way, using the above example, your routers/server-clients would never
know that the FWs failed over. The entry that either your routers or servers
would have in their ARP tables is the MAC address of the VRRP. Your users that
were connected to say one of the machines in the DMZ from the inside (or
anywhere) might notice a delay (if they are doing something at the time) of
as little as 3 seconds while the FWs fail over.

     Hope that this helps. If you would like to discuss this topic a little more
off-line you can email me direct at [email protected]. Hope the above clears
things up a little for you. Good luck.


"gf b" <gfbpublic@hotmail.com>
04/06/2001 12:12 PM

To:      [email protected]
cc:      [email protected], (bcc: James E Clukey/Rush/RSH)
Subject: [FW1] Gabriel needs help setting VRRPwith fw1 Synchronization






Hi All,

Has anyone set up two Nokia IP650s with VRRP for high availability?
I'm a bit confused as to how to set it up the best way.

I presumed it is set up by assigning a single, shared external IP (1 default
external gateway), assigning a single, shared internal IP (1 default internal
gateway) and a unique ip on each fw so that the management station can
administer each box. You can then configure Synchronization on the fws to
keep rules and objects up to date.

But, after looking at an official Nokia IP650 support doc, it recommended
the following VRRP scenario:
The primary fw and secondary fw have unique external and internal IPs.
Should the primary fw die, the secondary will assume the ip of the primary
fw.
You could also have a scenario where both fws backup each other and network
objects and all traffic is split equally between them. This method surely
creates additional administration and configuration overhead.

So, does anyone have a recommended approach to setting up VRRP between two
fw 4.1s SP3, and do you recommend combining this with Check Point High
Availability module with Synchronization??

Thank you kindly,

Gabriel



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
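
The addressing layout in the reply above, turned into a check, as an added example that is not part of the original thread: it validates each segment's plan (two distinct physical IPs plus a separate virtual IP in the same subnet) and verifies that a neighbor's next hop and ARP entry point at the virtual router. The VRIDs, the observed ARP data and the use of the standard VRRP virtual MAC (RFC 2338) are assumptions; the post gives only the IP addresses.

```python
import ipaddress

def vrrp_virtual_mac(vrid):
    """Standard IPv4 VRRP virtual MAC, 00:00:5e:00:01:<VRID> (RFC 2338)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"

def check_segment(seg):
    """Return problems in one segment's monitored-circuit addressing plan."""
    a = ipaddress.ip_interface(seg["node_a"])
    b = ipaddress.ip_interface(seg["node_b"])
    vip = ipaddress.ip_address(seg["vip"])
    problems = []
    if a.network != b.network:
        problems.append("nodes are not in the same subnet")
    if a.ip == b.ip:
        problems.append("nodes share a physical IP")
    if vip not in a.network:
        problems.append("virtual IP is outside the segment subnet")
    if vip in (a.ip, b.ip):
        problems.append("virtual IP collides with a physical IP")
    return problems

def check_neighbor(seg, gateway_ip, arp_mac):
    """Check what a router or host on the segment uses as its next hop."""
    problems = []
    if ipaddress.ip_address(gateway_ip) != ipaddress.ip_address(seg["vip"]):
        problems.append("next hop is not the virtual IP")
    if arp_mac.lower().replace("-", ":") != vrrp_virtual_mac(seg["vrid"]):
        problems.append("ARP entry is not the VRRP virtual MAC")
    return problems

# Addresses from the post; the VRIDs are assumed (the post gives none).
EXTERNAL = {"vrid": 10, "node_a": "10.0.0.2/24", "node_b": "10.0.0.3/24", "vip": "10.0.0.1"}
DMZ = {"vrid": 20, "node_a": "192.168.1.2/24", "node_b": "192.168.1.3/24", "vip": "192.168.1.1"}

# Constructed observations: (segment, configured gateway, MAC seen in ARP).
OBSERVED = [
    (DMZ, "192.168.1.1", "00:00:5e:00:01:14"),  # virtual IP and virtual MAC
    (DMZ, "192.168.1.2", "02:00:00:11:22:33"),  # points at Nokia-A directly
]

if __name__ == "__main__":
    for seg in (EXTERNAL, DMZ):
        print(seg["vip"], check_segment(seg) or "plan ok")
    for seg, gw, mac in OBSERVED:
        print(gw, mac, check_neighbor(seg, gw, mac) or "ok")
```

A host flagged by the second check keeps sending to one firewall's physical address, so it would not follow a failover to the other unit.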









 