Thursday, July 21, 2011

ClusterXL or Nokia VRRP? Which one should I use? What is the difference?

You can use Nokia VRRP, Nokia IP Clustering, or Check Point ClusterXL.

ClusterXL requires a licence.
ClusterXL is for SPLAT/Linux/UNIX ONLY.

With the Nokias you don't have to use ClusterXL, just VRRP or IP Clustering.
If you use Nokia VRRP you get HA, but the other box will act as a hot standby, i.e. ACTIVE/PASSIVE.
If you use Nokia clustering, you can configure the boxes in Active-Active or Active-Passive mode.
On the Nokias you are only using ClusterXL for the Check Point state synchronization, NOT for the actual FAILOVER information.

With Nokia Active/Active clustering, you will need two state networks: one for Check Point state (fw) and one for Nokia state (IPSO). It is not recommended to use the same network for both states.

With Nokias you should not tick ClusterXL. Configure the cluster under 3rd Party and select Nokia VRRP if you want an active-passive setup, or IPSO Clustering if you are running an IPSO cluster in an active-active environment.

Do not use a crossover cable between the two firewalls for state networks. If one firewall goes down, the other will see that interface go down and both will try to leave the cluster.

If you have a Cisco switch between the firewalls using VLANs, make sure multicast is TURNED ON on the switch. You can switch the Check Point state network to broadcast, but not the Nokia state network. Some Cisco switches will not listen to a gratuitous ARP from a VIP address. A simple static ARP entry, i.e. the MAC address of the firewalls' VIP added to the switch ARP table, will do the trick.

Check this link, goo.gl/eua2R, for Cisco switch + multicast issues.

You set up the Nokia state network in Cluster Voyager. You set up the Check Point state network in SmartDashboard.

(I think it is possible that IPSO 4.X allows you to switch from the default multicast to broadcast on the Nokia state network; to be verified.)
