Firewall Wizards mailing list archives
RE: Switch Redundancy for my firewall cluster
From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 2 May 2005 17:37:05 -0400
To answer your specific questions...

A1. See below.

| sw1 | <-backplane-> | sw2 |
   ^                     ^
   |                     |
   v                     v
| fw1 | <---sync----> | fw2 |
   ^                     ^
   |                     |
   v                     v
| sw3 | <-backplane-> | sw4 |

Or if you don't want to backplane the two pairs of switches, you can cross them over with 802.1q trunk ports. Assign a VLAN for every subnet the firewall has an interface on, and trunk that VLAN to the other switch in the pair (in the diagram above, sw1 and sw2 would trunk VLANs to each other, same as sw3 and sw4).

A2. Yes.

A3. 802.1q VLAN tagging and trunking, that's how. (see above)

A4. No. Your firewall cluster can (if you buy the right licenses) do the load balancing for you, if you require it. Otherwise, you'll end up with a fail-over configuration. Doing L4+ load-balancing with the switches will not get you load balancing through the firewall, only on either side of it. The firewall would still be a choke point since the same cluster member would be handling all traffic sent to the cluster addresses.

PaulM

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Nick Brandson
Sent: Sunday, May 01, 2005 8:03 PM
To: firewall-wizards
Subject: [fw-wiz] Switch Redundancy for my firewall cluster

Dear (Cisco) guru,

Want to eliminate every single point of failure for my network topology. Planning to have firewall cluster and switch redundancy.

Environment:
* Check Point - Unlimited x2 (SecurePlatform)
* ClusterXL
* Cisco 29XX switch x 4 (two upstream & two downstream)

Questions,
1. What does the network topology look like?
2. Do we need a delegate/physical connection from each firewall member/node to two upstream switches and two downstream switches?
3. If so, how is it possible?
Because Check Point is running in router mode, it means each physical port will carry different segments, and we have to set up two different segments for each port connecting to the two upstream switches, and likewise for the downstream switches, in order to get the "Cross" effect.
4. Do we need an L4-7 switch in order to do so? As per the network diagram from Cisco: http://www.cisco.com/warp/public/117/fw_load_balancing1.gif

Any ideas will be appreciated.
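The layout Paul describes only gives you redundancy if every VLAN the firewall has an interface on is actually carried across the trunk between the two switches of a pair, and it only stays tight if that trunk carries nothing else. The following is an added example, not code from the list post or from Cisco or Check Point: a small Python check that parses two constructed IOS-style config snippets (hypothetical switch names sw1/sw2, port names and VLAN numbers are all made up), collects the VLANs on the firewall-facing access ports, and reports any VLAN that is missing from, or surplus on, the inter-switch trunk of either switch. It assumes firewall ports are identified by a description beginning with "fw" and only handles the plain `switchport trunk allowed vlan <list>` form, not the add/remove/except variants.

```python
"""Check that the inter-switch trunk of a switch pair carries exactly the
VLANs the firewall cluster uses.  Added example with constructed configs;
switch names, ports and VLAN numbers are hypothetical."""
import re

# Constructed sample running-config fragments (not real devices).
SW1_CONFIG = """
interface GigabitEthernet0/1
 description fw1 eth0 (outside)
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/2
 description fw1 eth1 (dmz)
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet0/24
 description trunk to sw2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
"""

SW2_CONFIG = """
interface GigabitEthernet0/1
 description fw2 eth0 (outside)
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/2
 description fw2 eth1 (dmz)
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet0/24
 description trunk to sw1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
"""


def expand_vlan_list(spec):
    """Expand an IOS allowed-VLAN spec such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(','):
        part = part.strip()
        if not part:
            continue
        if '-' in part:
            lo, hi = part.split('-', 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface: {'description', 'mode', 'access_vlan', 'allowed'}}.
    'allowed' stays None when no explicit allowed-VLAN list is configured
    (IOS then allows every VLAN on the trunk)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'^interface\s+(\S+)$', line)
        if m:
            current = {'description': '', 'mode': None,
                       'access_vlan': None, 'allowed': None}
            interfaces[m.group(1)] = current
        elif current is None or not line:
            continue
        elif line.startswith('description '):
            current['description'] = line[len('description '):]
        elif line.startswith('switchport mode '):
            current['mode'] = line.split()[-1]
        elif line.startswith('switchport access vlan '):
            current['access_vlan'] = int(line.split()[-1])
        elif line.startswith('switchport trunk allowed vlan '):
            current['allowed'] = expand_vlan_list(
                line[len('switchport trunk allowed vlan '):])
    return interfaces


def firewall_vlans(interfaces, fw_prefix='fw'):
    """VLANs on access ports whose description names a firewall member."""
    return {i['access_vlan'] for i in interfaces.values()
            if i['mode'] == 'access' and i['access_vlan'] is not None
            and i['description'].startswith(fw_prefix)}


def check_pair(configs):
    """configs: {switch_name: config_text} for both switches of one pair.
    A VLAN used by any firewall interface on either switch must cross the
    trunk, otherwise a fail-over to the other member loses that segment."""
    parsed = {name: parse_interfaces(cfg) for name, cfg in configs.items()}
    required = set().union(*(firewall_vlans(p) for p in parsed.values()))
    findings = {}
    for name, interfaces in parsed.items():
        trunks = [i for i in interfaces.values() if i['mode'] == 'trunk']
        result = {'missing': set(), 'extra': set(),
                  'unrestricted': False, 'no_trunk': not trunks}
        for t in trunks:
            if t['allowed'] is None:      # default: all VLANs allowed
                result['unrestricted'] = True
                continue
            result['missing'] |= required - t['allowed']
            result['extra'] |= t['allowed'] - required
        findings[name] = result
    return findings


if __name__ == '__main__':
    for sw, f in check_pair({'sw1': SW1_CONFIG, 'sw2': SW2_CONFIG}).items():
        print(sw, f)
```

In the constructed input sw2 allows VLAN 30 on the trunk although no firewall interface uses it, so the check flags it as surplus; a trunk with no allowed-VLAN list at all is reported as unrestricted rather than enumerated. Run the same check against the downstream pair (sw3/sw4) with their own configs.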