VSX Clustering Active Configuration IPSO 5

8/3/2019 VSX Clustering Active Configuration IPSO 5

http://slidepdf.com/reader/full/vsx-clustering-active-configuration-ipso-5 1/11

Copyright © 2009 Check Point Software Technologies, Ltd. All rights reserved 1

Configuring a Cluster in IPSO 5 with Both

Members in Active Mode

In This Document

Configuring a VSX Cluster MemberPerform the following steps on the gateway of each cluster member that you want to make active:

1. Prepare the Nokia IP Security platform by installing the IPSO and VSX packages.

2. Run vsx_config and answer the questions below as follows:

a. Do you want to create Link Aggregated interfaces (y/n) [y]? Answer Yes only if you want touse LAG for sync interface.

b. Do you wish to create a new LAG group (y/n) [y]? Answer Yes. Choose the interfaces you

want to use for LAG sync.

c. Is this VSX gateway part of a cluster (y/n) [y]? Answer Yes.

d. Are you sure you want to configure clustering on the system (y/n) [y]? Answer Yes. Choose

the LAG interface for the sync (if you created it before)

e. Do you wish to setup VRRP now (y/n) [y]? Answer No.

f. Would you like to install a Check Point clustering product (CPHA or State

Synchronization)? (y/n) [n]? Answer Yes3. Using Nokia Network Voyager, go to Configuration >High Availability >VRRP. Select Enabled on

both Accept connection on VRRP IPs, and Monitor Firewall State.screenshot

Configuring a VSX Cluster Member page 1

Configuring the Link Aggregation Group (LAG) page 5

Active Active Mode VRRP Configuration page 6

Known Limitations & Troubleshooting page 10

Documentation Feedback page 11



Configuring a VSX Cluster Member

Configuring a Cluster in IPSO 5 with Both Members in Active Mode — May 24, 2009 2

4. Go to Legacy >VRRP Configuration. Select Monitored Circuit for the MVS interface, (in our

example eth-s5p1).screenshot

5. Type a VRID for that interface. (It should be same on both members). Click Apply.

6. Type a backup address (the same for both members) and Priority as 100 in master and 95 in

slave.**Do not select any interface for Monitor Interface. Click Apply.screenshot

7. Create the VSX cluster object by using Provider-1 Multi-Domain Client (or) Smart Dashboardfor Smart Center Server (SMC).screenshot

8. Enter the VSX Cluster Name, MVS Cluster IP Address, Version, and Platform.screenshot





9. In the Virtual Systems Creation Templates screen, select Custom Configuration.screenshot

10. Establish SIC between the two Cluster Members.screenshot

11. Do not select any interface as a VLAN Trunk now – it will be done on vsx_object properties after

enabling VRRP on the desired trunk interfaces.screenshot





12. Select the Synchronization interface from the list.screenshot

13. Select the sources and services you want to install on the first policy installation.screenshot

14. Do NOT select “Create Virtual Network Device”. Click Nextscreenshot

15. Click Next and then Finish.



Configuring the Link Aggregation Group (LAG)


Configuring the Link Aggregation Group (LAG)Perform the following steps on Voyager web interface of each cluster member that you want to

make active:

1. Log in to Voyager

2. Select Interface Configuration >Link Aggregation.3. Type a Group ID for the LAG interface between 1 and 1024, for example, 10 in our setup. Click

Apply.screenshot

4. Select which interface you want to aggregate, for example, eth-s1p1-2 in our setup. Click

Apply.screenshot

5. It is preferred to create the two interfaces of the Bridge mode Virtual System on different

slots. Interfaces that will participate in one LAG must be on the same slotscreenshot

Cisco Catalyst Switch Commands

The following are examples of commands you may need when using a Cisco Catalyst Switch:

To configure ether-channel in Cisco Catalyst switch:

To configure a load-balancing algorithm on a Cisco Switch:

(config)#interface gigabitEthernet 1/4

(config-if)#channel-group 1 mode on

(config)#port-channel load-balance src-dst-ip



Active Active Mode VRRP Configuration


If you are using a single VLAN on port-channel:

If you are using trunk on Port-channel:

Active Active Mode VRRP Configuration• In this mode every interface should be in VRRP configuration (Trunk, No Trunk, and Physical).

• Before manually configuring any interface as VRRP monitored, you have to define an IP

Address on the desired interface.

• After the configuration is set for the first time, the IP addresses on the trunk interfaces changeto funny net IPs

• The non trunk interfaces’ IP Addresses will disappear from the interfaces after creating VSB

on them. VRRP configuration will be on the Virtual System page and not on main VRRP page.

• Before selecting an interface as a Vlan Trunk, you must enable VRRP on it.

• Virtual Routers and Virtual Switches are not supported in Active Active mode.

Configuring IP Addresses and Enabling VRRP monitor on the

LAG interfaces

Perform the following steps within the Voyager web interface:

1. In Voyager, go to Interface Configuration >Interfaces.

2. Click on the Logical interface and give it a unique IP address by selecting Mask Length >Apply

(This IP address will be changed automatically (if it is a trunk) or disappear (if it is not a

trunk) after clicking configuration for the first time).

(config)#interface Port-channel1

(config-if)#no ip address

(config-if)#switchport access vlan 2

(config)#interface Port-channel 1(config-if)#no ip address

(config-if)#switchport trunk encapsulation dot1q

(config-if)#switchport trunk allowed vlan 2

(config-if)switchport mode trunk





3. For the other member, assign a different IP from the same subnet (for example, 15.15.15.2 in

our setup).

4. Select High Availability >VRRP.

5. Select Monitored Circuit for the interfaces oon which you want to enable VRRP.

6. Assign a VRID for that interface, It should be the same on both members and different from

the MVS (sequential in our setup 60...61….62).

7. Assign a backup address (the same for both members).





8. Set the priority as 100/95 on each member according to the interface distribution.

9. Remove the physical interfaces you used for creating the LAGs from the VSX_object properties,

and add the new LAG interfaces to the interface list. Select them as Vlan trunks if required.

10. After asigning the configuration to the vsx_object, the IP Addresses on the trunk interfaces will

change to funny IP Addresses.

Note - All interfaces configured on the same Virtual System MUST be set with the same priority.

Every interface should monitor the other interfaces that exist on the same Virtual System.





Creating a Virtual System in Bridge Mode

1. Create new Virtual System by selecting the VSX Nokia Server >New Virtual System.

2. Give the Virtual System a name and select Bridge mode.

3. Add the interfaces for incoming traffic and outgoing traffic. Assign a unique subnet for theVirtual System VRRP configuration.



Known Limitations & Troubleshooting


System Definition

1. Within Voyager, go to Virtual System tab and examine the specific VS configuration.

2. Go to Interfaces list and see the funny IPs that redistribute to the trunk interfaces.

Known Limitations & Troubleshooting• Limitation: Effective VRRP priority is decreased with every Virtual System created.

Solution: Manually remove the vlan interfaces from VRRP configuration. It’s enough to monitor

the physical interface. Note: This change is not saved after reboot.

• Limitation: When defining more than one Virtual System that the interfaces of the other VirtualSystems are automatically configured as monitor interface for the all other Virtual Systems.

This will cause failover to all interfaces when only one interface fails.

Solution: Manually remove the interfaces that belong to other Virtual Systems from the monitor

circuit interface. Note: Manually editing this configuration is not saved after reboot.

• Limitation: Virtual System creation fails with error ‘Interfaces cannot be set.

Solution: Enable VRRP monitor on the interfaces you are trying to create Virtual System on.



Documentation Feedback


• Limitation: In some cases after defining Virtual System one of its interfaces is not added as

monitored by the other interface on the VRRP configuration in Virtual System page.

Solution: Manually add the interface on the Virtual Systems tab under VRRP of the specific

Virtual System. Note: This specific edit is saved after reboot.

Documentation FeedbackCheck Point is engaged in a continuous effort to improve its documentation. Please help us by

sending your comments to:

[email protected]

mailto:[email protected]?subject=Check%20Point%20User%20Guide%20feedback

mailto:[email protected]?subject=Check%20Point%20User%20Guide%20feedback

VSX Clustering Active Configuration IPSO 5

Documents

Transcript of VSX Clustering Active Configuration IPSO 5