
Nick.Kassel at charles-stanley
Sep 12, 2007, 2:36 AM
Post #3 of 3
Re: Nokia Firewall Clustering on 6500 Cisco Switches
[In reply to]
Many thanks for your reply, Joel. We will have to see if this is possible.

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder [at] Opus1]
Sent: 11 September 2007 02:29
To: Nick Kassel
Cc: cisco-nsp [at] puck; Abdus Hamid; Darren Holden
Subject: Re: [c-nsp] Nokia Firewall Clustering on 6500 Cisco Switches

Well, here's the best advice I can offer...

Nokia clusters have three modes of operation: multicast, unicast, and forwarding. Forwarding is considered to be the most compatible mode, and no switch should be having trouble with that. With forwarding mode, the cluster elects a master to receive the traffic using a normal unicast MAC address, and the master passes traffic to other cluster members using a private link (hopefully) to handle the load balancing. You get a nice scalability there, so long as the path between the cluster nodes is not congested. Given a 1Gb link up, there's only so far you can scale.

The other two modes, unicast & multicast, all depend on a MAC address that is either on multiple ports (unicast) or is multicast (multicast), and those generally will require some manual locking down of the forwarding database. You get better performance with unicast if you need it, but because of the relative speed of things, you will probably never need to jump from forwarding mode.

However... you are running really, really old hardware (IP530) and really old software (R61), which leads me to wonder if you're not finding some old IPSO clustering bug. I don't know if you've loaded IPSO 4.2 or are running something much older, but you should be up to rev on that. Note that the IPSO clustering is completely separate from NGX load balancing in terms of configuration and setup, so you should be able to have a stable IPSO cluster (using Voyager) before you even bring NGX into the picture. If the cluster is, indeed, stable (try some basic tests to see), then you may not have NGX properly linked in.
I just did some tests using NGX R65 and it was very solid (although I saw some load balancing problems related to NAT). I would suggest you get 4.2 IPSO and NGX R65, and this should work like a champ on any Cisco switch in forwarding mode. Three weeks ago, I tore down a Nokia Cryptocluster that had been on a 2924 for about 7 years, and it was rock solid with completely stock configuration.

jms

Nick Kassel wrote:
> We have a new Cisco network in test which is using layer 3 routed access
> design; all switches are 6509. We are currently trying to test Nokia
> Firewall clustering using IP forwarding. Does anyone have any experience
> of this, as we are currently having issues with the cluster? Our firewall
> team seem to think that this may be an issue on the switches, as this
> previously worked fine on our old Nortel environment. On each firewall,
> when running the cphaprob state command, only the local firewall is shown
> and not both cluster nodes; however, on the Voyager GUI the cluster is
> showing both nodes correctly.
>
> We have disabled IGMP snooping as recommended from another forum, and
> this helped to display both nodes in Voyager but not on the individual
> firewalls.
>
> Firewall setup consists of 2 x Nokia IP 530 running Checkpoint NGX R61
> with 4 physical network ports with vlans.

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One    Phone: +1 520 324 0494
jms [at] Opus1    http://www.opus1.com/jms

_______________________________________________
cisco-nsp mailing list
cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
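The symptom in this thread is that each firewall's `cphaprob state` lists only itself while Voyager shows both nodes. The following is an added example, not code from the thread or from Check Point or Nokia: a small Python check that parses captured `cphaprob state` output and reports when a member sees fewer peers than expected, so the condition can be caught by monitoring rather than by eye. The table layout, the member addresses and the cluster mode string in the samples are constructed approximations of the command's output (the real format varies by release), so the regular expression is an assumption to adjust for your version.

```python
# Added example (not from the cisco-nsp thread): parse `cphaprob state` output and
# flag a cluster in which a member sees fewer peers than expected, which is the
# symptom described in the thread (only the local node listed on each firewall).
# The table layout below is a constructed approximation of the command's output;
# real releases differ, so adjust ROW_RE and MODE_RE for yours.
import re
from dataclasses import dataclass

# One member row: number, optional "(local)", unique address, load %, state.
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s*(?P<local>\(local\))?\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<load>\d{1,3})%\s+(?P<state>\S+)",
    re.MULTILINE,
)
MODE_RE = re.compile(r"^Cluster Mode:\s*(?P<mode>.+?)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class Member:
    number: int
    local: bool
    address: str
    load: int
    state: str


def parse_cphaprob_state(text: str) -> tuple[str, list[Member]]:
    """Return (cluster mode, members) parsed from captured `cphaprob state` text."""
    mode_match = MODE_RE.search(text)
    mode = mode_match.group("mode") if mode_match else "unknown"
    members = [
        Member(int(m.group("num")), m.group("local") is not None,
               m.group("addr"), int(m.group("load")), m.group("state"))
        for m in ROW_RE.finditer(text)
    ]
    return mode, members


def check_cluster(text: str, expected_members: int = 2) -> list[str]:
    """Return a list of problems; an empty list means the member's view is healthy."""
    mode, members = parse_cphaprob_state(text)
    problems = []
    if len(members) < expected_members:
        # The thread's case: the node cannot see its peer(s), so cluster
        # traffic between members is not arriving (sync VLAN, switch
        # forwarding database, or IGMP snooping are the usual suspects).
        problems.append(
            f"only {len(members)} of {expected_members} members visible "
            f"(mode: {mode}); check the cluster VLAN and switch forwarding"
        )
    if not any(m.local for m in members):
        problems.append("local member missing from its own cluster view")
    if members and not any(m.state.lower() == "active" for m in members):
        problems.append("no member reports Active state")
    if len({m.address for m in members}) != len(members):
        problems.append("duplicate member address in cluster view")
    return problems


# Constructed samples. HEALTHY shows both nodes; DEGRADED reproduces the thread's
# symptom, where each firewall lists only itself.
HEALTHY = """\
Cluster Mode:   Load Sharing (Forwarding)

Number     Unique Address  Assigned Load   State

1 (local)  10.10.0.1       50%             Active
2          10.10.0.2       50%             Active
"""

DEGRADED = """\
Cluster Mode:   Load Sharing (Forwarding)

Number     Unique Address  Assigned Load   State

1 (local)  10.10.0.1       100%            Active
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, check_cluster(sample) or "OK")
```

Run it against output captured from each cluster member in turn; a member-count shortfall on one node but not the other points at the path between the nodes rather than at the cluster software itself, which matches the advice above to confirm the IPSO cluster is stable before looking at NGX.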