
Copyright © 2009 Check Point Software Technologies, Ltd. All rights reserved

Configuring a Cluster in IPSO 5 with Both Members in Active Mode

In This Document

Configuring a VSX Cluster Member
Configuring the Link Aggregation Group (LAG)
Active Active Mode VRRP Configuration
Known Limitations & Troubleshooting
Documentation Feedback

Configuring a VSX Cluster Member

Perform the following steps on the gateway of each cluster member that you want to make active:

1. Prepare the Nokia IP Security platform by installing the IPSO and VSX packages.

2. Run vsx_config and answer the questions as follows:

a. Do you want to create Link Aggregated interfaces (y/n) [y]? Answer Yes only if you want to use a LAG for the sync interface.

b. Do you wish to create a new LAG group (y/n) [y]? Answer Yes, then choose the interfaces you want to aggregate for sync.

c. Is this VSX gateway part of a cluster (y/n) [y]? Answer Yes.

d. Are you sure you want to configure clustering on the system (y/n) [y]? Answer Yes, then choose the LAG interface for sync (if you created one in step b).

e. Do you wish to setup VRRP now (y/n) [y]? Answer No. VRRP is configured later, through Voyager.

f. Would you like to install a Check Point clustering product (CPHA or State Synchronization)? (y/n) [n]? Answer Yes.

3. Using Nokia Network Voyager, go to Configuration > High Availability > VRRP. Set both Accept connection on VRRP IPs and Monitor Firewall State to Enabled. Monitor Firewall State ties the member's VRRP mastership to the firewall being up, so a member whose policy is not loaded does not attract traffic.

Configuring a Cluster in IPSO 5 with Both Members in Active Mode — May 24, 2009

4. Go to Legacy > VRRP Configuration. Select Monitored Circuit for the MVS interface (eth-s5p1 in our example).

5. Type a VRID for that interface (it must be the same on both members). Click Apply.

6. Type a backup address (the same on both members) and a Priority of 100 on the master and 95 on the backup member. Do not select any interface for Monitor Interface. Click Apply.

7. Create the VSX cluster object using the Provider-1 Multi-Domain client, or SmartDashboard when managing with a SmartCenter Server.

8. Enter the VSX Cluster Name, MVS Cluster IP Address, Version, and Platform.


9. In the Virtual Systems Creation Templates screen, select Custom Configuration.

10. Establish SIC for the two cluster members (trust between each member and the management server).

11. Do not select any interface as a VLAN Trunk now. This is done in the VSX object properties after enabling VRRP on the desired trunk interfaces.


12. Select the Synchronization interface from the list.

13. Select the sources and services you want to install in the first policy installation.

14. Do NOT select "Create Virtual Network Device". Click Next.

15. Click Next and then Finish.


Configuring the Link Aggregation Group (LAG)

Perform the following steps in the Voyager web interface of each cluster member that you want to make active:

1. Log in to Voyager.

2. Select Interface Configuration > Link Aggregation.

3. Type a Group ID for the LAG interface between 1 and 1024 (10 in our setup). Click Apply.

4. Select the interfaces you want to aggregate (eth-s1p1 and eth-s1p2 in our setup). Click Apply.

5. Interfaces that participate in one LAG must be on the same slot. It is preferable to put the two interfaces of a Bridge mode Virtual System (and so their LAGs) on different slots, so that a single slot failure does not take down both sides of the bridge.
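As an added check (not part of the Check Point document), the following Python script validates a planned set of LAG groups against the rules in this section before anything is typed into Voyager: Group IDs in 1..1024, every member of one LAG on the same slot, no port claimed by two LAGs, and the preference for a bridge-mode Virtual System's two interfaces to sit on different slots. It parses IPSO's eth-s<slot>p<port> naming; the interface lists, group IDs and the function names are constructed sample input, not Check Point's.

```python
import re

# IPSO names physical ports eth-s<slot>p<port>; a LAG is built from several of them.
IFACE_RE = re.compile(r"^eth-s(?P<slot>\d+)p(?P<port>\d+)$")


def slot_of(iface):
    """Return the slot number encoded in an IPSO physical interface name."""
    m = IFACE_RE.match(iface)
    if m is None:
        raise ValueError(f"not an IPSO physical interface name: {iface!r}")
    return int(m.group("slot"))


def check_lag_groups(groups):
    """groups maps a LAG Group ID to the list of physical interfaces it aggregates.
    Returns a list of problems; an empty list means the plan respects the rules from
    the LAG section (Group ID 1..1024, members on one slot, no port in two LAGs)."""
    problems = []
    owner = {}  # interface -> group that already claims it
    for gid, members in groups.items():
        if not 1 <= gid <= 1024:
            problems.append(f"LAG {gid}: Group ID must be between 1 and 1024")
        if len(members) < 2:
            problems.append(f"LAG {gid}: needs at least two member interfaces")
        slots = {slot_of(i) for i in members}
        if len(slots) > 1:
            problems.append(f"LAG {gid}: members span slots {sorted(slots)}; all must be on one slot")
        for i in members:
            if i in owner:
                problems.append(f"{i}: already a member of LAG {owner[i]}, cannot also join LAG {gid}")
            owner[i] = gid
    return problems


def bridge_vs_on_separate_slots(inside_if, outside_if, groups):
    """True when the two interfaces of a bridge-mode Virtual System use disjoint slots.
    Each interface is a physical port name or a LAG Group ID (int) looked up in groups."""
    def slots(ifc):
        return {slot_of(i) for i in groups[ifc]} if isinstance(ifc, int) else {slot_of(ifc)}
    return slots(inside_if).isdisjoint(slots(outside_if))


if __name__ == "__main__":
    # Constructed plan: LAG 10 on slot 1, LAG 20 on slot 2, bridge VS between them.
    plan = {10: ["eth-s1p1", "eth-s1p2"], 20: ["eth-s2p1", "eth-s2p2"]}
    print("problems:", check_lag_groups(plan))
    print("bridge VS on separate slots:", bridge_vs_on_separate_slots(10, 20, plan))
```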

Cisco Catalyst Switch Commands

The following are examples of commands you may need when using a Cisco Catalyst switch. Note that "mode on" forces a static EtherChannel with no LACP or PAgP negotiation, so the switch will not detect a member port that is cabled to the wrong gateway port; build the IPSO LAG and the channel group from matching port lists, and repeat the channel-group command on every member port (only one is shown here).

To configure EtherChannel on the switch ports that connect to the IPSO LAG members:

    (config)#interface gigabitEthernet 1/4
    (config-if)#channel-group 1 mode on

To configure a load-balancing algorithm on the switch:

    (config)#port-channel load-balance src-dst-ip

If you are using a single VLAN on the port-channel:

    (config)#interface Port-channel 1
    (config-if)#no ip address
    (config-if)#switchport access vlan 2

If you are using a trunk on the port-channel:

    (config)#interface Port-channel 1
    (config-if)#no ip address
    (config-if)#switchport trunk encapsulation dot1q
    (config-if)#switchport trunk allowed vlan 2
    (config-if)#switchport mode trunk

Active Active Mode VRRP Configuration

• In this mode every interface should be in the VRRP configuration (Trunk, No Trunk, and Physical).

• Before manually configuring any interface as VRRP monitored, you have to define an IP address on that interface.

• After the configuration is set for the first time, the IP addresses on the trunk interfaces change to funny net IPs.

• The non-trunk interfaces' IP addresses disappear from the interfaces after a Virtual System in Bridge mode (VSB) is created on them. Their VRRP configuration then appears on the Virtual System page, not on the main VRRP page.

• Before selecting an interface as a VLAN Trunk, you must enable VRRP on it.

• Virtual Routers and Virtual Switches are not supported in Active Active mode.

Configuring IP Addresses and Enabling VRRP monitor on the LAG interfaces

Perform the following steps within the Voyager web interface:

1. In Voyager, go to Interface Configuration > Interfaces.

2. Click the logical interface and give it a unique IP address and mask length, then click Apply. (This IP address is changed automatically if the interface is a trunk, or disappears if it is not, after the configuration is applied for the first time.)


3. On the other member, assign a different IP address from the same subnet (for example, 15.15.15.2 in our setup).

4. Select High Availability > VRRP.

5. Select Monitored Circuit for the interfaces on which you want to enable VRRP.

6. Assign a VRID for that interface. It must be the same on both members and different from the MVS VRID (sequential in our setup: 60, 61, 62, ...).

7. Assign a backup address (the same on both members).


8. Set the priority to 100 on one member and 95 on the other, according to how you distribute the Virtual Systems between the members: the member with priority 100 on an interface is the one that should be master for that interface's Virtual System.

9. Remove the physical interfaces you used to create the LAGs from the VSX object properties, and add the new LAG interfaces to the interface list. Select them as VLAN trunks if required.

10. After assigning the configuration to the VSX object, the IP addresses on the trunk interfaces change to funny IP addresses.

Note - All interfaces configured on the same Virtual System MUST be set with the same priority, and every interface should monitor the other interfaces that exist on the same Virtual System. This makes a Virtual System fail over as a unit; if one of its interfaces failed over alone, traffic for that Virtual System would enter through one member and leave through the other.


Creating a Virtual System in Bridge Mode

1. Create a new Virtual System by selecting the VSX Nokia Server > New Virtual System.

2. Give the Virtual System a name and select Bridge mode.

3. Add the interfaces for incoming traffic and outgoing traffic. Assign a unique subnet for the Virtual System's VRRP configuration.


System Definition

1. Within Voyager, go to the Virtual System tab and examine the specific VS configuration.

2. Go to the Interfaces list and see the funny IPs that were distributed to the trunk interfaces.

Known Limitations & Troubleshooting

• Limitation: Effective VRRP priority is decreased with every Virtual System created.

Solution: Manually remove the VLAN interfaces from the VRRP configuration. It is enough to monitor the physical interface. Note: This change is not saved after reboot, so it must be repeated after every restart.

• Limitation: When more than one Virtual System is defined, the interfaces of each Virtual System are automatically configured as monitored interfaces for all the other Virtual Systems. A single interface failure then causes all interfaces (every Virtual System) to fail over.

Solution: Manually remove the interfaces that belong to other Virtual Systems from the monitored circuit interfaces. Note: This manual edit is not saved after reboot, so it must be repeated after every restart.

• Limitation: Virtual System creation fails with the error "Interfaces cannot be set".

Solution: Enable VRRP monitoring on the interfaces on which you are trying to create the Virtual System.


• Limitation: In some cases, after defining a Virtual System, one of its interfaces is not added as monitored by the other interface in the VRRP configuration on the Virtual System page.

Solution: Manually add the interface on the Virtual Systems tab, under VRRP for that Virtual System. Note: This specific edit is saved after reboot.
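The following Python model is an added example, not part of the Check Point document, that shows why the Note in the VRRP configuration procedure (same priority on all interfaces of a Virtual System, each interface monitoring the others) matters, and what the cross-Virtual-System monitoring limitation above does to failover. It computes monitored-circuit mastership for two members: each VRID's effective priority is its base priority minus a delta for every monitored interface that is down, and the member with the higher effective priority is master. The topology, member names, VRID numbering and the delta of 10 per failed interface are constructed assumptions; the 100/95 priority split is the document's.

```python
from dataclasses import dataclass

# Assumed priority delta per failed monitored interface; the document does not state it.
PRIORITY_DELTA = 10

# Constructed topology: two bridge-mode Virtual Systems with two interfaces each.
VS_INTERFACES = {
    "vs_a": ["eth-s1p1", "eth-s2p1"],
    "vs_b": ["eth-s3p1", "eth-s4p1"],
}
# Active/active distribution: each member is master (100) for one VS, backup (95) for the other.
BASE_PRIORITY = {
    "vs_a": {"member1": 100, "member2": 95},
    "vs_b": {"member1": 95, "member2": 100},
}


@dataclass
class Vrid:
    vrid: int
    vs: str
    interface: str
    priority: dict      # member name -> base priority
    monitored: set      # interfaces whose failure lowers this VRID's effective priority


def build_vrids(mode):
    """mode selects the monitored-circuit layout:
    'per_vs'    every interface monitors all interfaces of its own VS (what the document prescribes)
    'cross_vs'  interfaces of every VS are monitored (the documented limitation after creating several VSs)
    'self_only' each VRID monitors only its own interface (violates the Note)
    """
    all_ifs = {i for ifs in VS_INTERFACES.values() for i in ifs}
    vrids, vrid = [], 60          # VRIDs numbered from 60 as in the document's setup
    for vs, ifs in VS_INTERFACES.items():
        for iface in ifs:
            if mode == "per_vs":
                monitored = set(ifs)
            elif mode == "cross_vs":
                monitored = set(all_ifs)
            elif mode == "self_only":
                monitored = {iface}
            else:
                raise ValueError(mode)
            vrids.append(Vrid(vrid, vs, iface, dict(BASE_PRIORITY[vs]), monitored))
            vrid += 1
    return vrids


def effective_priority(v, member, down):
    """Base priority minus one delta per monitored interface that is down on that member."""
    failed = len(v.monitored & down.get(member, set()))
    return max(v.priority[member] - PRIORITY_DELTA * failed, 0)


def master_of(v, down):
    # Highest effective priority wins (preemption assumed on). The name tie-break stands in
    # for VRRP's higher-address rule and never decides anything with the 100/95 split above.
    return max(v.priority, key=lambda m: (effective_priority(v, m, down), m))


def masters(mode, down=None):
    """Map each VRID to its master. down: member -> set of interfaces that are down there."""
    down = down or {}
    return {v.vrid: master_of(v, down) for v in build_vrids(mode)}


def split_virtual_systems(mode, down=None):
    """Virtual Systems whose VRIDs do not all share one master (asymmetric failover)."""
    down = down or {}
    by_vs = {}
    for v in build_vrids(mode):
        by_vs.setdefault(v.vs, set()).add(master_of(v, down))
    return sorted(vs for vs, ms in by_vs.items() if len(ms) > 1)


if __name__ == "__main__":
    scenarios = [
        ("per_vs", {}),                              # healthy: vs_a on member1, vs_b on member2
        ("per_vs", {"member1": {"eth-s1p1"}}),       # vs_a fails over as a unit
        ("cross_vs", {"member1": {"eth-s3p1"}}),     # a vs_b link drags vs_a over too
        ("self_only", {"member1": {"eth-s1p1"}}),    # vs_a split between the members
    ]
    for mode, down in scenarios:
        print(mode, down, masters(mode, down), "split:", split_virtual_systems(mode, down))
```

With the prescribed per-VS layout, a failed eth-s3p1 on member1 changes nothing for vs_a; with the cross-VS layout the same failure pulls vs_a onto member2 as well, which is the "failover of all interfaces when only one interface fails" behaviour above. With self-only monitoring, losing eth-s1p1 moves only VRID 60, leaving vs_a with a different master on each side of the bridge.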

Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]
