Re: [FW1] State Sync in 4.1 Beta
Dooley,
I've been in touch with them during the initial implementation, which was close
to 6 months ago. I was informed that VRRP is only for failover. I have also
been in touch with them in the past weeks regarding load sharing; they have not
changed their position. The only direction they gave us was to look into a layer
4 switch and disable VRRP.
Unless you can explain your point, please do not make this claim; it is not
productive to the list to put out information which cannot be confirmed or
backed up by whoever offered it.
HC
"Carric Dooley" <carric@com2usa.com> on 11/09/99 05:43:33 PM
To: Harry Chu/CTS/US/INSTINET@INSTINET
cc:
Subject: Re: [FW1] State Sync in 4.1 Beta
Harry,
Perhaps you should call your Nokia vendor. They will tell you load
sharing can be accomplished through VRRP. They just don't recommend
it.
Carric Dooley
Network Security Consultant
"A little inaccuracy sometimes saves a ton of explanation."
- H. H. Munro (Saki) (1870-1916)
-----Original Message-----
From: Harry_Chu@Instinet.com <Harry_Chu@Instinet.com>
To: Carric Dooley <carric@com2usa.com>
Date: Tuesday, November 09, 1999 5:12 PM
Subject: Re: [FW1] State Sync in 4.1 Beta
>
>Dooley,
>
>You are incorrect. That is not how VRRP works.
>
>VRRP gives you a virtual/shared IP Address. Sort of like HSRP for
>Cisco. Only one system can own the IP at a time. VRRP can only be
>used for failover, hence hotstandby. VRRP does nothing with load
>sharing.
>
>Also, dynamically routing and trading routes with neighboring
>routers will work for load sharing based on networks. However, it
>then cannot be used in conjunction with VRRP. Remember, VRRP is a
>virtual address. It represents 1 of 2 systems. The correct VRRP
>implementation is to have your neighboring routers point to the
>virtual address; that way if you lose one, there is another to take
>its place. If you are dynamically routing for failover or load
>sharing you won't and can point to a virtual address. It won't
>work.
>
>Also, if you support HIDES with VRRP, you should hide behind the
>virtual addresses to support the failover model.
>
>HC
>
>"Carric Dooley" <carric@com2usa.com> on 11/09/99 04:54:44 PM
>
>To: Harry Chu/CTS/US/INSTINET@INSTINET
>cc:
>Subject: Re: [FW1] State Sync in 4.1 Beta
>
>
>Here, read this thread:
>
>**********************************************************************
>I think the main issue to acknowledge is that there exists a
>need to distribute the load. This has got to be because one firewall
>can't handle it by itself, and, since you have a pair for HA, you
>might as well put your money to work.
>
>If the solution is based upon routing, with assistance from VRRP,
>this is not a performance hit. If the solution involves NAT, hiding
>behind 0.0.0.0, which effectively uses the IP address of the exit
>interface
>of the firewall, then you have a performance hit due to NAT.
>
>The asymmetric routing problem occurs when the external router
>thinks that all of the IP addresses behind the firewalls can be
>reached by forwarding packets to one IP address. If you can
>configure the external router to forward packets to subnet A through
>IP address A and packet to subnet B through IP address B, then you
>eliminate the asymmetric route condition.
>
>Jerald Josephs
>jjosephs@pacbell.net
>- ----- Original Message -----
>From: Carric Dooley <carric@com2usa.com>
>To: Jerald Josephs <jjosephs@pacbell.net>
>Sent: Thursday, October 28, 1999 12:57 PM
>Subject: Re: [FW1] VRRP on a Nokia for aliased interfaces
>
>
>> I missed what he meant about the 192.168.2 and 192.168.1. I see
>> what you are saying. So is it the fact that there are two networks on
>> the private side instead of one that eliminates the asymmetric routing
>> problems? My Nokia rep originally told me it can be done, but isn't
>> really a good idea, but we were talking in terms of one internal net
>> to the outside world.
>>
>>
>> -----Original Message-----
>> From: Jerald Josephs <jjosephs@pacbell.net>
>> To: Chris Shenton <cshenton@uucom.com>
>> Cc: fw-1-mailinglist@lists.us.checkpoint.com <fw-1-mailinglist@lists.us.checkpoint.com>
>> Date: Thursday, October 28, 1999 3:27 PM
>> Subject: Re: [FW1] VRRP on a Nokia for aliased interfaces
>>
>>
>> >
>> >Both the Alteon and the RadWare FireProof boxes
>> >maintain a table to know which firewall was assigned the
>> >connection.
>> >
>> >It is my understanding that when you put the load balancing
>> >boxes on both sides of the firewalls, the LB boxes communicate
>> >with each other so that symmetric routing is maintained. This
>> >answers Chris' last question.
>> >
>> >To get back to the very original topic, VRRP can be configured
>> >to support a load distribution as suggested. The main problem is
>> >maintaining the symmetric route. NAT in Dynamic mode can assist
>> >in this, but we have seen that if a site needs to distribute the
>> >load it is most likely enough of a load to where NAT slows things down.
>> >
>> >So, the idea of putting both 192.168.1.0 and 192.168.2.0 on the
>> >same wire or connecting the two firewalls to both hubs supporting
>> >these two networks is a great alternative.
>> >
>> >Consider this:
>> >
>> >                                     VRRP Master of:   VRRP Backup of:
>> >firewall-a: eth-s1p1 is x.x.x.2      x.x.x.4           x.x.x.5
>> >            eth-s1p2 is 192.168.1.2  192.168.1.1
>> >            eth-s1p3 is 192.168.2.2                    192.168.2.1
>> >
>> >firewall-b: eth-s1p1 is x.x.x.3      x.x.x.5           x.x.x.4
>> >            eth-s1p2 is 192.168.1.3                    192.168.1.1
>> >            eth-s1p3 is 192.168.2.3  192.168.2.1
>> >
>> >VRRP would also be running on the external interface.
>> >It would be configured to support two virtual routers.
>> >If I was to assume that firewall-a was .2 on the external
>> >network, and firewall-b was .3 on the external network, then
>> >allow for me to create .4 and .5 as the virtual routers.
>> >
>> >If an external router has a static route using x.x.x.4 for
>> >192.168.1.0 and another one using x.x.x.5 for 192.168.2.0, then
>> >you have created a load distribution model.
>> >
>> >All hosts on 192.168.1.0 use 192.168.1.1 as their default gateway.
>> >Any network connection that passes through the firewall that owns
>> >192.168.1.1 should come back through the same firewall because it
>> >would also own x.x.x.4 on the external interface.
>> >
>> >All hosts on 192.168.2.0 use 192.168.2.1 as their default gateway.
>> >Any network connection that passes through the firewall that owns
>> >192.168.2.1 should come back through the same firewall because it
>> >would also own x.x.x.5 on the external interface.
>> >
>> >Jerald Josephs
>> >jjosephs@pacbell.net
>> >
>> >
>**********************************************************************
>
>Carric Dooley
>Network Security Consultant
>
>"A little inaccuracy sometimes saves a ton of explanation."
>- H. H. Munro (Saki) (1870-1916)
>-----Original Message-----
>From: Harry_Chu@Instinet.com <Harry_Chu@Instinet.com>
>To: Carric Dooley <carric@com2usa.com>
>Cc: fw-1-mailinglist@lists.us.checkpoint.com <fw-1-mailinglist@lists.us.checkpoint.com>
>Date: Tuesday, November 09, 1999 3:36 PM
>Subject: Re: [FW1] State Sync in 4.1 Beta
>
>
>>
>>Hmmm,
>>
>>I may disagree with that. Do you have details explaining load
>>sharing with Nokias? We have many in production now running VRRP
>>and state syncing, but load sharing isn't at all in place. It is
>>set up in a hotstandby arch.
>>
>>Please explain.
>>HC
>>
>>
>>"Carric Dooley" <carric@com2usa.com> on 11/09/99 02:47:10 PM
>>
>>To: Harry Chu/CTS/US/INSTINET@INSTINET,
>> fw-1-mailinglist@lists.us.checkpoint.com
>>cc:
>>Subject: Re: [FW1] State Sync in 4.1 Beta
>>
>>
>>
>>You can do this with 4.0... the Nokias can be setup to load share.
>>It requires a specific config, but it can be done.
>>
>>
>>Carric Dooley
>>Network Security Consultant
>>
>>"A little inaccuracy sometimes saves a ton of explanation."
>>- H. H. Munro (Saki) (1870-1916)
>>-----Original Message-----
>>From: Harry_Chu@Instinet.com <Harry_Chu@Instinet.com>
>>To: fw-1-mailinglist@lists.us.checkpoint.com <fw-1-mailinglist@lists.us.checkpoint.com>
>>Date: Tuesday, November 09, 1999 2:37 PM
>>Subject: [FW1] State Sync in 4.1 Beta
>>
>>
>>>
>>>
>>>I've heard rumors that in Firewall-1 4.1 Beta it is possible to
>>>sync state tables across multiple firewalls. My obvious
>>>motivation is to load share in the future; this would be a
>>>requirement. Could anyone confirm or disclaim this?
>>>
>>>HC
>>>
>>>=============================================================================
>>> To unsubscribe from this mailing list, please see the instructions at
>>> http://www.checkpoint.com/services/mailing.html
>>>=============================================================================
>>
>>
>
>
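Jerald's two-virtual-router layout, as an added example that is not code from the thread or from Nokia or Check Point: a small model that checks whether the outbound and return halves of a connection cross the same firewall under the single-route and per-subnet-route external configurations he contrasts, and after one firewall fails over. The `owner`, `path_is_symmetric` and `check` functions are hypothetical; the firewall names and addresses come from his message.

```python
# Constructed model of the two-virtual-router VRRP layout in Jerald Josephs'
# message; names and addresses follow the thread, the functions are hypothetical.
from typing import FrozenSet, Optional

# Each firewall is VRRP master for one external and one internal virtual
# address and backup for the other pair (the table in the message).
FIREWALLS = {
    "firewall-a": {"master": {"x.x.x.4", "192.168.1.1"},
                   "backup": {"x.x.x.5", "192.168.2.1"}},
    "firewall-b": {"master": {"x.x.x.5", "192.168.2.1"},
                   "backup": {"x.x.x.4", "192.168.1.1"}},
}
# Default gateway used by hosts on each internal subnet.
INTERNAL_GATEWAY = {"192.168.1.0": "192.168.1.1", "192.168.2.0": "192.168.2.1"}
# The two external-router configurations the thread contrasts: every internal
# subnet reached through one virtual address, versus one static route per subnet.
SINGLE_ROUTE = {"192.168.1.0": "x.x.x.4", "192.168.2.0": "x.x.x.4"}
PER_SUBNET_ROUTES = {"192.168.1.0": "x.x.x.4", "192.168.2.0": "x.x.x.5"}

def owner(vip: str, down: FrozenSet[str] = frozenset()) -> Optional[str]:
    """VRRP election: the live master answers for a virtual address, otherwise
    the live backup; None when neither firewall is up."""
    for role in ("master", "backup"):
        for name, roles in FIREWALLS.items():
            if name not in down and vip in roles[role]:
                return name
    return None

def path_is_symmetric(subnet: str, routes: dict,
                      down: FrozenSet[str] = frozenset()) -> bool:
    """Outbound packets leave via the firewall that owns the subnet's gateway
    VIP; replies arrive via the firewall that owns the VIP named by the external
    router's static route. A stateful firewall only sees the whole connection
    when both halves cross the same box."""
    out_fw = owner(INTERNAL_GATEWAY[subnet], down)
    back_fw = owner(routes[subnet], down)
    return out_fw is not None and out_fw == back_fw

def check(routes: dict, down: FrozenSet[str] = frozenset()) -> dict:
    """Symmetry verdict per internal subnet for one external routing scheme."""
    return {s: path_is_symmetric(s, routes, down) for s in INTERNAL_GATEWAY}

if __name__ == "__main__":
    print("single route   :", check(SINGLE_ROUTE))
    print("per-subnet     :", check(PER_SUBNET_ROUTES))
    print("firewall-a down:", check(SINGLE_ROUTE, frozenset({"firewall-a"})))
```

With both firewalls up, the single-route scheme returns 192.168.2.0 traffic through the wrong box; once one firewall is down every virtual address collapses onto the survivor and both schemes become the hotstandby case.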