Hi,
Thanks for your quite thorough explanations. If that is so, besides not
using VLAN tagging (but only on Cisco switches), are there any important
settings that I should take note of? I just knew that I have to disable
IGMP snooping on Cisco switches.
Thanks very much.
Regards,
Alex
Fabrice BARUTEL wrote:
Hi,
As you talk about "First, VLANs cannot be used in the synchronization
network in any version", I understand you have only one physical link to
each Cisco 6500 per Checkpoint server. So, I deduce you wanted to
enable VLAN tagging on this physical interface, which would support all your
networks and the synchronization network.
If you didn't enable VLAN tagging on the Checkpoint server, VLAN tagging would
not be seen by the Checkpoint server. Here, I have a ClusterXL with Cisco
Catalyst 29xx switches working with VLANs and some VLAN trunks on the Cisco side
(-> so VLANs are transmitted under trunk), AND I do not use VLAN tagging on
the Checkpoint server: it works like a charm! It's because Checkpoint doesn't
see VLAN tagging on the Cisco switches; it thinks they are physical dedicated
networks.
I also advise you to back up the trunk between the Cisco 6500s (if it is possible, do
it with a link different from the fiber): because if your fiber failed, your
trunk would fail too, and the synchronization network would fail, so each member of
ClusterXL could think the other member is down => I think it would be
panic (each member could be Active). Synchronization is the "heart beat" of
a cluster in general, so it is very important to have a reliable one.
This time, I hope I explained better and understood your problem well.
--
Fabrice BARUTEL
fabrice.barutel AT steria DOT com
------------------------------
Date: Wed, 19 Apr 2006 17:11:12 +0800
From: "Alex S." <alexals AT KKIPC DOT COM>
Subject: Re: State Sync does not supports VLAN ?
Hi,
What do you mean by 'level 2'? By the way, our Check Point server does
not enable VLAN tagging on its interfaces.
Regards,
Al
Fabrice BARUTEL wrote:
Hi,
I think you should deal only with level 2 on your Cisco 6500 with VLAN
tagging, because your synchronization network shouldn't be tagged on
the Checkpoint side. Then the Checkpoint servers will not see that your Cisco
switches use VLANs.
Try to create a new VLAN for the synchronization network, which will be
transferred/tagged across your trunk between your two Cisco 6500s.
Good luck.
--
Fabrice BARUTEL
------------------------------
Date: Wed, 19 Apr 2006 13:04:42 +0800
From: "Alex S." <alexals AT KKIPC DOT COM>
Subject: State Sync does not supports VLAN ?
Hi there,
I read about State Synchronization in the ClusterXL document, which says that
"There are two restrictions to the synchronization network:
First, VLANs cannot be used in the synchronization network in any
version. Second, in older versions, the interface used for the
synchronization network must be a real interface with a real IP address
(as opposed to a cluster IP or a virtual IP)." page 15.
I have two Cisco Catalyst 6500 series switches which are connected to each other
by fibre (trunked together), and our firewalls are connected to them on both sides
through a dedicated VLAN (two in location A and one in location B).
My question is: does it really work? Has anybody done a state sync
across two routing switches before? If yes, can someone kindly give me a
guide about this?
Thanks very much.
Regards,
Al.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================