[c-nsp] Nokia Firewall Clustering on 6500 Cisco Switches

Joel M Snyder Joel.Snyder at Opus1.COM
Mon Sep 10 21:28:58 EDT 2007


Well, here's the best advice I can offer...

Nokia clusters have three modes of operation: multicast, unicast, and 
forwarding.

Forwarding is considered to be the most compatible mode, and no switch 
should be having trouble with that.  With forwarding mode, the cluster 
elects a master to receive the traffic using a normal unicast MAC 
address, and the master passes traffic to other cluster members using a 
private link (hopefully) to handle the load balancing.  You get a nice 
scalability there, so long as the path between the cluster nodes is not 
congested.  Given a 1Gb link up, there's only so far you can scale.

The other two modes, unicast & multicast, both depend on a MAC address 
that is either on multiple ports (unicast) or is multicast (multicast), 
and those generally will require some manual locking down of the 
forwarding database.  You get better performance with unicast if you 
need it, but because of the relative speed of things, you will probably 
never need to jump from forwarding mode.

However... you are running really, really old hardware (IP530) and 
really old software (R61), which leads me to wonder if you're not 
finding some old IPSO clustering bug.  I don't know if you've loaded 
IPSO 4.2 or are running something much older, but you should be up to 
rev on that.

Note that the IPSO clustering is completely separate from NGX load 
balancing in terms of configuration and setup, so you should be able to 
have a stable IPSO cluster (using Voyager) before you even bring NGX 
into the picture.

If the cluster is, indeed, stable (try some basic tests to see), then 
you may not have NGX properly linked in.  I just did some tests using 
NGX R65 and it was very solid (although I saw some load balancing 
problems related to NAT).

I would suggest you get 4.2 IPSO and NGX R65 and this should work like a 
champ on any Cisco switch in forwarding mode.  Three weeks ago, I 
tore down a Nokia Cryptocluster that had been on a 2924 for about 7 
years, and it was rock solid with a completely stock configuration.

jms



Nick Kassel wrote:
> We have a new Cisco network in test which is using a layer 3 routed access
> design; all switches are 6509. We are currently trying to test Nokia
> Firewall clustering using IP forwarding. Does anyone have any experience
> of this, as we are currently having issues with the cluster? Our firewall
> team seem to think that this may be an issue on the switches, as this
> previously worked fine on our old Nortel environment. On each firewall,
> when running the cphaprob state command, only the local firewall is shown
> and not both cluster nodes; however, on the Voyager GUI the cluster is
> showing both nodes correctly.
> 
> We have disabled IGMP snooping as recommended from another forum and
> this helped to display both nodes in voyager but not on the individual
> firewalls. 
> 
> Firewall setup consists of 2 x Nokia IP 530 running Checkpoint NGX R61
> with 4 physical network ports with vlans.
> 

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
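The "manual locking down of the forwarding database" that the unicast and multicast cluster modes need is not shown in the thread, so here is an added Catalyst 6500 IOS fragment for the multicast case (not from the original post or from Nokia/Cisco documentation). The VLAN, port names and the 0100.5e7f.0001 cluster MAC are placeholders, and the exact command spelling (`mac-address-table` vs. `mac address-table`) depends on the IOS release.

```ios
! Constructed example: pinning a Nokia cluster's shared multicast MAC on a
! Catalyst 6500 (IOS). VLAN 10, Gi1/1, Gi1/2 and the MAC are placeholders.
!
! In multicast mode the cluster MAC is never learned from a source frame, so
! IGMP snooping on the firewall VLAN has nothing to build on. Option 1 is to
! turn snooping off on that VLAN only (what the original poster did):
no ip igmp snooping vlan 10
!
! Option 2 keeps snooping on and instead pins the cluster MAC to exactly the
! ports where the firewall nodes sit, so frames are never flooded VLAN-wide:
mac-address-table static 0100.5e7f.0001 vlan 10 interface GigabitEthernet1/1 GigabitEthernet1/2
!
! Check that the entry exists and points at both member ports:
show mac-address-table address 0100.5e7f.0001 vlan 10
```

Forwarding mode, which the post recommends, uses the master's ordinary unicast MAC and needs neither of these entries.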