Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
853
Views
0
Helpful
3
Replies

9500 Stackwise Virtual with a pair of Checkpoint Firewall in Active/Standby mode

latenaite2011
Level 4
Level 4

‎01-24-2021 06:33 AM

Does anyone know if can connect to Checkpoint Firewall in active/standby mode using two different port-channel groups to (each port-channel to a different 9500) to a pair of 9500 configured with SWV?

When running on the primary Checkpoint, there are some performance issues and when failing to the standby, it works fine. The topology is provided here. SWV to CP.png

0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎01-24-2021 09:00 AM - edited ‎01-24-2021 09:01 AM

Cat 9500 StackWise virtual means (Physically 2, but logically 1)

 

So you will not get high availability based on the diagram

 

instead, i suggest making a dual-homed connection will be good from the design point of view.

 

 

CP Primary - 2 Link to to SWITCH1

CP Primary - 2 Link to to SWITCH2

 

CP Secondary  - 2 Link to to SWITCH1

CP Secondary  - 2 Link to SWITCH2

 

This will give high resilience in terms of connectivity and failure of Stachwise virtual.

 

If they are all in 1 Location, Make sure your SYNC Link dedicated between CP Primary to CP Seconday.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

latenaite2011
Level 4
Level 4
In response to balaji.bandi

‎01-24-2021 11:37 AM

Thanks Balaji, why not? the CP firewall is in active standby mode.

If the primary switch should fail, the it will fail to the standby switch
and at that point, the standby firewall may take over because the primary
firewall will detect some issues and failover.
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to latenaite2011

‎01-24-2021 12:48 PM - edited ‎01-24-2021 12:48 PM

Sure that also consider as a Failure case - i agree with you,  since we dont know rest of the network, in general practice we do dual home for suggested design, some case we consider.

 

is your cp cluster xl ? secure xl ? core xl ? design also refer them your vss / svl.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents