Introduction to VSX Clusters

In This Section:

VSX Clustering Overview

Planning a VSX Cluster Deployment

VSX High Availability

Virtual System Load Sharing (VSLS)

Bridge Mode

Using Virtual Switches in a Cluster

This chapter presents a conceptual overview of VSX cluster deployments, with emphasis on clustering features and their application. It assumes you are familiar with network cluster applications and environments, particularly ClusterXL.

The Cluster Management chapter provides detailed configuration procedures, including instructions for enabling and using all VSX clustering features.

VSX Clustering Overview

VSX clusters provide redundancy and load sharing features for Virtual Systems and other Virtual Devices. A VSX cluster consists of two or more identical, interconnected VSX Gateways that ensure continuous data synchronization.

VSX High Availability ensures continuous operation by means of transparent gateway failover. Virtual System Load Sharing (VSLS) enhances system performance by distributing active Virtual Systems amongst cluster members.

The advantages of using clusters in a VSX environment include:

Physical Clusters

VSX clustering is based on Check Point ClusterXL concepts. This section reviews these concepts, and then demonstrates how these principles apply to VSX virtualization.

In a typical Security Gateway deployment, a cluster consists of two or more identical, interconnected physical Security Gateways that provide redundancy and/or Load Sharing. This cluster behaves as a single Security Gateway and is assigned its own IP address, which is known as its cluster IP or virtual IP. This cluster IP address is distinct from the physical IP addresses of its cluster members, which are hidden from the networks connected to the cluster.

Traffic from external networks or the Internet directed to the internal networks arrives at the external cluster IP address. Depending on the clustering mode (High Availability or Load Sharing), a designated cluster member receives the traffic and performs the required inspection. After inspection, traffic is either sent to its destination on the internal network, or dropped.

Internal networks send traffic destined for the Internet or external networks to the cluster IP address. This traffic is processed by the designated cluster member, inspected, and forwarded to its external destination.

Each member interface has a unique physical IP address. These IP addresses, which are invisible to physical networks, are used for internal communication between members and the management server for such tasks as downloading policies, sending logs and checking the status of individual cluster members.

VSX Clusters

VSX clusters, like their physical counterparts, connect two or more synchronized Gateways in such a way that if one fails, another immediately takes its place. VSX clusters are defined at two levels:

VSX ensures that Virtual Systems, Virtual Routers, Virtual Switches and their interfaces are provisioned and configured identically on each cluster member. The figure below shows that each cluster member contains identical instances of each Virtual Device. These identical instances are referred to as peers.

VSX provides the management functionality to support network and security virtualization, including: