Introduction to VSX Clusters

In This Section:

VSX Cluster Overview

Planning a VSX Cluster Deployment

VSX High Availability

Virtual System Load Sharing (VSLS)

Bridge Mode

Using Virtual Switches in a VSX Cluster

This chapter presents a conceptual overview of VSX Cluster deployments, with emphasis on clustering features and their application. It assumes you are familiar with network cluster applications and environments, particularly ClusterXL.

The Cluster Management chapter provides detailed configuration procedures, including instructions for enabling and using all VSX Cluster features.

For more about Check Point ClusterXL features and functionality, see the R80.30 ClusterXL Administration Guide.

VSX Cluster Overview

VSX Clusters provide redundancy and load sharing features for Virtual Systems and other Virtual Devices. A VSX Cluster consists of two or more identical, interconnected VSX Gateways that ensure continuous data synchronization.

VSX High Availability ensures continuous operation by means of transparent VSX Cluster Member failover. Virtual System Load Sharing (VSLS) enhances system performance by distributing Active Virtual Systems amongst VSX Cluster Members.

The advantages of using clusters in a VSX environment include:

Physical Clusters

VSX Cluster is based on Check Point ClusterXL concepts. This section reviews these concepts, and then demonstrates how these principles apply to VSX virtualization.

In a typical Security Gateway deployment, a cluster consists of two or more identical, interconnected physical Security Gateways that provide redundancy and/or Load Sharing. This cluster behaves as a single Security Gateway and is assigned its own IP address, which is known as its Cluster IP or Virtual IP address. This IP address is distinct from the physical IP addresses of its VSX Cluster Members, which are hidden from the networks connected to the cluster.

Traffic from external networks or the Internet directed to the internal networks arrives at the external cluster IP address. Depending on the clustering mode (High Availability or Load Sharing), a designated VSX Cluster Member receives the traffic and performs the required inspection. After inspection, traffic is either sent to its destination on the internal network, or dropped.

Internal networks send traffic destined for the Internet or external networks to the cluster IP address. This traffic is processed by the designated VSX Cluster Member, inspected, and forwarded to its external destination.

Each member interface has a unique physical IP address. These IP addresses, which are invisible to physical networks, are used for internal communication between VSX Cluster Members and the Management Server for such tasks as downloading Security Policies, sending logs and checking the status of individual VSX Cluster Members.

VSX Clusters

VSX Clusters, like their physical counterparts, connect two or more synchronized Gateways in such a way that if one fails, another immediately takes its place. VSX Clusters are defined at two levels:

VSX ensures that Virtual Systems, Virtual Routers, Virtual Switches and their interfaces are provisioned and configured identically on each VSX Cluster Member. The figure below shows that each VSX Cluster Member contains identical instances of each Virtual Device. These identical instances are referred to as peers.

Item  Description                 Item  Description
1     Virtual System 2            7     VSX Cluster Member 1
2     Virtual System 1            8     VSX Cluster Member 2
3     Internet                    9     VLAN switch
4     Router                      10    Network 2
5     External Cluster Interface  11    Network 1
6     Sync                              VLAN Trunk

VSX provides the management functionality to support network and security virtualization, including: