netbones
Nexus 3K & Check Point FW HA Config

I need help configuring HA between a single Check Point 12K firewall (77.20) and two Cisco Nexus 3K switches (latest rev) in Primary/Secondary mode.  There is a vpc between the two switches.  The goal is to have a connection from each Nexus switch going to a port channel bond on the Check Point firewall (2 ports).

I can handle the Check Point side, I just need to know the correct way to set the Nexus switches up so that if one connection is down (as in the Nexus switch fails) traffic to/from the CP FW fails over automatically to the other Nexus switch.  If I need to have 2 ports from each Nexus going to 4 total ports on the CP that is also a good solution.

On top of the points, the correct solution will also get a $25.00 Starbucks (or the coffee of your choice) gift card.  I need this answer by Tuesday 7/14 so I am very motivated!

Note: These switches are all copper ports except for the interconnects between them.
Don Johnston
netbones
Hey Thanks.

However I already have the two switches setup that way, what I need is the configuration between the switches and the Check Point FW.  My problem is that I assume I need to have a channel bond established on the CP device, but that doesn't translate (to me) back to each switch, since it would in effect break the channel bond (because one leg goes to one switch, the other to the other switch) and the Nexus boxes won't see it as a port channel.
I'm really sorry, but I don't understand.

You would configure the CP device the same way you would if there was a channel to a single device.
It's me that doesn't understand!  So I have 2 ports on the CP box, configured as a port channel and a single IP associated to that bond.

I have 2 Nexus switches in Primary/Secondary mode with a vpc established between the two of them.  

I take port one on the channel bond of the CP box and plug it into a port on Nexus 1, and do the same with port 2 and plug it into a port on the Nexus 2.

Is that really all I need to do, no other configuration on the Nexus boxes?
Yes. That's really all there is to it.  The existence of vPC is completely transparent to the remote device.  As far as your CP device is concerned, it's just a channel to another, single device.
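As an added example (not part of the original thread or either participant's config), this is the per-switch NX-OS configuration that the answer above implies: the same port-channel number and vPC ID on both Nexus switches, each with its own physical member cabled to the firewall bond. The interface names, VLAN 100, port-channel/vPC ID 20, and the assumption that the Check Point bond is configured as 802.3ad (LACP) are placeholders and assumptions; the vPC domain and peer-link are assumed to exist already, as the asker states.

```text
! --- Nexus 1 (vPC primary) ---
! Assumed: vPC domain and peer-link already configured and up.
feature lacp
!
interface Ethernet1/10
  description Check Point 12K bond member 1 (placeholder port)
  switchport
  switchport mode access
  switchport access vlan 100
  channel-group 20 mode active
  no shutdown
!
interface port-channel20
  description vPC 20 to Check Point bond (LACP)
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge
  vpc 20
!
! --- Nexus 2 (vPC secondary): identical apart from the physical member ---
feature lacp
!
interface Ethernet1/10
  description Check Point 12K bond member 2 (placeholder port)
  switchport
  switchport mode access
  switchport access vlan 100
  channel-group 20 mode active
  no shutdown
!
interface port-channel20
  description vPC 20 to Check Point bond (LACP)
  switchport mode access
  switchport access vlan 100
  spanning-tree port type edge
  vpc 20
```

After cabling, `show vpc 20` and `show port-channel summary` on each switch should show port-channel20 up with its single member, and `show lacp neighbor` should show the same partner system ID on both switches; the four-port variant the asker mentions is just a second member interface per switch in channel-group 20. If the Check Point bond is a non-LACP mode such as XOR, use `channel-group 20 mode on` instead of `mode active`.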
I'll be testing the config on Wednesday. Assuming all is well I'll PM you to get your email address to send the Starbucks card to!  Thanks -