routed seems to finally work

We have a fairly huge dynamic routing infrastructure, and the new ‘routed’ daemon was pretty flaky for a long time after its release in April 2013. Last week we finally got a version, routed-0.1-cp986005013.i386.rpm, that was stable and could handle our environment. So I can finally say it’s time to move dynamic routing to the firewall, and you don’t have to worry about crashing your environment when routed suddenly stops working or fails to come up.

Having said that, the management of routed is still weak.

1) No zero-downtime upgrades: you have to copy routes between members and then delete them
2) Stop/Start clustering and routing separately
3) Debugging is pretty primitive; Linux-level skills required

Route ON!

dreez

 


Comments

  • Henrik Noerr  On October 22, 2014 at 2:05 pm

    Hi Dreez,

    Do you have support for point-to-point links in your build?
    Also the possibility to filter internal ospf routes from the route table?

    I have seen issues on r77.20 with the virtual private cluster net being announced even though this should have been fixed in r77.20.

    Best regards,
    Henrik Noerr

    • Henrik Noerr  On October 22, 2014 at 2:05 pm

      I should say, the above have been seen in VSX installations 🙂

      • Dreezman  On October 23, 2014 at 1:47 am

        Sorry, not here so can’t comment.

        Thanks!
        dreez

  • Alex  On November 10, 2014 at 10:12 pm

    Hello Dreezman!

    1) No zero-downtime upgrades: you have to copy routes between members and then delete them

    When I tested 77.20 with OSPF on an HA cluster, I saw that the routes from OSPF exist on the main node in netstat -rn and ip route; on the backup node I also saw those routes in ip route, but not in netstat -rn. So I thought route sync is working, and that should be fixed, with no need to make new membership.

    • Dreezman  On November 10, 2014 at 10:17 pm

      Hey Alex,

      I’m interested in this, but not sure I understood what you are saying. YES, the netstat -rn and ‘show route ospf’ are different.

      Did you say that R77.20 upgrade, the HIGHER version member in READY state had OSPF routes?

      Thanks
      dreez

      • Alex  On November 10, 2014 at 11:26 pm

        I mean that “ip route” shows routes, that are installed in kernel and used.
        In a 77.20 HA cluster with dynamic routing, I see that on the master and backup nodes of the Check Point GW the dynamic routes are in the kernel, so if you make a failover, you do not need to make new membership with other routers, get new routes, and install them. Those routes already exist on both nodes.
        So, theoretically, a non-stop-forwarding update of the cluster should not be a pain now. I say “theoretically” because I have not tested it, but saw that at the site of one of my customers. A bit later I’ll make a lab to prove to myself that it is true.

      • Dreezman  On November 14, 2014 at 2:36 am

        Hey thanks for update. Sorry I still don’t quite understand.

        1) Are you upgrading to R77.20? So the active member is R77.10 with OSPF routes and the “READY” member is at R77.20…and it gets routes from the active member?

        or just failing over and back on a R77.20 cluster

        Thanks!


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
