topic Re: ClusterXL Virtual MAC in Firewall and Security Management

ClusterXL Virtual MAC

Mitesh — Thu, 04 Aug 2022 14:08:16 GMT

Hi,

We having 6200 appliance with us and want to configure ClusterXL VMAC.

Due to shortage of IP Addresses we are not able to configure cluster via Cluster IP (VIP).

For Virtual MAC (VMAC) what will be the requirement & how to can configure the same.

Re: ClusterXL Virtual MAC

Bob_Zimmerman — Thu, 04 Aug 2022 14:23:11 GMT

You still need to have one IP address for the cluster in each network you want it to handle, unless you intend to run in bridge mode.

Each cluster member also needs its own unique IP address in the same network as all other cluster members. The members send heartbeats to each other using these addresses. These per-member IPs don't need to be in the same networks you plan to actually use for traffic. You need to use a separate network per interface. That is, you can't use 10.20.30.1/24 for eth1, 10.20.30.2/24 for eth2, and so on.

Configuring VMAC is pretty easy. It's a checkbox in the cluster settings (same place where you pick between HA and load-sharing clustering modes). When you can take an outage, check the box and push policy. The cluster members will start using the virtual MAC. You do need an outage window, because other endpoints on the networks may not see the MAC change until their ARP entries time out.

Re: ClusterXL Virtual MAC

Chris_Atkinson — Thu, 04 Aug 2022 14:42:46 GMT

sk32073 and ClusterXL admin guide describe the configuration.

Note there are some ARP requirements you may need to be aware of, please refer:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/Limitations-of-cluster-IP-addresses-on-different-subnets.htm

Re: ClusterXL Virtual MAC

Mitesh — Thu, 04 Aug 2022 16:01:21 GMT

Thanks Bob for the reply....

What i understand from reply is that we have to assign IP Addresses to each appliances interfaces.

	FW-A	FW-B
eth1 (WAN)	113.10.40.50	113.10.40.51
eth2 (LAN)	192.168.0.1	192.168.0.2

Is the above understanding is right.

Re: ClusterXL Virtual MAC

Kaspars_Zibarts — Thu, 04 Aug 2022 20:39:18 GMT

Remember that you do have an option to have VIP in one subnet (say your real public IP) and cluster members can be configured using "dummy" private IPs. If you have shortage of IPs. It's described in ClusterXL admin guide, i.e.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/Cluster-IP-addresses-on-different-subnets.htm

Bear in mind that the feature has its limitations and you need to consider those before proceeding.

Not too sure if it helps with your VMAC dillema though

Re: ClusterXL Virtual MAC

JozkoMrkvicka — Thu, 04 Aug 2022 20:52:51 GMT

For ClusterXL you need minimum of 3 IPs to be reserved from one subnet, example 10.0.0.0/24:

1. VIP (10.0.0.1/24)

2. 1st node IP (10.0.0.2/24)

3. 2nd node IP (10.0.0.3/24)

If you are running out of free IPs, your next option can be to convert to VSX where you will need only VIP IP to be reserved for the Virtual System (10.0.0.1/24). Remaining 2 IPs (10.0.0.2/24 and 10.0.0 3/24) are not needed anymore and can be used for end devices instead.

Re: ClusterXL Virtual MAC

Bob_Zimmerman — Thu, 04 Aug 2022 22:37:53 GMT

Yep. That’s why I said “These per-member IPs don't need to be in the same networks you plan to actually use for traffic.” 😉

Off-net member IPs aren’t commonly used outside of VSX (where they are mandatory, but automatically handled). They work well, though. I have a firewall in production which works like a more extreme version of that. I manually fake all the normal layer-3-to-2 stuff. It was built to deal with some absolutely nightmarish requirements.