topic Re: Replacement of a VRRP Cluster in Firewall and Security Management

Replacement of a VRRP Cluster

Josh28 — Tue, 21 Nov 2023 08:47:52 GMT

Dear mates,

I’m in charge of replacing a cluster of 12600 configured in VRRP and running R80.20 to a new cluster of 6600 running R81.10. From experience of hardware replacement, and after reading some posts here, I think of doing the following:

Install the new gateways using the clish configuration of the old ones by keeping the same IP address configurations, proxy arp / mcvr configs, static routes etc, fwkern.conf file etc...
Power off the 12600 standby member and connect to R81.10 new standby member
On the 6600, from the CMA, redo SIC, change cluster version and hardware model, fix topology as some interfaces name changed and install the policy in the gateway
Power off the 12600 primary unit to force traffic on the new 6600
Repeat the operation with the second R81.10 member etc…

Usually I don’t really think of ARP issue because of the VMAC feature of ClusterXL but being new to VRRP, I’m having seconds thoughts.

On the router side, on the PortChannel of the 12600 I see the following mac addresses :

Mac addresses declared on the MCVR configuration: to the best of my knowledge, those shouldn’t be impacted by the replacement as I’ll configure them on the new devices
Physical mac address associated to the bonding interfaces (50+ Vlans): this mac address will change and therefore require a G-ARP to update the mac address table of the router ? Easiest way would be to clear the arp cache on the Port-channel to force the update

Am I wrong on the analysis ? Is there some things I should verify before/after the switch of the cluster ?

Any tips will be appreciated.

Thanks.

Re: Replacement of a VRRP Cluster

G_W_Albrecht — Tue, 21 Nov 2023 08:56:03 GMT

What about the SMS ?

Re: Replacement of a VRRP Cluster

Josh28 — Tue, 21 Nov 2023 09:08:31 GMT

Hi,

Management is done through a MDSM already running R81.10.

Re: Replacement of a VRRP Cluster

Martijn — Tue, 21 Nov 2023 10:02:40 GMT

Hi,

So the new cluster will also be VRRP or are you going for ClusterXL on the new setup?

If you stay with VRRP and use the same VRRP router ID, the virtual MAC for the virtual IP's should not change.
ClusterXL by default uses the MAC of the active member, but with VMAC you can change this if you like.

Yes, the MAC of the bonding group will change, but if you are going for VRRP or VMAC that should not be a problem for the virtual IP's. But in these cases it is always good to know how to send a G-ARP to clear ARP tables. Just in case. Or have access to routers to clear the ARP table on those devices.

Note the current MAC for virtual IP's and compare them after the change.

And with hardware swap, check if local.arp files are created for static NAT.

Martijn

Re: Replacement of a VRRP Cluster

Josh28 — Tue, 21 Nov 2023 10:59:02 GMT

Hi Martijn,

Thanks for your reply.

I’ll Keep VRRP as it’s a customer’s request, with the same configuration so VRIDs will be the same.

I found this post about sending garp from the Check Point https://community.checkpoint.com/t5/Security-Gateways/How-to-send-G-ARP-manually/td-p/69895 seems usefull, but I might just do it from the router side.

Re: Replacement of a VRRP Cluster

the_rock — Tue, 21 Nov 2023 12:14:00 GMT

I really believe below process would be best for you.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216