topic Re: VSX - Virtual Switch/Router query in Firewall and Security Management

VSX - Virtual Switch/Router query

madu1 — Wed, 26 Jun 2024 18:45:11 GMT

Question regarding VSX...

I have a VS with a VLAN 20 interface on 10.1.1.1.

I need to create a second VS and would ideally like the same network behind it, but it won't let me use VLAN 20 as it's already is use on another VS.

Hugely over simplified diagram below showing what I'd like to achieve. The reasoning (because I'm sure you're wondering) is because VPN's on VS1 are screwed, so while that's being debugged I was hoping for a really quick fix by creating a new VS and bringing certain critical VPN traffic in through VS2 and still being able to access the kit on VLAN 20 that is already behind VS1.

Documentation hasn't been massively helpful in explaining this scenario. Is there a way to do what I need? I basically need to create the 'green line' on the diagram.

Would a Virtual Switch allow me to do this?

I'm also happy to have a different VLAN and subnet on VS2 if that's easier. I'm guessing a Virtual Router is needed in that case? But it's running VSLS and I gather VR's and VSLS don't play nicely?

(R81.20, managed from Multi Domain)

Re: VSX - Virtual Switch/Router query

Lesley — Wed, 26 Jun 2024 19:17:38 GMT

Overlap with IP space should not be the issue here as stated in

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/VSX-Routing-Concepts.htm

Overlapping IP Address Space

VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).

This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.

Thus, it is feasible that more than one endpoint in a VSX environment will have the identical IP address, provided that each is located behind different Virtual System.

Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.

These tables can contain identical entries, but within different, segregated contexts.

Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more external IP addresses.

The below figure demonstrates how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.

VLAN overlap can be solve by adding indeed a virtual switch. See also this topic for more info

https://community.checkpoint.com/t5/Maestro/Maestro-VSX-Configure-same-vlan-id-on-different-bond-VS/m-p/206121#M2421

Re: VSX - Virtual Switch/Router query

madu1 — Wed, 26 Jun 2024 20:56:42 GMT

Hi @Lesley , thanks for your reply. I've tried this tonight while the office is empty and it works a treat.

I was a bit nervous at first because I couldn't create the virtual switch on VLAN 20 - once again, it was already in use.

I deleted that VLAN interface from VS1, then added the virtual switch on the main VSX using VLAN 20, added a new interface "Leads to virtual switch" on VS1 and put the IP back on. Same on VS2, then VPN'd into VS2 and I can hit the servers originally behind VS1. Great result!

I've learnt to name the virtual switch something relevant as you can't rename it once it's there.

Thanks again!

Re: VSX - Virtual Switch/Router query

Chris_Atkinson — Thu, 27 Jun 2024 01:32:12 GMT

Using a Virtual Switch is the usual way this is facilitated.

Re: VSX - Virtual Switch/Router query

madu1 — Thu, 27 Jun 2024 07:44:45 GMT

Thanks again. I don't have much day-to-day exposure to VSX, it's quite a simple deployment and it's sat there and ran with no problems for 10 years. I'm glad I've learnt something new 🙂