topic double vlan IP addresses in Firewall and Security Management

double vlan IP addresses

CPRQ — Fri, 11 Oct 2019 20:26:55 GMT

We are on R80.20 on VSX platform.
when we add a new vlan with specific IP 10.x.x.x it also automatically assigned a new IP 192.168.x.x to same vlan as shown below.
What is the purpose of those IPs 192.168.x.x ?
Also when firewall try to resolve DNS, why it use source IP those 192.168.x.x. addresses Not real IP (10.x.x.x) assigned to vlan .
How firewall can use its real IP 10.x.x.x as a source IP to resolve DNS?

1> show interface bond0.300
ipv4-address 10.10.2.1/24

1> show interface bond0.301
ipv4-address 10.10.3.1/24

1> show interface bond0.302
ipv4-address 10.10.4.1/24

set interface bond0.300 state on
set interface bond0.300 mtu 1500
set interface bond0.300 ipv4-address 192.168.192.50 mask-length 28
set interface bond0.301 state on
set interface bond0.301 mtu 1500
set interface bond0.301 ipv4-address 192.168.192.34 mask-length 28
set interface bond0.302 state on
set interface bond0.302 mtu 1500
set interface bond0.302 ipv4-address 192.168.192.18 mask-length 28

Re: double vlan IP addresses

Wolfgang — Fri, 11 Oct 2019 21:05:14 GMT

CPRQ,

adding these 192.168.xx.xx addresses are normal behaviour.

this the VSX internal network used for internal communication. You can see the configuration of this network here:

SmartDashboard - open VSX cluster object - go to "Cluster Members" pane - refer to section "Cluster members internal communication network"

For outgoing connections from the VSX-cluster they should be NATed behind the configured IP of the interface. The behaviour of this NAT is described in Outgoing connections from Virtual System in VSX cluster are sent with source IP address that belongs to cluster Internal Communication Network instead of cluster Virtual IP address

Wolfgang

Re: double vlan IP addresses

CPRQ — Mon, 14 Oct 2019 14:41:29 GMT

Thank you. We are going through the SK, it seems exactly what we are seeing and looking answer for it. Thanks