This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stefano_Chiesa
Explorer
‎2018-10-29 02:45 AM

SPLAT R75.40 - Two VIP on the same cluster interface

Hello all.
Another question on the good old R75.40.
The customer has two subnets (let's say  10.0.136.0/23 and 10.0.141.0/24) used by the WIFI clients. At this moment the Default Gateway assigned by the DHCP server to the WIFI clients are two core switches in LAN (VLAN 100, with an HSRP IP for each subnet).
In the core switch the VLAN has a primary address (on the 136) and a secondaty on the 141 and, as said, two HSRP IPs as clients gateway.

Now the customer wan to logically place those subnets behind an interface of a CP cluster and make it work as DGW.
I tried to think to some solutions but I have several doubts.

1. I could configure two IPs (primary and secondaty) to a cluster member interface but CP does not support VIP on a secondary IP (sk89980)
2. The two subnets could be placed in two different VLANs (i.e. VLAN 100 for the 136 and VAN101 for the 141). in ths way the CP cluster could manage two VIPs on the same IF but the changes needed in the general configuration (switches, dhcp server...) would be really complex (on a production environment)
3. Yes, I could configure the two subnets on two different FW phisycal interfaces, but consuming all the available FW interfaces

Following solution (1) and:
* configuring the IF with primary and a secondary IP
* assigning a cluster VIP only on the primary 136 subnet (subnet 141 probably hidden to the cluster, not sure)
* manual ARP on each cluster member with the 141 requested VIP and MAC of the physical (or virtual?) interface (of course all cluster features would not work for this address, for example the failover)

Would the cluster see the 10.0.141 subnet as locally connected network and forward traffico to and from the manually natted IP?
Or do you know another way to achieve this goal?

Thanks to everybody, especially to ones that lost their time reading this a little  confused post.

Stefano.

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-10-29 04:28 AM

I would rather upgrade - an unsupported version will leave the customer alone in times of trouble, and every greater change (like the one above) could make it stop working. Contemplating a R80.10 upgrade would be the best you can do here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Stefano_Chiesa
Explorer
‎2018-10-29 05:22 AM
In response to G_W_Albrecht

Hello Gunther, you're absolutely right but the customer decide. We could deny the support but they pay for it, so I have to find a solution inside this environment....

Thanks anyway....

Stefano

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-10-29 05:27 AM

As you noted ClusterXL does not support more than one VIP/CIP on a single interface.  VRRP does support more than one address per interface, but I wouldn't recommend migrating to VRRP just to solve this problem.  You can try to monkey around with ARP and such to make two IP subnets work on the same VLAN/segment, but keep in mind that ClusterXL controls ARP so even if you somehow make that work it won't be a supported configuration and could suddenly break at any time, especially during a version upgrade or HFA application.

Can you just expand the 10.0.136.0/23 subnet to 10.0.136.0/22 for 1022 hosts total and get rid of 10.0.141.0/24 entirely?  Are there fixed IP assignments in the 10.0.141.0/24 subnet not subject to DHCP assignment?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Stefano_Chiesa
Explorer
‎2018-10-29 05:41 AM
In response to Timothy_Hall

Hello Timothy, thanks for your comment.

Unfotunately I cannot expand the 136 subnet.  I'll try to play with manual ARP.

I know that is not a standard/supported configuration but that cluster already have other "less" standard configs, so we're aware of this....!

Thanks again.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events