This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ziggurat
Participant
‎2020-12-05 07:11 PM

Check Point firewall entries in Cisco ARP table

Hi everyone

 

This is probably a simple one so apologies in advance. I have a Check Point 5800 HA cluster in a Data Centre and following some work on a Cisco Nexus, looked at the ARP table and saw the following for my firewalls:

 

Internet 19.23.13.140 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP VRRP)
Internet 19.23.13.141 0 001c.7f81.13a8 ARPA GigabitEthernet0/0/0 (CP 1 interface)
Internet 19.23.13.142 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP 2 interface)

 

Can someone tell me why CP2 MAC address is the same as CP VRRP? I was thinking that CP2 is acting as the master but would appreciate if this could be confirmed.

 

Many thanks

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-12-05 09:00 PM

Depending on the configuration that seems…plausible.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-12-05 10:57 PM

ClusterXL uses the same MAC unless you tell it to use a vMAC, VRRP however by default uses a vMAC, which type is defined by the command you add your VIP addresses with.

These are the options to set the vMAC per VIP:

vmac-mode

VRRP - Sets the VMAC to the format outlined in the VRRP protocol specification RFC 3768. It is automatically set to the same value on all Security Gateways in a Virtual Router. This is the default.

Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the master and the backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs because they are dependent on the physical interface MAC address of the current master.

Static - Manually set the VMAC address. Enter the VMAC address after the static-mac keyword.

Note - If you configure different VMACs on the master and backup, you must make sure that you select the correct proxy ARP setting for NAT.

Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate more random address. If you select this mode, Gaia constructs the same MAC address for master and backups in the Virtual Router.

Note - If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer or during failover. This is caused by duplicate IP addresses for the master and backup. This is expected behavior because the master and backups temporarily use the same virtual IP address until they get master and backup status.

So it looks like your VRRP VIP for this interface has been set with the option vmac-mode interface.

in clish do:

show configuration mcvr

This will show you all VIP commands.

 

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events