Explorer

Cluster to cisco L3 port

Hello All,


I am trying to set up an L3 port on a Cisco switch to connect to a Check Point ClusterXL cluster. I cannot figure out how to configure the interfaces on the Check Point members to manage the traffic coming from the switch.

I have tried adding two switch ports into a port-channel, with one port going to each cluster member, however this does not seem to work.

Can someone please advise on the correct way to do this?

5 Replies

- Use two layer 2 ports in the same VLAN on the switch.

- Now connect the CP gateways to these ports.

- If you use CCP multicast -> do not configure multicast port security on the switch ports.

More reading here:
R80.x - cheat sheet - ClusterXL

ClusterXL R80.30 Administration Guide 

Explorer

Thanks for your reply,

If I use layer 2 I will not be able to add an IP to the Cisco switch for the gateway of the LAN.

Advisor

You either use:

1.) Single port on Cisco to single port on Check Point, so 1 cable per member, NO port channel, 2 cables overall.

2.) Port channel on Cisco to bond interface on Check Point, i.e. 2 cables from the Cisco to 2 interfaces on the same Check Point that are bonded together, so 4 cables/ports used on the Cisco and 2 on each Check Point member.

You cannot bond interfaces or split a bond on the Cisco across 2 cluster members.

You can, if your switches can handle it, split a port channel across 2 switches and then use a bond on the Check Point, so basically the opposite way to what you are trying to do currently. Again, that would be 4 cables/ports on the Cisco and 2 ports on each Check Point.

Champion

To get your Layer-3 interface going, you need to define a VLAN with the IP that you want on that connection to the Check Point cluster, add 2 access ports to this VLAN, and connect the 2 Check Point gateways to these 2 ports.
Regards, Maarten
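As an added illustration of the SVI-plus-two-access-ports design described in the replies above (example configuration written for this page, not taken from the thread or from Check Point documentation): the addressing, VLAN number and interface names are constructed, and it assumes the cluster virtual IP is configured on the ClusterXL side in the same /24.

```ios
! Constructed addressing for the switch-to-cluster segment (10.10.10.0/24):
!   SVI 10.10.10.1, member A 10.10.10.2, member B 10.10.10.3,
!   ClusterXL virtual IP 10.10.10.10 (assumed to be set on the cluster object)
ip routing
!
vlan 100
 name TO-CLUSTERXL
!
! The routed interface lives on the VLAN, not on the physical ports
interface Vlan100
 description L3 gateway toward Check Point ClusterXL
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! One plain access port per cluster member; no port-channel across members
interface GigabitEthernet1/0/1
 description ClusterXL member A
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 no switchport port-security
!
interface GigabitEthernet1/0/2
 description ClusterXL member B
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 no switchport port-security
!
! Default route points at the cluster virtual IP so failover does not
! leave the switch forwarding to a member that is no longer active
ip route 0.0.0.0 0.0.0.0 10.10.10.10
```

Check that both access ports stay in the same VLAN and carry no port-security, otherwise CCP multicast between the members can be dropped and the cluster state flaps.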
Explorer

Thanks for the reply, 

So the Cisco switch does not need to be a "no switchport" in order to route the traffic? I can apply the IP to the VLAN and do an ip route 0.0.0.0 0.0.0.0 "VLAN IP". Is this correct?
