This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CheckMate
Explorer
‎2019-10-29 08:17 PM

Cluster to cisco L3 port

Hello All,

 

I am trying to setup and L3 port on a cisco switch to connect to a checkpoint Cluster-XL, i cannot figure out how to configure the interfaces on the checkpoint members to manage the traffic coming from the switch.

I have tried adding two switch ports into a port-channel with one of each ports going to the cluster members, however this does not seem to work.  

Can someone please advise on the correct way to do this?

checkpoint-cisco.PNG
Preview file
29 KB
0 Kudos
5 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2019-10-30 02:12 AM

- Use two layer 2 ports in the same vlan on the switch.

- Now connect the CP gateways to this ports

- If you use CCP multicast -> do not configure multicast port security on the switch ports

More read here:
R80.x - cheat sheet - ClusterXL

ClusterXL R80.30 Administration Guide 

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
CheckMate
Explorer
‎2019-10-30 04:32 PM
In response to HeikoAnkenbrand

Thanks for your reply,

If use layer 2 i will not be able to add and IP to the cisco switch for the gateway of the LAN

0 Kudos
mdjmcnally
Advisor
‎2019-10-30 04:51 AM

You either use

1.) Single Port on Cisco to Single Port on Check Point, so 1 cable per member NO Port Channel,2 Cables overall

2.) Port Channel on Cisco to Bond Interface on Check Point.   ie 2 cables from Cisco to 2 interfaces on the same Check Point that are bonded together, so 4 Cables/Ports used on the Cisco and 2 each on each Check Point Member

You cannot bond interfaces or split a bond on the Cisco across 2 Cluster Members.

You can if your switches can handle it split a Port Channel across 2 Switches and then use a Bond on the Check Point so basically the opposite way to what you trying to do currently.  Again would be 4 Cables/Ports in the Cisco and 2 ports on each Check Point.

 

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-30 05:40 AM

To get your Layer-3 interface going, you need to define a VLAN with the IP that you want on that connection to the Check Point cluster, you add 2 access ports to this VLAN and you connect the 2 Check Point gateways to these 2 ports.
Regards, Maarten
0 Kudos
CheckMate
Explorer
‎2019-10-30 04:51 PM
In response to Maarten_Sjouw

Thanks for the reply, 

So the cisco switch does not need to be a "no switchport" in order to route the traffic?  I can apply the IP to the vlan and do an ip route 0.0.0.0 0.0.0.0 "VLAN IP". is this correct ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top