This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mitesh
Participant
‎2022-08-04 07:08 AM

ClusterXL Virtual MAC

Hi,

We having 6200 appliance with us and want to configure ClusterXL VMAC.

Due to shortage of IP Addresses we are not able to configure cluster via Cluster IP (VIP).

For Virtual MAC (VMAC) what will be the requirement & how to can configure the same.

0 Kudos
6 Replies
Bob_Zimmerman
Authority
Authority
‎2022-08-04 07:23 AM

You still need to have one IP address for the cluster in each network you want it to handle, unless you intend to run in bridge mode.

Each cluster member also needs its own unique IP address in the same network as all other cluster members. The members send heartbeats to each other using these addresses. These per-member IPs don't need to be in the same networks you plan to actually use for traffic. You need to use a separate network per interface. That is, you can't use 10.20.30.1/24 for eth1, 10.20.30.2/24 for eth2, and so on.

Configuring VMAC is pretty easy. It's a checkbox in the cluster settings (same place where you pick between HA and load-sharing clustering modes). When you can take an outage, check the box and push policy. The cluster members will start using the virtual MAC. You do need an outage window, because other endpoints on the networks may not see the MAC change until their ARP entries time out.

0 Kudos
Mitesh
Participant
‎2022-08-04 09:01 AM
In response to Bob_Zimmerman

Thanks Bob for the reply....

What i understand from reply is that we have to assign IP Addresses to each appliances interfaces.

 FW-AFW-B
eth1 (WAN)113.10.40.50113.10.40.51
eth2 (LAN)192.168.0.1192.168.0.2

 

Is the above understanding is right.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2022-08-04 01:39 PM
In response to Bob_Zimmerman

Remember that you do have an option to have VIP in one subnet (say your real public IP) and cluster members can be configured using "dummy" private IPs. If you have shortage of IPs. It's described in ClusterXL admin guide, i.e.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/C... 

Bear in mind that the feature has its limitations and you need to consider those before proceeding. 

Not too sure if it helps with your VMAC dillema though

 

 

 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2022-08-04 03:37 PM
In response to Kaspars_Zibarts

Yep. That’s why I said “These per-member IPs don't need to be in the same networks you plan to actually use for traffic.” 😉

Off-net member IPs aren’t commonly used outside of VSX (where they are mandatory, but automatically handled). They work well, though. I have a firewall in production which works like a more extreme version of that. I manually fake all the normal layer-3-to-2 stuff. It was built to deal with some absolutely nightmarish requirements.

Chris_Atkinson
Employee Employee
Employee
‎2022-08-04 07:35 AM

sk32073 and ClusterXL admin guide describe the configuration.

Note there are some ARP requirements you may need to be aware of, please refer:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/L...

CCSM R77/R80/ELITE
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2022-08-04 01:52 PM

For ClusterXL you need minimum of 3 IPs to be reserved from one subnet, example 10.0.0.0/24:

1. VIP (10.0.0.1/24)

2. 1st node IP (10.0.0.2/24)

3. 2nd node IP (10.0.0.3/24)

If you are running out of free IPs, your next option can be to convert to VSX where you will need only VIP IP to be reserved for the Virtual System (10.0.0.1/24). Remaining 2 IPs (10.0.0.2/24 and 10.0.0 3/24) are not needed anymore and can be used for end devices instead.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top