Franktum
Contributor

Failure when trying to create a new loopback interface in VSX

Hi:

I have to move a configuration from a regular cluster to a new one in VSX. The current cluster has BGP configured, and I came across a problem when trying to create a new loopback interface in order to configure the router-id afterwards.

After introducing the command I got an error:

CPFWL:0> add interface lo loopback 10.4.100.3/32
CLINFR0699 Invalid command.
CPFWL:0>

I tried to create the interface in the right VS, instead of 0, but same error.

The command in the cluster that's in production right now is the same:

add interface lo loopback 10.4.100.3/32

set router-id 10.4.100.3

In R81.20 Gaia Administration Guide, page 186, section Configuring Loopback Interfaces in Gaia Clish, you can read you need exactly that command to create it. What do I have to do to generate the new loopback interface then?

Thanks in advance

Fran

6 Replies
Alex-
MVP Silver

Loopback interfaces aren't supported on VSX.

https://community.checkpoint.com/t5/Security-Gateways/Loopback-interface-is-going-out-of-routing-tab...

Create an interface in the SmartConsole and use it as router-id even if it won't route any specific traffic.

R82+ VSNext probably gives you the possibility to create a loopback but I haven't tried it yet.

Bob_Zimmerman
MVP Gold

A router ID isn't actually an IP address. It doesn't need to belong to an interface.

[Expert@DallasticXL-s01-01:0]# echo "" && printf "${columnExpression}" \
> "VSID" "Interface" "Member IP" "Member MAC" "VIP" "VMAC" && \
> printf "${columnExpression}" \
> "-----" "------------" "------------------" "-----------------" "---------------" "-----------------" && \
> for context in $(ip netns list | cut -d' ' -f1 | sort);do
> vsid=$(echo "${context}" | sed -E "s/^CTX0{0,4}//")
> cphaprobOut=$(ip netns exec "${context}" cphaprob -a if 2>/dev/null)
> for IFACE in $(ip netns exec "${context}" ifconfig -a | egrep "^[^ ]" | awk "{print \$1}" | egrep -v "((gretap|gre|cpfifo_|br|wrpj|erspan)[0-9]+)");do
> interfaceOut=$(ip netns exec "${context}" ip addr show "$IFACE")
> address=$(echo "${interfaceOut}" | egrep "inet [0-9]+\..+${IFACE}$" | awk "{print \$2}")
> mac=$(echo "${interfaceOut}" | egrep "link/ether" | awk "{print \$2}")
> vip=$(echo "${cphaprobOut}" | egrep "$IFACE +[0-9]+" | awk "{print \$2}")
> vmac=$(echo "${cphaprobOut}" | egrep "$IFACE +[0-9]+" | awk "{print \$5}" | tr "A-F" "a-f")
> printf "${columnExpression}" \
> "${vsid:-0}" "$IFACE" "${address:--}" "${mac:--}" "${vip:--}" "${vmac:--}"
> done;done

VSID     Interface          Member IP        Member MAC             VIP              VMAC
----- ------------ ------------------ ----------------- --------------- -----------------
0             Sync       192.0.2.1/24 00:1c:7f:xx:xx:xx       192.0.2.1                 -
0            bond2                  - 00:1c:7f:81:02:fc               -                 -
0        bond2.100    172.16.100.1/24 00:1c:7f:81:02:fc    172.16.100.1                 -
0        bond2.101    172.16.101.1/24 00:1c:7f:81:02:fc    172.16.101.1                 -
0        bond2.102    172.16.102.1/24 00:1c:7f:81:02:fc    172.16.102.1                 -
0        bond2.103    172.16.103.1/24 00:1c:7f:81:02:fc    172.16.103.1                 -
0        bond2.104    172.16.104.1/24 00:1c:7f:81:02:fc    172.16.104.1                 -
0        bond2.124                  - 00:1c:7f:81:02:fc               -                 -
0        bond2.125                  - 00:1c:7f:81:02:fc               -                 -
0        bond2.126                  - 00:1c:7f:81:02:fc               -                 -
0        bond2.127                  - 00:1c:7f:81:02:fc               -                 -
0             eth1                  - 00:1c:7f:xx:xx:xx               -                 -
0             eth2                  - 00:1c:7f:81:02:fc               -                 -
0             eth3                  - 00:1c:7f:81:03:fc               -                 -
0             eth4                  - 00:1c:7f:81:04:fc               -                 -
0             eth5                  - 00:1c:7f:81:05:fc               -                 -
0               lo        127.0.0.1/8                 -       127.0.0.1                 -
0             wrp0      10.0.1.252/24 00:12:c1:10:00:fc      10.0.1.252                 -
1        bond2.120    172.16.120.1/24 00:1c:7f:81:02:fc    172.16.120.1                 -
1        bond2.121    172.16.121.1/24 00:1c:7f:81:02:fc    172.16.121.1                 -
1        bond2.122    172.16.122.1/24 00:1c:7f:81:02:fc    172.16.122.1                 -
1        bond2.123    172.16.123.1/24 00:1c:7f:81:02:fc    172.16.123.1                 -
1               lo        127.0.0.1/8                 -               -                 -
1            wrp64      10.0.1.250/24 00:12:c1:10:08:fc      10.0.1.250                 -
500           Mgmt                  - 00:1c:7f:xx:xx:xx               -                 -
500             lo        127.0.0.1/8                 -               -                 -
500          magg1                  - 00:1c:7f:xx:xx:xx               -                 -

[Expert@DallasticXL-s01-01:0]# gclish

[Global] DallasticXL-s01-01:0> set router-id 1.2.3.4
1_01:
success

1_02:
success

[Global] DallasticXL-s01-01:0> show router-id
1_01:

Router ID:  1.2.3.4


1_02:

Router ID:  1.2.3.4

You can add loopback interfaces in VSNext (R82 plus ElasticXL), but I don't personally see a reason to.

Alex-
MVP Silver

Possible, but I never tried an unused IP.

The advanced routing guide states that the router-id must either be a loopback other than 127.0.0.1 or a local VIP.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminG...

Even if it'd work otherwise, I prefer to stay in officially recommended setups, which avoids discussions with TAC should we need to make an SR for dynamic routing.

Bob_Zimmerman
MVP Gold

They actually say it must be a cluster VIP, which means it can't be a loopback, since loopbacks can't have VIPs. That is utter nonsense.

The router ID is just a 32-bit integer to identify every instance of a given router. 0x00000000 is treated inconsistently by various vendors, so it should not be used. Two separate devices which both act as the same router (e.g., two members of an HA cluster) must have the same router ID for graceful restart to work properly (graceful restart must still be explicitly enabled). Those are the only actual constraints on what number to use for a router ID.

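The two readings in this thread differ on what a router-id may be: Bob_Zimmerman's (a non-zero 32-bit integer that both cluster members agree on) and Alex-'s reading of the Advanced Routing guide (a local VIP or a loopback other than 127.0.0.1). The script below is an added example, not code from the thread or from Check Point. It parses a constructed table in the same column layout as the one Bob_Zimmerman's one-liner prints (the rows are copied from his output; the format string that one-liner's undefined `columnExpression` must hold, inferred from the column widths, would be `"%-5s %12s %18s %17s %15s %17s\n"`), then checks a candidate router-id against both sets of constraints. The function names, the `require_local` switch and the sample member dictionary are my own assumptions.

```python
"""Check a candidate router-id against (a) the protocol constraints and
(b) the stricter 'must be a local VIP or non-127 loopback' rule.
Added example; not part of the thread or of any Check Point tool."""
import ipaddress

# Constructed sample input: rows copied from the per-VS interface table in the
# thread. Columns: VSID Interface MemberIP MemberMAC VIP VMAC ("-" = none).
SAMPLE_TABLE = """\
VSID     Interface          Member IP        Member MAC             VIP              VMAC
----- ------------ ------------------ ----------------- --------------- -----------------
0             Sync       192.0.2.1/24 00:1c:7f:xx:xx:xx       192.0.2.1                 -
0        bond2.100    172.16.100.1/24 00:1c:7f:81:02:fc    172.16.100.1                 -
0               lo        127.0.0.1/8                 -       127.0.0.1                 -
1        bond2.120    172.16.120.1/24 00:1c:7f:81:02:fc    172.16.120.1                 -
1               lo        127.0.0.1/8                 -               -                 -
1            wrp64      10.0.1.250/24 00:12:c1:10:08:fc      10.0.1.250                 -
"""


def parse_vs_table(text):
    """Return {vsid: [(iface, member_ip, vip), ...]} from the aligned table."""
    result = {}
    for line in text.splitlines()[2:]:  # skip the header and separator rows
        cols = line.split()
        if len(cols) != 6:
            continue
        vsid, iface, member_ip, _mac, vip, _vmac = cols
        result.setdefault(int(vsid), []).append((iface, member_ip, vip))
    return result


def router_id_to_int(rid):
    """A router-id is a 32-bit integer; dotted-quad is only a notation for it."""
    return int(ipaddress.IPv4Address(rid))


def local_router_id_candidates(vsid, table):
    """Addresses the guide's reading would accept for this VS: its VIPs and any
    loopback address, with 127.0.0.0/8 excluded."""
    candidates = set()
    for iface, member_ip, vip in table.get(vsid, []):
        if vip != "-":
            candidates.add(vip)
        if iface.startswith("lo") and member_ip != "-":
            candidates.add(member_ip.split("/")[0])
    return {a for a in candidates if not ipaddress.ip_address(a).is_loopback}


def check_router_id(rid, vsid, table, members=None, require_local=False):
    """Return a list of problems; an empty list means the id is acceptable.

    members: hypothetical {member_name: configured_router_id} mapping, used to
    verify that cluster members acting as one router agree on the id."""
    problems = []
    try:
        value = router_id_to_int(rid)
    except ipaddress.AddressValueError:
        return [f"{rid!r} is not a 32-bit value in dotted-quad notation"]
    if value == 0:
        problems.append("router-id 0.0.0.0 is handled inconsistently by vendors")
    if members:
        disagreeing = {name: cfg for name, cfg in members.items() if cfg != rid}
        if disagreeing:
            problems.append(f"cluster members disagree on the router-id: {disagreeing}")
    if require_local:
        allowed = local_router_id_candidates(vsid, table)
        if rid not in allowed:
            problems.append(
                f"{rid} is not a VIP or non-127 loopback in VS {vsid}: {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    table = parse_vs_table(SAMPLE_TABLE)
    for rid, strict in (("1.2.3.4", False), ("1.2.3.4", True), ("172.16.100.1", True)):
        print(rid, "strict" if strict else "lenient",
              check_router_id(rid, 0, table, require_local=strict) or "OK")
```

With `require_local=False` the 1.2.3.4 used in the thread passes; with `require_local=True` it is rejected unless it appears as a VIP in that VS, which is the difference between the two positions above.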
the_rock
MVP Diamond

You are 100% right, that does work.

Best,
Andy

the_rock
MVP Diamond

@Alex- is right. R82+ vsnext does support loopback, but traditional vsx does not.

Best,
Andy