AndyDixon
Participant

Migration of IP details on VLAN interface

Hello all.

Firstly, Happy New Year!

This question is more of a sense check to the hive mind as I am still finding my way with CP security gateways.

My organisation is migrating its primary Internet access link to a new supplier. I have arranged a suitable out-of-hours maintenance window and want to verify that what I'm planning will work.

Our perimeter 4900s running R80.20 are configured with 4 x 1Gb interfaces bonded together. There are a number of VLAN interfaces that are members of this bond. One of the VLAN interfaces is for the Internet access. This is VLAN 4 (10.145.91.144/28). The 4900s are in HA and each VLAN interface has a ClusterXL VIP. VLAN 4 node 1: 10.145.91.155, node 2: 10.145.91.156, VIP: 10.145.91.147

The 4900s are configured with a default static route to push all non-specific traffic to the next hop IP address of 10.145.91.150.  This is the HSRP IP address of our current provider's CPE.

I have requested that the new supplier configure their CPE IP details to mirror that of our current provider and to tag the sub-interfaces with VLAN 4.

The new supplier is presenting their circuits via 10Gb capable copper cables. Our 4900s have the expansion card installed allowing 4 x 10Gb interfaces.  During the maintenance window, my plan is to amend the IP addressing of the existing VLAN 4 VLAN interface and VIP to something unused by my organisation, create a new VLAN interface on one of the 10Gb physical interfaces tagged with VLAN 4, re-apply the IP addressing, import topology and create the VIP. 

The 4900s should then send all default routed traffic out of a different interface.

I have a pair of spare 4600s that I'm using to duplicate the bond and VLANs and my plan appears to work but I want to ensure that I'm not missing any 'gotchas'. 

Many thanks in advance.

Andy

0 Kudos
1 Reply
Maarten_Sjouw
Champion

There is only 1 issue with your approach: do not in any case use the "Get Interfaces with Topology"!
We have seen too many times already that in an existing cluster configuration, interfaces lost their manually added configuration. Sometimes you need different settings for Anti-Spoofing than the gateway thinks, for instance.
When you change the connection to the new interface, all you need to do is go into the topology page of the gateway cluster and double-click the internet access interface. As per your plan you do not change the IP addresses, so all you will need to change is the actual interface for the connection. This is where you can find it:

Cluster interface.JPG

Regards, Maarten
0 Kudos
