Re: Moving VRRP to VSX ClusterXL

ramakrishnan · ‎2023-03-21

Dears,

I am in process of migrating[Not upgrading] Checkpoint firewall from One Data Center to Another Data Center. Source DC has Checkpoint where VRRP has been configured. I want to plan those CP firewalls to another DC with ClusterXL [VSX firewalls].

With my limited knowledge of VRRP, there should be VMAC on VRRP IP will be burn[If I am not wrong there should be some calculation to arrive VMAC] where that will be learned in downstream switch, and downstream servers will have that VIP as gateway. So the traffic flow hits the sw then fwd the packet to ACTIVE CP FW. Is my understanding correct?

On the other hand, in Cluster VSX all Cluster members will have the same IP address, [Note CLuster in HA mode] how MAC will learn how the server will reach out to ACTIVE cluster members. Admin guide document says Active member will do ARP response...

And How should I do this migration [VRRP IP to Cluster VSX] without changing the gateway at the server side?

should I create a virtual interface on VSX cluster[my target DC fw] with that VRRP IP address?

Magnus-Holmberg · ‎2023-03-21

All your VSX cluster members will have diff IP. This for VS0

if you migrating a cluster to vsx, this cluster will be in one or more VS.

the VS only use one IP and the VS is only active on one box at the time.

i would recommend to run it in VSLS mode
if you run it in HA you can’t change VS instances without downtime. (Adding extra performance)

https://www.youtube.com/c/MagnusHolmberg-NetSec

ramakrishnan · ‎2023-03-21

Thanks Magnus for the response.

So having said that, one side CP cluster running on VRRP [hece we have VRRP IP] other side we going to have VSX clusterXL on HA[cant decide on VSLS / HA now] so my questing is at the server side If dont want to perform any gateway change I can "reuse" same VRRP IP on the interface so that will be shared y all VSX members so active will respond to ARP req.

so there will some momentry MAC updation will happen ? Please see attached overview diagram

ramakrishnan · ‎2023-03-22

Can anyone help me to validate attached approach method?

ramakrishnan · ‎2023-04-05

Dear All,

As I explained in the diagram, would it be necessary to trigger traffic to gw IP address from server node? Typically when we configure IP address on VS interfaces (just re-using VRRP IP) there will be GARP will trigger that's the basic implementation design for an any L3 devices? Or only GARP will trigger at the time of failover between cluster?

emmap · ‎2023-04-05

A cluster failover will trigger a GARP, yes. When you move from the old gateway to the new VS, established connections will drop as out of state and need to be restarted, generally in all this process the ARPs take care of themselves.

ramakrishnan · ‎2023-04-06

So you mean to say that, when we move to Old VRRP to new VS clusterXL model, established connection will get dropped out do we need to do failover? in order to ARP table update? From downstream switch MAC table perspective need to re-initiate the connection?

Are you a member of CheckMates?

Moving VRRP to VSX ClusterXL