R80.40 Linux Commands and VSX
I have been working with a customer and have not been able to figure out (nor is it documented) how to run Linux commands at the CLI level. For example, I was trying to do a simple arping to update the upstream switch after a hardware cutover, so I proceeded to run 'arping -U -c 3 -I bond1.10 -s 10.10.10.1 10.10.10.254' and immediately got "bind: could not assign requested address". This to me looks like it's trying to do it at VS 0 context instead of the VS I'm currently in.
Any help would be appreciated.
When you are trying to run arping on an IP that is not local to its interface, you will get this error. To prevent this:
Enable binding to non-local IP addresses on-the-fly:
cat /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
cat /proc/sys/net/ipv4/ip_nonlocal_bind
Replace the 1 with a 0 to turn it off again.
To expand a bit on why this is relevant, VSX tries to hide a lot of how it works. Really, it's VRFs (R80.30 and earlier) or network namespaces (R80.40). Each physical member gets a VRF or NetNS for each VS you define. These VRFs/NetNSs are then clustered like any other Check Point cluster. To provide the illusion of the VS being a single thing which can move between the physical cluster members, you only have to specify one IP address for each interface. That IP is the cluster VIP. In the background, the management then sets up the VRFs/NetNSs on the physical members with automatically-allocated off-net IP addresses.
Check Point includes wrappers for many Linux commands which make them work in the individual VRF/NetNS and show results from the cluster. 'ifconfig', for example, is wrapped and shows you the cluster IPs rather than the member IPs on the interfaces. If you use /sbin/ifconfig, you will see the member IPs.
As a result of this, all IPs on the same network as the VS's IP are inherently not on the same network as the members' IPs. Therefore you have to use this ip_nonlocal_bind trick to use arping to resolve addresses in the VS's networks.
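Added example, not part of the original thread: a shell wrapper around the ip_nonlocal_bind toggle from the replies above. It records the current value, enables the setting for one command, and writes the previous value back afterwards, so the gateway is not left accepting non-local binds once the arping is done. The function name `with_nonlocal_bind` and the `NONLOCAL_BIND_PATH` override are hypothetical, introduced only for this sketch.

```bash
#!/bin/sh
# Added example (not from the thread). Run one command with
# ip_nonlocal_bind enabled, then restore whatever value was set before.
#
# NONLOCAL_BIND_PATH is a hypothetical override so the function can be
# exercised against a scratch file; by default the real sysctl file is used.
#
# Usage, with the command from the first post:
#   with_nonlocal_bind arping -U -c 3 -I bond1.10 -s 10.10.10.1 10.10.10.254

# The body is a subshell "( ... )", so variables and traps stay local to it.
with_nonlocal_bind() (
    path="${NONLOCAL_BIND_PATH:-/proc/sys/net/ipv4/ip_nonlocal_bind}"

    if [ "$#" -eq 0 ]; then
        echo "usage: with_nonlocal_bind <command> [args...]" >&2
        exit 2
    fi

    # Remember the current setting instead of assuming it was 0.
    previous="$(cat "$path")" || exit 1

    # Restore on every way out of this subshell: normal exit, command
    # failure, or an interrupt (Ctrl-C) while the command is running.
    trap 'echo "$previous" > "$path"' EXIT
    trap 'exit 130' INT TERM

    # Enable binding to non-local addresses (requires root on the real file).
    echo 1 > "$path" || exit 1

    # Run the requested command and hand its exit status back to the caller.
    status=0
    "$@" || status=$?
    exit "$status"
)
```

The wrapper's exit status is that of the wrapped command, so it can be used in scripts that check whether the arping succeeded.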
