This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Josh28
Contributor
‎2023-11-21 12:47 AM

Replacement of a VRRP Cluster

Dear mates,

I’m in charge of replacing a cluster of 12600 configured in VRRP and running R80.20 to a new cluster of 6600 running R81.10. From experience of hardware replacement, and after reading some posts here, I think of doing the following:

  • Install the new gateways using the clish configuration of the old ones by keeping the same IP address configurations, proxy arp / mcvr configs, static routes etc, fwkern.conf file etc...
  • Power off the 12600 standby member and connect to R81.10 new standby member
  • On the 6600, from the CMA, redo SIC, change cluster version and hardware model, fix topology as some interfaces name changed and install the policy in the gateway
  • Power off the 12600 primary unit to force traffic on the new 6600
  • Repeat the operation with the second R81.10 member etc…

Usually I don’t really think of ARP issue because of the VMAC feature of ClusterXL but being new to VRRP, I’m having seconds thoughts.

On the router side, on the PortChannel of the 12600 I see the following mac addresses :

  • Mac addresses declared on the MCVR configuration: to the best of my knowledge, those shouldn’t be impacted by the replacement as I’ll configure them on the new devices
  • Physical mac address associated to the bonding interfaces (50+ Vlans): this mac address will change and therefore require a G-ARP to update the mac address table of the router ? Easiest way would be to clear the arp cache on the Port-channel to force the update

Am I wrong on the analysis ? Is there some things I should verify before/after the switch of the cluster ?

Any tips will be appreciated.

Thanks.

0 Kudos
5 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-11-21 12:56 AM

What about the SMS ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Josh28
Contributor
‎2023-11-21 01:08 AM
In response to G_W_Albrecht

Hi,

Management is done through a MDSM already running R81.10.

0 Kudos
Martijn
Advisor
Advisor
‎2023-11-21 02:01 AM

Hi,

So the new cluster will also be VRRP or are you going for ClusterXL on the new setup?

If you stay with VRRP and use the same VRRP router ID, the virtual MAC for the virtual IP's should not change.
ClusterXL by default uses the MAC of the active member, but with VMAC you can change this if you like.

Yes, the MAC of the bonding group will change, but if you are going for VRRP or VMAC that should not be a problem for the virtual IP's. But in these cases it is always good to know how to send a G-ARP to clear ARP tables. Just in case. Or have access to routers to clear the ARP table on those devices.

Note the current MAC for virtual IP's and compare them after the change.

And with hardware swap, check if local.arp files are created for static NAT.

Martijn


0 Kudos
Josh28
Contributor
‎2023-11-21 02:59 AM
In response to Martijn

Hi Martijn,

Thanks for your reply.

 

I’ll Keep VRRP as it’s a customer’s request, with the same configuration so VRIDs will be the same.

I found this post about sending garp from the Check Point https://community.checkpoint.com/t5/Security-Gateways/How-to-send-G-ARP-manually/td-p/69895 seems usefull, but I might just do it from the router side.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-11-21 04:14 AM

I really believe below process would be best for you.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Replace-Upgrade-Cluster/td-p/69216

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events