Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
madu1
Contributor
Jump to solution

VSX - Virtual Switch/Router query

Question regarding VSX...

I have a VS with a VLAN 20 interface on 10.1.1.1.

I need to create a second VS and would ideally like the same network behind it, but it won't let me use VLAN 20 as it's already is use on another VS.

Hugely over simplified diagram below showing what I'd like to achieve.  The reasoning (because I'm sure you're wondering) is because VPN's on VS1 are screwed, so while that's being debugged I was hoping for a really quick fix by creating a new VS and bringing certain critical VPN traffic in through VS2 and still being able to access the kit on VLAN 20 that is already behind VS1.

Documentation hasn't been massively helpful in explaining this scenario.  Is there a way to do what I need?  I basically need to create the 'green line' on the diagram.

Would a Virtual Switch allow me to do this?

I'm also happy to have a different VLAN and subnet on VS2 if that's easier.  I'm guessing a Virtual Router is needed in that case?  But it's running VSLS and I gather VR's and VSLS don't play nicely?

(R81.20, managed from Multi Domain)

Drawing2.jpg

0 Kudos
2 Solutions

Accepted Solutions
Lesley
Leader Leader
Leader

Overlap with IP space should not be the issue here as stated in

 https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/VSX-Rou...

Overlapping IP Address Space

VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).

This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.

Thus, it is feasible that more than one endpoint in a VSX environment will have the identical IP address, provided that each is located behind different Virtual System.

Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.

These tables can contain identical entries, but within different, segregated contexts.

Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more external IP addresses.

The below figure demonstrates how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.

VLAN overlap can be solve by adding indeed a virtual switch. See also this topic for more info 

https://community.checkpoint.com/t5/Maestro/Maestro-VSX-Configure-same-vlan-id-on-different-bond-VS/...

 

 

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

Chris_Atkinson
Employee Employee
Employee

Using a Virtual Switch is the usual way this is facilitated.

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
4 Replies
Lesley
Leader Leader
Leader

Overlap with IP space should not be the issue here as stated in

 https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/VSX-Rou...

Overlapping IP Address Space

VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).

This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.

Thus, it is feasible that more than one endpoint in a VSX environment will have the identical IP address, provided that each is located behind different Virtual System.

Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.

These tables can contain identical entries, but within different, segregated contexts.

Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more external IP addresses.

The below figure demonstrates how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.

VLAN overlap can be solve by adding indeed a virtual switch. See also this topic for more info 

https://community.checkpoint.com/t5/Maestro/Maestro-VSX-Configure-same-vlan-id-on-different-bond-VS/...

 

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
madu1
Contributor

Hi @Lesley , thanks for your reply.  I've tried this tonight while the office is empty and it works a treat.

I was a bit nervous at first because I couldn't create the virtual switch on VLAN 20 - once again, it was already in use.

I deleted that VLAN interface from VS1, then added the virtual switch on the main VSX using VLAN 20, added a new interface "Leads to virtual switch" on VS1 and put the IP back on.  Same on VS2, then VPN'd into VS2 and I can hit the servers originally behind VS1.  Great result!

I've learnt to name the virtual switch something relevant as you can't rename it once it's there.

Thanks again!

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Using a Virtual Switch is the usual way this is facilitated.

CCSM R77/R80/ELITE
0 Kudos
madu1
Contributor

Thanks again.  I don't have much day-to-day exposure to VSX, it's quite a simple deployment and it's sat there and ran with no problems for 10 years.  I'm glad I've learnt something new 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events