This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
madu1
Contributor
‎2024-06-26 11:45 AM
Jump to solution

VSX - Virtual Switch/Router query

Question regarding VSX...

I have a VS with a VLAN 20 interface on 10.1.1.1.

I need to create a second VS and would ideally like the same network behind it, but it won't let me use VLAN 20 as it's already is use on another VS.

Hugely over simplified diagram below showing what I'd like to achieve.  The reasoning (because I'm sure you're wondering) is because VPN's on VS1 are screwed, so while that's being debugged I was hoping for a really quick fix by creating a new VS and bringing certain critical VPN traffic in through VS2 and still being able to access the kit on VLAN 20 that is already behind VS1.

Documentation hasn't been massively helpful in explaining this scenario.  Is there a way to do what I need?  I basically need to create the 'green line' on the diagram.

Would a Virtual Switch allow me to do this?

I'm also happy to have a different VLAN and subnet on VS2 if that's easier.  I'm guessing a Virtual Router is needed in that case?  But it's running VSLS and I gather VR's and VSLS don't play nicely?

(R81.20, managed from Multi Domain)

Drawing2.jpg

0 Kudos
2 Solutions

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2024-06-26 12:17 PM
Jump to solution

Overlap with IP space should not be the issue here as stated in

 https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/VSX-Rou...

Overlapping IP Address Space

VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).

This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.

Thus, it is feasible that more than one endpoint in a VSX environment will have the identical IP address, provided that each is located behind different Virtual System.

Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.

These tables can contain identical entries, but within different, segregated contexts.

Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more external IP addresses.

The below figure demonstrates how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.

VLAN overlap can be solve by adding indeed a virtual switch. See also this topic for more info 

https://community.checkpoint.com/t5/Maestro/Maestro-VSX-Configure-same-vlan-id-on-different-bond-VS/...

 

 

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-06-26 06:32 PM
Jump to solution

Using a Virtual Switch is the usual way this is facilitated.

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
4 Replies
Lesley
MVP Gold
MVP Gold
‎2024-06-26 12:17 PM
Jump to solution

Overlap with IP space should not be the issue here as stated in

 https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/VSX-Rou...

Overlapping IP Address Space

VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).

This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.

Thus, it is feasible that more than one endpoint in a VSX environment will have the identical IP address, provided that each is located behind different Virtual System.

Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.

These tables can contain identical entries, but within different, segregated contexts.

Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more external IP addresses.

The below figure demonstrates how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.

VLAN overlap can be solve by adding indeed a virtual switch. See also this topic for more info 

https://community.checkpoint.com/t5/Maestro/Maestro-VSX-Configure-same-vlan-id-on-different-bond-VS/...

 

 

-------
Please press "Accept as Solution" if my post solved it 🙂
madu1
Contributor
‎2024-06-26 01:56 PM
In response to Lesley
Jump to solution

Hi @Lesley , thanks for your reply.  I've tried this tonight while the office is empty and it works a treat.

I was a bit nervous at first because I couldn't create the virtual switch on VLAN 20 - once again, it was already in use.

I deleted that VLAN interface from VS1, then added the virtual switch on the main VSX using VLAN 20, added a new interface "Leads to virtual switch" on VS1 and put the IP back on.  Same on VS2, then VPN'd into VS2 and I can hit the servers originally behind VS1.  Great result!

I've learnt to name the virtual switch something relevant as you can't rename it once it's there.

Thanks again!

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2024-06-26 06:32 PM
Jump to solution

Using a Virtual Switch is the usual way this is facilitated.

CCSM R77/R80/ELITE
0 Kudos
madu1
Contributor
‎2024-06-27 12:44 AM
In response to Chris_Atkinson
Jump to solution

Thanks again.  I don't have much day-to-day exposure to VSX, it's quite a simple deployment and it's sat there and ran with no problems for 10 years.  I'm glad I've learnt something new 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events