This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Raska
Advisor
Advisor
‎2022-09-01 01:58 AM

VSX topology same as "Router on the stick"

Hello Mates,

I am looking for advice regarding topology and setup.

Currently the customer has one environment with FW where is FW connected only with one bond interface with many VLANs. Those VLANs are used by different customers for their networks like Internal, External etc.

 

They want to have the same setup with VSX where only one interface is and its Bond. Every VLAN is totally different subnet and is assigned directly to VS. This customer VLAN should be terminated on VS as Bond5.10 IP X.X.X.X.

I am not sure if this is possible to configure it like this as I have only a little experience with VSX design. To make it more complex, the HW is maestro.

I also find that Virtual Router is not supported. sk148074

01413513AllVirtual Routers are not supported.

 

So there can be only Virtual switch but I dont know how to fit in this design. Or do we need it at all? Can it work without?

I am attaching the topology and my question is if this setup is possible and supported or advice how to configure it. Thx

Preview file
122 KB
0 Kudos
7 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-09-01 08:36 AM

You only need a switch context if you want multiple VSs to talk on the same VLAN on the same interface (either physical or bond). In your topology, I don't see the same VLAN being used in two places, so you don't need a switch context.

0 Kudos
Martin_Raska
Advisor
Advisor
‎2022-09-01 11:58 PM
In response to Bob_Zimmerman

ok, I also think that Switch is not fitting in the design. Then there is no problem with only one physical interface(with multiple VLANs) for incoming and outgoing traffic as on the topology?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-09-02 07:15 AM
In response to Martin_Raska

I would recommend using a separate physical interface for managing the VSX box.

If it's meant to be a cluster, you should also use a separate physical interface for sync. Sync should always be run through a switch, not over a simple cable connected directly between the units.

There's definitely no problem with using only one physical interface or only one bond for all VS traffic, though. Just keep in mind that tightly couples your firewall member failure domain with your switch/router failure domain.

0 Kudos
Martin_Raska
Advisor
Advisor
‎2022-09-02 07:32 AM
In response to Bob_Zimmerman

Its maestro, there is separate Mgmt connections and its one member from SC console view, one security group.

0 Kudos
Martin_Raska
Advisor
Advisor
‎2022-09-05 02:43 AM
In response to Bob_Zimmerman

I hear this first time, could you explain, please?

"Sync should always be run through a switch, not over a simple cable connected directly between the units."

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-09-05 02:47 AM
In response to Martin_Raska

For ClusterXL different topologies for the Sync network have pros and cons.

In the context of Maestro please refer:

sk168092: Maestro Dual Site configuration using a direct connection and via L2 switches

CCSM R77/R80/ELITE
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-09-02 07:25 AM
In response to Martin_Raska

Further to Bob's comments some of these recommendations are enforced by your hardware choice being Maestro since the corresponding ports are on the orchestrators. 

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events