This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2022-04-05 12:13 PM

multihome VIP clusterXL

Hi, 

Has anyone tried to multihome a VIP in clusterXL?  It would be temporary.  We're moving a DMZ network from one firewall to another, otherwise have to change default routes & reboot 20 linux servers.   

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2022-04-05 02:08 PM

You mean use multiple subnets on the same physical interface with ClusterXL?
Pretty sure this is NOT supported.

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2022-04-05 02:29 PM
In response to PhoneBoy

Same subnet different IPs

The current VIP is 192.168.10.22 and I want it to also listen on 192.168.10.26 temporarily.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-05 02:33 PM
In response to Daniel_Kavan

Pretty sure that's not supported either (multiple VIPs on the same subnet).
That said, you could probably get the same effect by setting up a static ARP for .26 to give the same MAC as .22, so the packets are received by the relevant gateway. 

Daniel_Kavan
MVP Gold
MVP Gold
‎2022-04-06 12:03 PM
In response to PhoneBoy

Maybe we will try that.   I guess even if it doesn't survive a reboot, I could add it back.  Also, you'd only be able to put that on one of the cluster members I assume, so that may be a complication.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-04-06 12:44 PM
In response to Daniel_Kavan

As long as you don't need the cluster to send traffic from the VIP, you can just add a proxy ARP statement for it. Be sure to add it on both members. That will cause the active member to reply to ARP requests for the IP in question using the same mechanism which causes the active member to reply to ARP requests for the VIP. As long as ARP gets the traffic to the member, you should be fine.

Proxy ARP entries in clish survive reboot as long as you run 'save config'.

Daniel_Kavan
MVP Gold
MVP Gold
‎2022-04-18 11:59 AM
In response to Bob_Zimmerman

eth2 .25 cluster member A

eth2 .24 cluster member B

.26 is the new VIP and .22 is the IP on the old hardware. 

 

So, just to be clear I could add a proxy ARP for .22 in the web ui on each member.

IPv4 Address 192.168.10.22

Interface name eth2 or I can choose MAC and use the same MAC on the respective cluster member.

Real IP on member A will be 192.168.10.25, .24 on B

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-04-18 12:31 PM
In response to Daniel_Kavan

I would add it on the command line, but yes. That's fundamentally how the inbound leg of a ClusterXL VIP works in the first place.

As long as you don't need to negotiate dynamic routing with both IPs, it will work.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events