3 addresses from the same subnet. A traditional approach rather than the one
you are attempting.
I am well aware of what the guide tells us and have been in contact with
Check Point since the beginning of the year because of issues this type of
config can and has caused. Using the same subnet approach works fine and I
suggest you use it until Check Point ratifies the 2 private / 1 public scenario.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Anuska
Aragón Fernández
Sent: 26 May 2003 11:31
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Cluster interface and members interface question
Jim wrote:
> Use same subnet addressing for all 3 interfaces.
;-) That's a good one.
Now seriously, I can't, I have just one address in this network.
Also from the FireWall-1 Guide:
"Defining the Cluster IP Addresses
The IP addresses of the cluster itself are different than the IP addresses
of the cluster members. In FIGURE 5-4, the IP address of the cluster is
172.20.10.100, and this is the only legal IP address in the cluster. ... By
default, a member network of cluster member interfaces in a given direction
is the same subnet on which the cluster interface resides. In this example,
the cluster external interface IP address is not in the same subnet as the
external member network. Because of this, the cluster interface in that
direction must be explicitly associated with the cluster member network in
the same direction. "
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Anuska Aragón Fernández
> Sent: 26 May 2003 10:40
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] Cluster interface and members interface question
>
>
> Environment: RedHat Linux 7.3 / Fw1 NG FP3 HF2 / Cluster XL
>
> As far as I know (reading the doc) it is possible to define members
> network interface in a network and the cluster interface in another
> network. So, I have defined, one of the cluster interfaces with real
> addressing and the members interfaces with private address as:
>
> Cluster interface 130.x.x.1
> (in the member network tab, I have put 192.168.10.0)
>
> Member node1 interface 192.168.10.1
> Member node2 interface 192.168.10.2
>
> At each member, I have defined a static route so that the 130.x.x.0
> network will be directed through the corresponding interface.
>
> I have a Cisco router connected to the 130.x.x.0 network (address
> 130.x.x.2). At the router I have defined a static arp entry with the
> multicast mac address of the cluster
>
> arp 130.x.x.1 0100.xxx.xxx ARPA
>
> My problem comes when I try to connect to the router. The cluster
> sends an arp request, but with the private address of the members:
>
> 11:33:45.110728 arp who-has 130.x.x.2 tell 192.168.10.2
>
> And the router doesn't reply. I think because it doesn't know where
> this network is.
>
> Does it mean that the router (or any node connected to the network)
> needs to know about the node members network? I don't think this
> should be like this. I think the cluster should send the arp packets
> with the cluster address instead of the member address.
>
> Am I doing something wrong? Have I missed something? Any clue?
>
> Thanks in advance.
>
> --
> A n u s k a A r a g ó n
> Servicio Informático e-mail: anuska.aragon AT si.unirioja DOT es
> Universidad de La Rioja Tf.: +34 941 299233
> Av. de La Paz 93, 26004 Logroño Fax: +34 941 299180
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
--
A n u s k a A r a g ó n
Servicio Informático e-mail: anuska.aragon AT si.unirioja DOT es
Universidad de La Rioja Tf.: +34 941 299233
Av. de La Paz 93, 26004 Logroño Fax: +34 941 299180
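As an added example (not part of the thread), here is a small Python check that parses tcpdump ARP lines like the one Anuska captured and flags requests whose sender address is off the link's subnet, which is exactly the symptom a router on the public network will ignore. The sample capture is constructed; 192.0.2.0/24 stands in for the elided 130.x.x.0 network.

```python
import ipaddress
import re

# Matches tcpdump's ARP request format, e.g.
# "11:33:45.110728 arp who-has 130.x.x.2 tell 192.168.10.2"
ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")


def parse_arp_requests(lines):
    """Return (target, sender) pairs for every ARP request line; replies are skipped."""
    out = []
    for line in lines:
        m = ARP_REQ.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def offsubnet_requests(lines, link_subnet):
    """Flag ARP requests whose sender IP is not on link_subnet.

    A router on that link normally has no route back to the sender and
    will not answer, which is the failure described in the thread
    (cluster members asking with their private 192.168.10.x addresses).
    """
    net = ipaddress.ip_network(link_subnet)
    flagged = []
    for target, sender in parse_arp_requests(lines):
        if ipaddress.ip_address(sender) not in net:
            flagged.append((target, sender))
    return flagged


# Constructed sample capture: 192.0.2.0/24 stands in for the thread's
# public 130.x.x.0 network; 192.168.10.x are the member addresses.
SAMPLE_CAPTURE = [
    "11:33:45.110728 arp who-has 192.0.2.2 tell 192.168.10.2",
    "11:33:46.220113 arp who-has 192.0.2.2 tell 192.0.2.1",
    "11:33:47.330542 arp reply 192.0.2.2 is-at 00:00:5e:00:53:01",
]

if __name__ == "__main__":
    for target, sender in offsubnet_requests(SAMPLE_CAPTURE, "192.0.2.0/24"):
        print(f"ARP for {target} sourced from off-subnet address {sender}")
```

Run it against `tcpdump -n -i <iface> arp` output from a member to confirm whether requests on the public link are being sourced from the member address or the cluster address.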