Firewall-1

Re: [FW-1] Cluster interface and members interface question

Subject: Re: [FW-1] Cluster interface and members interface question
From: Anuska Aragón Fernández <anuska.aragon AT SI.UNIRIOJA DOT ES>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 26 May 2003 12:30:38 +0200

jim wrote:
> Use same subnet addressing for all 3 interfaces.

;-)  That's a good one.

Now seriously, I can't, I have just one address in this network.

Also from the FireWall-1 Guide:

"Defining the Cluster IP Addresses
The IP addresses of the cluster itself are different than the IP
addresses of the cluster members. In FIGURE 5-4, the IP address of the
cluster is 172.20.10.100, and this is the only legal IP address in the
cluster.
...
By default, a member network of cluster member interfaces in a given
direction is the same subnet on which the cluster interface resides. In
this example, the cluster external interface IP address is not in the
same subnet as the external member network. Because of this, the cluster
interface in that direction must be explicitly associated with the
cluster member network in the same direction.
"



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Anuska
Aragón Fernández
Sent: 26 May 2003 10:40
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Cluster interface and members interface question


Environment: RedHat Linux 7.3 / Fw1 NG FP3 HF2 / Cluster XL

As far as I know (reading the doc) it is possible to define the members'
network interfaces in one network and the cluster interface in another
network. So, I have defined one of the cluster interfaces with real
addressing and the member interfaces with private addresses as:

Cluster interface 130.x.x.1
(in the member network tab, I have put 192.168.10.0)

Member node1 interface 192.168.10.1
Member node2 interface 192.168.10.2

At each member, I have defined a static route so that the 130.x.x.0 network
will be directed through the corresponding interface.

I have a Cisco router connected to the 130.x.x.0 network (address
130.x.x.2). At the router I have defined a static ARP entry with the
multicast MAC address of the cluster

arp 130.x.x.1 0100.xxx.xxx ARPA

My problem comes when I try to connect to the router.  The cluster sends ARP
requests, but with the private address of the members:

11:33:45.110728 arp who-has 130.x.x.2 tell 192.168.10.2

And the router doesn't reply. I think because it doesn't know where this
network is.

Does it mean that the router (or any node connected to the network) needs to
know about the node members network? I don't think this should be like this.
I think the cluster should send the arp packets with the cluster address
instead of the member address.

Am I doing something wrong? Have I missed something?  Any clue?

Thanks in advance.

--
A n u s k a     A r a g ó n
Servicio Informático              e-mail: anuska.aragon AT si.unirioja DOT es
Universidad de La Rioja           Tf.:    +34 941 299233
Av. de La Paz 93, 26004 Logroño   Fax:    +34 941 299180

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


--
A n u s k a     A r a g ó n
Servicio Informático              e-mail: anuska.aragon AT si.unirioja DOT es
Universidad de La Rioja           Tf.:    +34 941 299233
Av. de La Paz 93, 26004 Logroño   Fax:    +34 941 299180
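
An added example, not part of the original thread: a check over tcpdump-style ARP request lines that flags requests for an address on a given segment whose sender ("tell") address is outside that segment, which is the mismatch visible in the capture quoted above. The sample lines are constructed; 198.51.100.0/24 stands in for the elided 130.x.x.0 network, and the /24 prefix length is an assumption.

```python
import ipaddress
import re

# Classic one-line tcpdump ARP request format, as in the capture in the post.
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+arp who-has\s+(?P<target>\S+)"
    r"\s+tell\s+(?P<sender>\S+)"
)

def off_subnet_requests(lines, connected_net):
    """Return (timestamp, sender, target) for ARP requests whose target is
    on connected_net but whose sender ("tell") address is not."""
    net = ipaddress.ip_network(connected_net)
    findings = []
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # not an ARP request line (e.g. a reply)
        try:
            target = ipaddress.ip_address(m.group("target"))
            sender = ipaddress.ip_address(m.group("sender"))
        except ValueError:
            continue  # hostname or elided address such as 130.x.x.2
        if target in net and sender not in net:
            findings.append((m.group("ts"), str(sender), str(target)))
    return findings

# Constructed sample capture (not from the thread).
SAMPLE = [
    "11:33:45.110728 arp who-has 198.51.100.2 tell 192.168.10.2",
    "11:33:46.110913 arp who-has 198.51.100.2 tell 192.168.10.2",
    "11:33:47.204511 arp who-has 198.51.100.1 tell 198.51.100.2",
    "11:33:48.001200 arp who-has 192.168.10.1 tell 192.168.10.2",
    "11:33:49.310000 arp reply 198.51.100.2 is-at 00:00:5e:00:53:01",
]

if __name__ == "__main__":
    for ts, sender, target in off_subnet_requests(SAMPLE, "198.51.100.0/24"):
        print(f"{ts} ARP for {target} sent from off-subnet address {sender}")
```
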
