[FW-1] Logical Interfaces and New HA Mode

Subject: [FW-1] Logical Interfaces and New HA Mode
From: Crist Clark <crist.clark AT GLOBALSTAR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 18 Apr 2006 10:41:46 -0700
I'm looking at the ClusterXL documentation trying to figure out how to
do logical interfaces in the "New Mode" High Availability. Is it even
possible?

I know that Check Point, for the most part, just ignores the existence of
logical interfaces. You just define the logical interfaces in the
topology, but include their networks in the anti-spoofing configuration
of the physical interface. Things just work out.

In our old Stonebeat setup, we could get away with it. We're moving to
ClusterXL, and I'd like to go to New Mode (to be ready to go to load
sharing). The firewall in question has more interfaces, but we'll just
look at one example.

Say I've got firewall A and B. Presently, I have both with,

    ce0    10.10.100.1/24
    ce0:1    10.10.200.1/24

That is, they have the same IP addresses, but in our 3rd party OPSEC
product or in Legacy Mode, that's how things work. Only one machine has
its interfaces up at any given time.

I need to re-IP for New Mode. I've got these for the "real" IPs of the
interfaces,

A:
    ce0    10.10.100.254/24
    ce0:1    10.10.200.254/24
B:
    ce0    10.10.100.253/24
    ce0:1    10.10.200.253/24

And the ClusterXL needs to assign 10.10.100.1 and 10.10.200.1 as the
virtual IP to those cluster interfaces.

Now, setting up ce0 is straightforward. I give the unique ce0 address
for each machine and specify 10.10.100.1 as the cluster IP. ClusterXL
does the magic to create the virtual 10.10.100.1 on the ce0 interfaces.
But what about ce0:1? Historically, I've set up a ce0_1 interface and
given it the IP address, and then added its networks to the topology of
ce0 to handle the anti-spoofing. The firewall knew that the IP address
on that interface belonged to itself, that it was associated with ce0
didn't really matter. And the anti-spoofing was taken care of by
configuring the physical interface. But with ClusterXL, the firewall
needs to set up the virtual 10.10.200.1 IP address on ce0. I've added
a ce0_1 to the Topology tab, and it all looks nice and pretty, but it
doesn't seem to work. How do I associate a virtual cluster interface with
a physical cluster interface and get the logical interface's virtual
IP working?
--
Crist J. Clark                               crist.clark AT globalstar DOT com
Globalstar Communications                                (408) 933-4387

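The post lays out an address plan for moving two members from a shared-IP (Legacy Mode) layout to ClusterXL New Mode, where each member needs a unique real IP per interface and ClusterXL owns the virtual IP, and it describes the long-standing practice of listing a Solaris logical interface's network (ce0:1) in the anti-spoofing topology of its physical parent (ce0). The script below is an added example, not part of the original post and not Check Point tooling: it validates such a plan offline and derives the per-physical-interface anti-spoofing networks. The member names, the sample addresses (taken from the post) and the parent-interface rule are the only inputs; the rule that a logical interface's network belongs in the physical interface's topology is encoded as an assumption drawn from the post, not as documented ClusterXL behaviour.

```python
"""Sanity-check a ClusterXL New Mode address plan with Solaris logical interfaces.

Added example (not from the original post, not Check Point tooling). Encodes the
practice described in the post as an assumption: a logical interface such as
ce0:1 is not a cluster interface of its own; its network is listed in the
anti-spoofing topology of the physical interface ce0. Runs entirely offline.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the re-IPed members and desired cluster (virtual) IPs
# from the post. Solaris logical interfaces are written "ce0:1".
MEMBERS = {
    "A": {"ce0": "10.10.100.254/24", "ce0:1": "10.10.200.254/24"},
    "B": {"ce0": "10.10.100.253/24", "ce0:1": "10.10.200.253/24"},
}
CLUSTER_IPS = {"ce0": "10.10.100.1", "ce0:1": "10.10.200.1"}

# Constructed sample: the shared-IP layout the post is migrating away from.
LEGACY_MEMBERS = {
    "A": {"ce0": "10.10.100.1/24", "ce0:1": "10.10.200.1/24"},
    "B": {"ce0": "10.10.100.1/24", "ce0:1": "10.10.200.1/24"},
}


def physical_parent(ifname: str) -> str:
    """'ce0:1' -> 'ce0'; a physical interface name maps to itself."""
    return ifname.split(":", 1)[0]


def validate_plan(members: Dict[str, Dict[str, str]],
                  cluster_ips: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    Checks per cluster interface: every member has it, real IPs are unique
    across members, no real IP equals the cluster IP, and the cluster IP
    lies in the members' (single, agreed) subnet.
    """
    problems: List[str] = []
    for ifname, vip_str in cluster_ips.items():
        vip = ipaddress.ip_address(vip_str)
        seen: Dict[ipaddress.IPv4Address, str] = {}  # real address -> member
        subnets = set()
        for member, ifaces in members.items():
            if ifname not in ifaces:
                problems.append(f"{member}: missing interface {ifname}")
                continue
            real = ipaddress.ip_interface(ifaces[ifname])
            subnets.add(real.network)
            if real.ip == vip:
                problems.append(
                    f"{member} {ifname}: real IP equals cluster IP {vip}")
            if real.ip in seen:
                problems.append(
                    f"{ifname}: {real.ip} shared by {seen[real.ip]} and {member} "
                    "(New Mode needs a unique real IP per member)")
            seen[real.ip] = member
            if vip not in real.network:
                problems.append(
                    f"{member} {ifname}: cluster IP {vip} not in {real.network}")
        if len(subnets) > 1:
            problems.append(
                f"{ifname}: members disagree on subnet: "
                f"{sorted(str(n) for n in subnets)}")
    return problems


def antispoofing_topology(members: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Networks to list behind each *physical* interface for anti-spoofing.

    Assumption from the post: logical interfaces (ce0:1) are folded into the
    topology of their physical parent (ce0) rather than configured separately.
    """
    topo: Dict[str, set] = {}
    for ifaces in members.values():
        for ifname, addr in ifaces.items():
            net = ipaddress.ip_interface(addr).network
            topo.setdefault(physical_parent(ifname), set()).add(net)
    return {phys: sorted(str(n) for n in nets) for phys, nets in topo.items()}


if __name__ == "__main__":
    for label, plan in (("new-mode plan", MEMBERS), ("legacy plan", LEGACY_MEMBERS)):
        issues = validate_plan(plan, CLUSTER_IPS)
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' problem(s)'}")
        for issue in issues:
            print("  -", issue)
    print("anti-spoofing topology:", antispoofing_topology(MEMBERS))
```

Running it against the re-IPed plan reports no problems and a ce0 topology of both /24s; against the legacy shared-IP layout it flags, per interface, that each member's real IP equals the cluster IP and that the two members share an address, which is exactly why the post says the interfaces must be re-IPed before New Mode.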